Authentication is the process of verifying identity. The identity can belong to an object, a person or a service. Object authentication verifies that an object is genuine. Person or service authentication verifies that the credentials entered are authentic. In the context of networking, authentication is proving identity to a network application or resource. Active Directory Domain Services is the recommended and default technology for storing identity information (including the cryptographic keys that are the users’ credentials). Active Directory is required for default NTLM and Kerberos implementations.
There is a range of authentication techniques, from simple logon to more powerful security mechanisms. Simple logon identifies users based on something that only the user knows, like a password, while more powerful security mechanisms use something that the user has, like tokens, public key certificates, and biometrics.
Kerberos, NTLM, Transport Layer Security/Secure Sockets Layer (TLS/SSL), and Digest are the default set of authentication protocols implemented by the Windows operating system. These protocols enable authentication of users, computers, and services, which in turn enables authorized users and services to access resources in a secure manner.
Some of the events that need to be tracked to analyze users' authentication behavior are as follows:
| Event ID | Description |
| --- | --- |
| 4624 | An account was successfully logged on |
| 4625 | An account failed to log on |
| 4634 | An account was logged off |
| 4647 | User initiated logoff |
| 4768 | A Kerberos authentication ticket (TGT) was requested |
| 4769 | A Kerberos service ticket was requested |
| 4771 | Kerberos pre-authentication failed |
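
An added example (not from the original post) of correlating these event IDs: it flags bursts of failed logons (4625, 4771), notes when a 4624 success follows such a burst, and pairs 4624 with 4634/4647 by logon ID to measure session length. The CSV layout, column names, threshold and window are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (not real log data); column names are assumptions.
SAMPLE = """\
time,event_id,account,logon_id
2024-01-10T08:00:00,4624,alice,0x1a2b
2024-01-10T09:00:00,4625,bob,
2024-01-10T09:00:20,4625,bob,
2024-01-10T09:00:40,4771,bob,
2024-01-10T09:01:00,4624,bob,0x3c4d
2024-01-10T12:30:00,4647,alice,0x1a2b
2024-01-10T12:30:01,4634,alice,0x1a2b
2024-01-10T13:00:00,4625,carol,
2024-01-10T13:20:00,4625,carol,
2024-01-10T13:40:00,4625,carol,
"""

FAILURES = {4625, 4771}  # failed logon, Kerberos pre-authentication failed
LOGOFFS = {4634, 4647}   # logged off, user initiated logoff

def analyze(text, threshold=3, window=timedelta(minutes=5)):
    """Return (alerts, sessions) for a CSV export of authentication events."""
    recent = defaultdict(list)  # account -> failure times still inside the window
    open_sessions = {}          # logon_id -> (account, logon time)
    alerts, sessions = [], []
    rows = sorted(csv.DictReader(io.StringIO(text)), key=lambda r: r["time"])
    for r in rows:
        ts = datetime.fromisoformat(r["time"])
        eid, acct = int(r["event_id"]), r["account"].lower()
        if eid in FAILURES:
            recent[acct] = [t for t in recent[acct] if ts - t <= window] + [ts]
            if len(recent[acct]) == threshold:
                alerts.append((acct, "failure burst"))
        elif eid == 4624:
            if len([t for t in recent[acct] if ts - t <= window]) >= threshold:
                alerts.append((acct, "success after failure burst"))
            recent.pop(acct, None)
            open_sessions[r["logon_id"]] = (acct, ts)
        elif eid in LOGOFFS and r["logon_id"] in open_sessions:
            # 4647 is often followed by 4634 for the same logon; count it once.
            who, start = open_sessions.pop(r["logon_id"])
            sessions.append((who, ts - start))
    return alerts, sessions

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Slow, spread-out failures (carol in the sample) stay below the threshold by design, so tune the window and threshold to the environment's lockout policy.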