Windows logon type 3
What is a Windows logon?
A Windows logon event occurs when a user logs in to a system, kick-starting a logon session. A logon session denotes every time a security principal logs in to a Windows machine. Logon events are useful in identifying anomalous access patterns and user logins. These events can be correlated across various AD machines, like domain controllers, workstations, and Windows servers, to get a full picture of the user's logon session.
Logon types in Windows
Windows logons are categorized based on how a user logs on to a device and what resource is used. Each logon type recorded will have an associated logon session containing all the session details. Some closely monitored logon types include:
| Logon type | What it denotes | When it is recorded |
|---|---|---|
| 2 | Interactive | A user logs on directly to a system. Example: User A logs in to their device by keying in their credentials. |
| 3 | Network | A user accesses a computer over the network. Example: User A accesses a file from a network share. |
| 4 | Batch | A computer runs a batch job. Example: A Windows Scheduler task executes a script that has been scheduled periodically. |
| 5 | Service | A service starts. Example: Antivirus software that runs perpetually. |
| 10 | Remote interactive | A user logs in to a machine remotely. Example: User A logs in to device B using Remote Desktop Connection. |
What is logon type 3?
Logon type 3 denotes a network logon. A network logon or any other logon can take place only after an interactive logon authentication has taken place, as the same credentials used for an interactive logon are applied. Network logon events occur when a user accesses a shared resource over the network. For example, when user A accesses the organization's printer, the actions trigger a logon type 3 event.
Why should logon type 3 events be monitored?
On their own, events of this type may not make much sense. But when correlated with account logons and UBA-based analysis, administrators can identify unauthorized accesses, file modifications, or deletions. Maintaining logs of network resource accesses is one of the requirements of PCI DSS. It is also useful to maintain an audit trail for forensic examination after a security incident has occurred.
How ADAudit Plus helps in monitoring logon types
ManageEngine ADAudit Plus provides a single pane of reporting for all AD changes. Get real-time, UBA-driven insights to detect suspicious and risky changes. Gain full visibility into logons, account lockouts, GPO changes, permission changes, Azure AD changes, file server activity, and more. Our reports can help you:
- Monitor anomalous logons to thwart potential threats with the user logon tracking tool.
- Analyze logon failures using the user logon failure auditing tool.
- Investigate and troubleshoot repeatedly locked-out user accounts with the account lockout examiner.
- View attendance, actual work hours, and more with the employee productivity tracker.
- Examine important file events such as modifications or deletions in real time using the file access tracking tool.
- Inspect changes made to Group Policy configuration with the GPO change auditor.
- Get detailed reports on Azure AD changes in your environment using the Azure AD auditing tool.
- Scan workstations for unauthorized removable media usage and more with the workstation auditing tool.
- Adequately satisfy the regulatory requirements of the GDPR and HIPAA with compliance audit reports.
Try all these features and more for free in a 30-day trial. Alternatively, get on a call with our technical experts to see how ADAudit Plus can help you.
Don't wait for your annual compliance audit.
- Audit your AD and Azure
- Monitor user logon
- Troubleshoot AD lockouts
Thanks!
Please check your inbox for demo details.
