Windows login packets / events

Subject Author Date
Windows login packets / events sheldonrozario 03-10-2006
Posted by on March 10, 2006, 2:26 am
Hi,

I'm trying to analyse who is logging on to a windows 2000 server (in an
NT4 domain) and have a network capture over a period of time. Which
packets should I be looking for in order to see the username?

Also is there an event in the security log which shows that a user has
actually logged onto the console or has launched an application via
Citrix? There seems to be heaps of events in the log for logon/logoff.

thanks
Sheldon


Posted by Arek Iskra [MVP] on March 10, 2006, 7:58 am
> Hi,
>
> I'm trying to analyse who is logging on to a windows 2000 server (in an
> NT4 domain) and have a network capture over a period of time. Which
> packets should I be looking for in order to see the username?
>
> Also is there an event in the security log which shows that a user has
> actually logged onto the console or has launched an application via
> Citrix? There seems to be heaps of events in the log for logon/logoff.
>
> thanks
> Sheldon
>


How about enabling audit of logon events on Windows 2000 Server itself?

https://www.microsoft.co.ke/technet/prodtechnol/windows2000serv/maintain/monitor/logevnts.mspx


--
Arek Iskra
MVP for Windows Server - Software Distribution



Posted by Steven L Umbach on March 10, 2006, 10:05 pm
On the Windows 2000 server look for type 1 logon events that would indicate
either a console or TS logon. W2003/XP added a separate logon type for
TS/RDP logon which is type 10. --- Steve

http://www.windowsecurity.com/articles/Logon-Types.html

> Hi,
>
> I'm trying to analyse who is logging on to a windows 2000 server (in an
> NT4 domain) and have a network capture over a period of time. Which
> packets should I be looking for in order to see the username?
>
> Also is there an event in the security log which shows that a user has
> actually logged onto the console or has launched an application via
> Citrix? There seems to be heaps of events in the log for logon/logoff.
>
> thanks
> Sheldon
>
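
Added example (not part of the original thread): one way to cut the "heaps" of logon/logoff records down to successful logons of chosen logon types, run over a constructed text export of the Security log. The one-line record layout, the account names and the `logons_by_type` helper are assumptions for illustration; 528/540 are the Windows 2000-era successful-logon event IDs, and the logon type numbers to report are passed in by the caller.

```python
import re
from collections import defaultdict

# Constructed sample: Security log records flattened to one line each, with the
# description fields in the order Windows 2000 writes them for 528/538/540.
SAMPLE_EXPORT = """\
3/9/2006 08:01:12 528 Successful Logon: User Name: sheldon Domain: CORP Logon ID: (0x0,0x1A2B3) Logon Type: 2 Logon Process: User32
3/9/2006 08:01:40 540 Successful Network Logon: User Name: alice Domain: CORP Logon ID: (0x0,0x1A2F0) Logon Type: 3 Logon Process: NtLmSsp
3/9/2006 08:15:03 528 Successful Logon: User Name: bob Domain: CORP Logon ID: (0x0,0x1B001) Logon Type: 2 Logon Process: User32
3/9/2006 09:30:55 538 User Logoff: User Name: sheldon Domain: CORP Logon ID: (0x0,0x1A2B3) Logon Type: 2
3/9/2006 09:41:10 528 Successful Logon: User Name: svc_backup Domain: CORP Logon ID: (0x0,0x1C400) Logon Type: 5 Logon Process: Advapi
3/9/2006 10:02:00 528 Successful Logon: User Name: sheldon Domain: CORP Logon ID: (0x0,0x1D110) Logon Type: 2 Logon Process: User32
"""

# 528 = successful logon, 540 = successful network logon (Windows 2000/XP/2003).
LOGON_EVENT_IDS = {528, 540}

# Logon types as Microsoft documents them: 2 = interactive, 3 = network,
# 5 = service, 10 = RemoteInteractive (added in XP/2003).
RECORD = re.compile(
    r"^(?P<when>\S+ \S+) (?P<event_id>\d+) .*?"
    r"User Name: (?P<user>.+?) Domain: (?P<domain>.+?) Logon ID: .*?"
    r"Logon Type: (?P<logon_type>\d+)"
)


def logons_by_type(export_text, wanted_types):
    """Return {DOMAIN\\user: [(timestamp, logon_type), ...]} for successful
    logon events whose logon type is in wanted_types."""
    hits = defaultdict(list)
    for line in export_text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue  # not a logon record, or a layout this pattern does not cover
        if int(m["event_id"]) not in LOGON_EVENT_IDS:
            continue  # drops logoff (538) and other noise
        logon_type = int(m["logon_type"])
        if logon_type in wanted_types:
            account = f'{m["domain"]}\\{m["user"]}'
            hits[account].append((m["when"], logon_type))
    return dict(hits)


if __name__ == "__main__":
    for account, events in logons_by_type(SAMPLE_EXPORT, {2, 10}).items():
        print(account, events)
```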


