A comprehensive guide to Windows logon audit: Go beyond native Windows solutions

Effective Windows logon auditing is crucial for maintaining security and compliance in any organization. This guide explores advanced techniques, including the use of UserLock, to go beyond the limitations of native Windows auditing tools.

The importance of accurate logon auditing

There are many reasons why organizations need a full and accurate Windows logon audit.

Forensic analysis

For one, a comprehensive logon audit makes it easier to perform accurate IT forensics. Here's how CISA defines computer forensics:

"From a technical standpoint, the main goal of computer forensics is to identify, collect, preserve, and analyze data in a way that preserves the integrity of the evidence collected so it can be used effectively in a legal case."

Couldn't have said it better ourselves.

Regulatory compliance

Similarly, organizations must demonstrate how they protect data from unauthorized access to meet regulatory compliance requirements.

A log of user logon activity is a common requirement across nearly all major compliance and cyber insurance requirements.

The logon audit is critical because it demonstrates that you know who accesses your systems (or attempts to), when, and how.

Employee monitoring

A logon audit also allows you to monitor employee access in various ways:

• Verify the attendance/working hours of any employee

• Monitor specific session types such as remote desktop sessions or VPN sessions

• See at a glance who has last logged on to a particular machine

• Detect suspicious activities like multiple logon failures

• View the complete logon history of any user or machine in the domain

Challenges with native Windows logon auditing

Auditing Windows logon events natively isn't easy. Logon session auditing is even trickier. Here's why.

Complexity of event logs

Manually auditing native Windows logon event logs takes a lot of time. The logs are hard to understand and too time-consuming to manually audit.

After all, Windows can record over 200 different event logs — whether an informational event, a warning, an error or a security event.

Limitations of event viewer

Windows generates these events not only when a user physically logs on to the system, but when accessing a shared resource from a remote computer. The sheer amount of data, and the inability to filter it, makes it incredibly difficult to spot problems.

The graphical user interface tool that most administrators are familiar with when it comes to event logs is Windows Event Viewer. But remember, Microsoft didn’t design Event Viewer to be an auditing solution. Microsoft designed it as a centralized application for viewing event data.

Challenges with native Windows event viewer

While Windows Server 2008 introduced an XML-based log format for event logs, these logs can be complex and difficult to manage. Tools like Windows Event Viewer, though useful, are not designed for comprehensive auditing.

Key challenges include:

• Visibility: With over 200 different event logs, finding relevant information can be like searching for a needle in a haystack of log entries.

• Complexity: Event logging aims to consolidate the raw event data and make it available centrally. But it's hard to skim through event log data, and even harder to find a specific event.For example, the event ID for a user logon event is 4624, an account failed to logon is 4625, and an attempted logon using explicit credentials is 4648. You have to comb through specific field values within multiple log entries, then “puzzle piece” your way to a potential answer.

• Manual effort: Event viewer demands significant manual effort, and time, to filter through and analyze logs. You have to put the pieces together yourself. The “automation" event viewer offers is minimal: WMI filtering or the Task Scheduler to send alerts. If you need audit data, you have to do the work.

• Audit-friendliness: Auditors like to ask specific questions. Obtaining the answer to a seemingly simple question requires some complex filtering, consolidation of events, and digging into the event results to find the answer. In reality, Event Viewer isn’t designed to specifically meet the needs of auditors; there is no delegation of log access to given an external auditor the ability to run their own queries, there is no intelligent way to query the event data, and the data itself is presented at the operating system level and not at a level where an auditor can gain insight into what’s actually happening within your environment.

With an overwhelming amount of data in so many individual logs on each of their servers, administrators have had to learn more efficient ways to retrieve the specific information they’re looking for.

Enhance auditing with UserLock

UserLock offers extensive session auditing and reporting on all windows logon activity across the whole network — far beyond what Microsoft includes in Windows Server and Active Directory auditing. Agent deployment is a breeze and pricing makes it affordable for SMBs and enterprises alike.

With UserLock:

• Record and report on all user connection events to provide a central audit across the whole network

• Generate detailed reports on any or all session types for select time periods, users and groups

• Filter and sort the audit to show only the most pertinent results for your business

• Achieve tamper-proof auditing as all administrator activity is itself stringently audited and securely archived

• Get scalable auditing that works whether you have 100 or 100,000 users

A step-by-step guide to setting up logon auditing

With native Windows tools

Step 1: Open the Group Policy Management Console

1. Press Windows Key + R, type gpmc.msc, and press Enter. This will open the Group Policy Management Console.

Step 2: Create a new Group Policy Object (GPO)

1. In the Group Policy Management Console, navigate to your domain or the Organizational Unit (OU) where you want to apply the policy.

2. Right-click the domain or OU, and select "Create a GPO in this domain, and Link it here..."

3. Name the new GPO something descriptive, like "Audit Account Logon Events" and click OK.

Step 3: Edit the GPO to enable auditing

1. Right-click your newly created GPO and select Edit. This opens the Group Policy Management Editor.

2. Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Logon/Logoff.

Step 4: Configure account logon event auditing

1. In the right pane, find "Audit Logon" and "Audit Logoff."

2. Double-click on "Audit Logon."

   • Check the boxes for "Configure the following audit events."

   • Select "Success" and "Failure." Click OK.

3. Double-click on "Audit Logoff."

   • Check the boxes for "Configure the following audit events."

   • Select "Success" and "Failure." Click OK.

Step 5: Apply the GPO to the domain controllers

1. Navigate back to the Group Policy Management Console.

2. Link the GPO to the Domain Controllers OU if it’s not already linked there.

Step 6: Force Group Policy update

1. Open a Command Prompt with administrative privileges on your Domain Controllers.

2. Type gpupdate /force and press Enter to apply the new Group Policy settings immediately.

Step 7: Verify the configuration

1. Open Event Viewer on one of your Domain Controllers.

2. Navigate to Windows Logs -> Security.

3. Look for events with ID 4624 (An account was successfully logged on) and 4634 (An account was logged off).

Notes

• Event ID 4624 indicates a successful logon.

• Event ID 4634 indicates a logoff.

Example event descriptions

• 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon Type: 3 New Logon: Security ID: S-1-5-21-345677890-1234567890-1122334455-1001 Account Name: User1 Account Domain: Domain Logon ID: 0x5ed6 Logon GUID: {00000000-0000-0000-0000-000000000000}

• 4634: An account was logged off. Subject: Security ID: S-1-5-21-345677890-1234567890-1122334455-1001 Account Name: User1 Account Domain: Domain Logon ID: 0x5ed6

With UserLock

Once you've installed UserLock and configured a database, UserLock detects and audits all connections through the Desktop agent deployed on your protected users' machines.

In the same way, UserLock automatically detects terminal connections, since the Desktop agent is deployed on terminal servers (no need to install anything on thin clients).

This means that you don't need to create a new protected account to audit a user connection. All you have to do to start auditing connections is to install the UserLock agent.

UserLock audits and saves all user session events from protected machines in the UserLock database.
You can choose between two UserLock consoles:

• The Windows desktop console

• The UserLock web app

Both give you an instant, real-time overview of all logon/logoff and session activity on the network monitored by UserLock.

UserLock syncs with Active Directory every 5 minutes. For comparison, Duo syncs with Active Directory twice a day.

When a domain user connects to the network, the UserLock agent sends the server a set of data.

UserLock audits:

• The connection type requested: Workstation, terminal, Wi-Fi, VPN, IIS, SaaS.

• The connection event type: Logon, reconnection, disconnection, logoff, lock, unlock.

• The user: Domain, username.

• The source: Machine or device name, IP address.

The agent retrieves this information when the user submits a connection event, and sends the information encrypted to the UserLock server, which determines the time of the connection request and saves the data in the database.

With UserLock, all user connection information performed on agent hosts is collected and stored centrally, and readily visible in the UserLock dashboard.

Step 1: Open the UserLock console

After installation and configuration, open the UserLock console or web app.

Here's what the UserLock web app's dashboard looks like (this image and those below come from the UserLock web app):

Step 2: Go to the "Reporting" tab

Using the connection event data in the database, UserLock allows you to create custom reports or generate predefined reports directly from the console.

Step 3: Select a predefined or custom report

Predefined reports include:

Session history: The detailed list of every connection (logon, lock, unlock, disconnection, logoff, users, machines, domains, etc.) available for all session types.

User status history: The list of status changes for every user and the reasons.

Session statistics: The total number of sessions, the total time and average time per session for a user on a defined period.

Session count evolution: Changes in the number of all the interactive sessions open on the network.

Here's an example of what you'll see on the user sessions overview:

Wi-Fi/VPN sessions: History and statistics with additional relevant filters.

Here's an example of a VPN sessions report:

IIS sessions: List all IIS session events and filter by time and date. See user, domain, session start and end, machine, and IIS server.

Here's what the IIS session history report looks like:

MFA events: All MFA events, successful and failed, across your network.

MFA help requests: Review and record MFA help requests in one central dashboard.

Here's an example of what you'll see in the MFA events report:

Administrator actions: Track and report on all UserLock administrator actions.

Working hours: Use the logon/logoff timestamps to track working hours for AD users, groups, or OUs.

Here's what a monthly working hours report can look like for one user:

UserLock also allows:

• The ability to view raw data in table format from the database.

• A tool view allowing you to submit an SQL query from the console itself.

You can export these reports in the format of your choosing (PDF, XLS, HTML, CSV, etc…). Reports can be customized and scheduled to be generated and sent via email periodically.