Question

Explain what would indicate an external Remote Protocol login within a Windows 2012 server only using the Windows event logs. Include the login type and any additional information?
Answer #1

Answer:-

Event Log forwarding was introduced in Windows Server allowing system administrators to centralize server and client event logs, making it easier to monitor events without having to connect to individual servers. Forwarding uses the DMTF WS-Eventing standard, which is part of the open Web Services-Management (WS-Man) protocol built in to Windows Server as part of the Windows Management Framework (WMF).

for incoming Remote Desktop Connections where the client specified /restrictedAdmin on the command line. Restricted admin mode is an important way to limit the spread of admin credentials in ways they can be harvested by malware using pass-the-hash and related techniques. You should only see this for logon type 10. When you remote desktop into a server with /restrictedAdmin you get full authority on that server, but it doesn't carry with you if you access other systems from within that RDP session. This field allows you to detect RDP sessions that fail to use restricted admin mode.

The user who just logged on is identified by the Account Name and Account Domain. You can determine whether the account is local or domain by comparing the Account Domain to the computer name. If they match, the account is a local account on that system, otherwise a domain account.

  • Security ID: the SID of the account
  • Account Name: Logon name of the account
  • Account Domain: Domain name of the account in either the DNS name (can be upper or lowercase) or pre-Win2k NETBIOS domain name. In the case of special subjects (well known security principals) like SYSTEM, LOCAL SERVICE, NETWORK SERVICE, ANONYMOUS LOGON this field will be "NT AUTHORITY". It can also be "NT Service" as in the case of virtual accounts for services. See above. Finally, if the account is a local account, this field will be the name of the computer.
  • Logon ID: a semi-unique (unique between reboots) number that identifies the logon session just initiated. Any events logged subsequently during this logon session will report the same Logon ID through to the logoff event 4647 or 4634.
  • Linked Login ID: (Win2016/10) This is relevant to User Account Control and interactive logons. When an admin logs on interactively to a system with UAC enabled, Windows actually creates 2 logon sessions - one with and one without privilege. This is called a split token and this field links the 2 sessions to each other. See Elevated Token above.
  • Network Account Name: (Win2016/10) This appears to always be "-". It seems connected to LogonUser() with LOGON32_LOGON_NEW_CREDENTIALS but I've not been able to produce an example. If you have an event with this field filled in please open a forum posting on this page and let us see it.
  • Network Account Domain: (Win2016/10) see above
  • Logon GUID: Supposedly you should be able to correlate logon events on this computer with corresponding authentication events on the domain controller using this GUID, such as linking 4624 on the member computer to 4769 on the DC. But the GUIDs do not match between logon events on member computers and the authentication events on the domain controller.
  • Process ID is the process ID specified when the executable started as logged in 4688.
  • Process Name: identifies the program executable that processed the logon. This is one of the trusted logon processes identified by 4611.
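The following PowerShell script is an added example, not part of the original answer or of any Microsoft documentation. It pulls the evidence the answer describes straight from the Security event log: every 4624 event, keeps only logon type 10 (RemoteInteractive, i.e. RDP), and reports the account, whether it is local or domain (Account Domain compared with the computer name), the Logon ID, the source IP, the authentication package, and the Restricted Admin Mode field. The helper `Test-PrivateIPv4` and the `External` column are assumptions of this example: they flag source addresses outside RFC 1918/loopback ranges as "external", which is only a first approximation. The `RestrictedAdminMode` field does not exist on every build, so it is read defensively and shows as empty where absent.

```powershell
# Added example (not from the original answer): list RDP logons (4624, logon type 10)
# from the Security log and surface the fields that indicate an external login.
# Assumes it runs with rights to read the Security log (typically an elevated prompt).

param(
    [int]$Days = 7,
    [string]$ComputerName = $env:COMPUTERNAME
)

# Read one named <Data Name="..."> value from the event's EventData block.
function Get-EventDataField {
    param([System.Xml.XmlElement]$EventData, [string]$Name)
    $node = $EventData.Data | Where-Object { $_.Name -eq $Name } | Select-Object -First 1
    if ($null -eq $node) { return $null }   # field absent on this OS build
    return $node.'#text'
}

# Hypothetical helper: treat RFC 1918, loopback and "-" (no network address) as internal.
function Test-PrivateIPv4 {
    param([string]$Address)
    if ([string]::IsNullOrWhiteSpace($Address) -or $Address -eq '-') { return $true }
    [ipaddress]$ip = $null
    if (-not [ipaddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ([ipaddress]::IsLoopback($ip)) { return $true }
    if ($ip.AddressFamily -ne 'InterNetwork') { return $false }   # IPv6: not classified here
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

$filter = @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddDays(-$Days)
}

$rdpLogons = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $ed  = $xml.Event.EventData

        # Only RemoteInteractive (RDP) logons; other types are console, network, service, etc.
        $logonType = Get-EventDataField -EventData $ed -Name 'LogonType'
        if ($logonType -ne '10') { return }

        $domain   = Get-EventDataField -EventData $ed -Name 'TargetDomainName'
        $user     = Get-EventDataField -EventData $ed -Name 'TargetUserName'
        $sourceIp = Get-EventDataField -EventData $ed -Name 'IpAddress'

        # Account Domain equal to the computer name means a local account (see answer above).
        $scope = if ($domain -ieq $ComputerName) { 'Local' } else { 'Domain' }

        [pscustomobject]@{
            Time            = $_.TimeCreated
            RecordId        = $_.RecordId
            LogonType       = $logonType
            Account         = '{0}\{1}' -f $domain, $user
            AccountScope    = $scope
            LogonId         = Get-EventDataField -EventData $ed -Name 'TargetLogonId'
            SourceIp        = $sourceIp
            External        = -not (Test-PrivateIPv4 -Address $sourceIp)
            Workstation     = Get-EventDataField -EventData $ed -Name 'WorkstationName'
            AuthPackage     = Get-EventDataField -EventData $ed -Name 'AuthenticationPackageName'
            LogonProcess    = Get-EventDataField -EventData $ed -Name 'LogonProcessName'
            RestrictedAdmin = Get-EventDataField -EventData $ed -Name 'RestrictedAdminMode'
        }
    }

# Usage: .\Get-RdpLogons.ps1 -Days 14   (shows the most recent two weeks of RDP logons)
$rdpLogons | Sort-Object Time | Format-Table -AutoSize
```

Rows where `External` is true and `RestrictedAdmin` is "No" (or empty on a build without the field) are the ones to examine first: an RDP session from a non-private address that left full credentials on the server. The Logon ID column lets you tie each row to the matching 4634/4647 logoff and to any 4688 process-creation events from the same session.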
