I know, it was a tongue-in-cheek comment. Like you I thought there was an EventID 
description that differentiated between an interactive logon and other types.

Have you looked on http://www.ultimatewindowssecurity.com ?
Specifically: 
http://www.ultimatewindowssecurity.com/securitylog/quickref/Default.aspx

Dave

From: Christopher Bodnar [mailto:christopher_bod...@glic.com]
Sent: Thursday, June 28, 2012 9:28 AM
To: NT System Admin Issues
Subject: RE: Identifying service accounts that are logging in interactively

Keep in mind what I'm trying to do here. Not trying to figure out a way to make 
sure they can't do interactive logon. I need to prove to audit that they didn't 
log on interactively. That means a report from the security logs.

Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology:Enterprise Architecture 
and Engineering Services

Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
christopher_bod...@glic.com

The Guardian Life Insurance Company of America

www.guardianlife.com

From: David Lum <david....@nwea.org>
To: "NT System Admin Issues" <ntsysadmin@lyris.sunbelt-software.com>
Date: 06/28/2012 12:21 PM
Subject: RE: Identifying service accounts that are logging in interactively
________________________________



Set a GPO to prevent them from being interactive and see what breaks :P

From: Christopher Bodnar [mailto:christopher_bod...@glic.com]
Sent: Thursday, June 28, 2012 7:37 AM
To: NT System Admin Issues
Subject: Identifying service accounts that are logging in interactively

Is anyone else tasked with doing this? This is a new requirement from audit. We 
have about 1,000 accounts that are being used to run services in the 
environment. So audit is asking how we know these accounts aren't being used to 
log on interactively. All security logs are being shipped to our SIEM system. The 
question is how to identify this. My thought is that it would have to be an 
event from the member servers security log with an event ID of 528 where the 
logon type is not 5. Environment is FFL 2003.

Initially I thought we would be able to distinguish this from just the domain 
controllers security logs, but that does not seem to be the case. Just looking 
at the domain controller logs, there doesn't seem to be any differentiation 
between the logon type, that is captured at the machine they are logging on 
from.



If anyone has recommendations on how to do this differently or if they see a 
problem I'm missing, let me know.

Thanks
Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology:Enterprise Architecture 
and Engineering Services

Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
christopher_bod...@glic.com

The Guardian Life Insurance Company of America

www.guardianlife.com

----------------------------------------- This message, and any attachments to 
it, may contain information that is privileged, confidential, and exempt from 
disclosure under applicable law. If the reader of this message is not the 
intended recipient, you are notified that any use, dissemination, distribution, 
copying, or communication of this message is strictly prohibited. If you have 
received this message in error, please notify the sender immediately by return 
e-mail and delete the message and any attachments. Thank you.
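
The check proposed in the original question (event ID 528 on member servers, logon type other than 5, for accounts on the service-account list) can be run over a SIEM export as sketched below. This is an added example, not code from anyone in the thread; the CSV column names, the account names and the sample rows are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: a hypothetical CSV export of member-server Security log
# events from the SIEM (column names are assumptions, not a real product schema).
SAMPLE_EXPORT = """timestamp,host,event_id,domain,user,logon_type
2012-06-27T02:00:01,APP01,528,CORP,svc_backup,5
2012-06-27T02:00:04,APP02,528,CORP,svc_sql,5
2012-06-27T09:14:33,APP02,528,CORP,svc_sql,10
2012-06-27T09:20:10,APP03,528,CORP,jsmith,2
2012-06-27T11:02:45,APP01,538,CORP,svc_backup,5
2012-06-27T13:37:00,APP04,528,CORP,SVC_Web,2
"""

# Hypothetical inventory of service accounts (the real list would have ~1,000).
SERVICE_ACCOUNTS = {"svc_backup", "svc_sql", "svc_web", "svc_idle"}

LOGON_SUCCESS = "528"   # successful logon event named in the question
SERVICE_LOGON = "5"     # logon type 5 = service


def audit_service_logons(export_text, service_accounts):
    """Return (violations, clean): per-account 528 events whose logon type is
    not 5, and the service accounts that had no such event in the export."""
    accounts = {a.lower() for a in service_accounts}
    violations = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["user"].strip().lower()   # account names are case-insensitive
        if user not in accounts or row["event_id"] != LOGON_SUCCESS:
            continue
        if row["logon_type"].strip() != SERVICE_LOGON:
            violations[user].append(
                (row["timestamp"], row["host"], int(row["logon_type"])))
    clean = sorted(accounts - set(violations))
    return dict(violations), clean


if __name__ == "__main__":
    bad, clean = audit_service_logons(SAMPLE_EXPORT, SERVICE_ACCOUNTS)
    for user, events in sorted(bad.items()):
        for ts, host, ltype in events:
            print(f"VIOLATION {user} on {host} at {ts} (logon type {ltype})")
    print("No non-service 528 logons for:", ", ".join(clean))
```

The "clean" list is evidence only for the member servers whose Security logs are actually in the export, so the report should state which hosts and which time window it covers.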

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe ntsysadmin