Friday, December 27, 2019

Windows Account Logon Impersonation Level

The Impersonation Level field appears in logon events on Windows Server 2012 and above.

A new logon event is generated on the computer where the resource is located, on behalf of the user whose effective access is being checked. So that an analyst reviewing security audit logs for user sign-in activity can tell logon events generated by an effective-access check apart from those generated by an interactive or network user sign-in, the event includes the Impersonation Level field. When the logon event is generated because of effective access, the Impersonation Level is Identity. An interactive or network user sign-in typically generates a logon event with Impersonation Level = Impersonation or Delegation.

Windows provides various degrees of impersonation through impersonation levels. These levels indicate how much authority is given to the server when it impersonates the client.

Currently, four impersonation levels are available:

  • Anonymous
    RPC_C_IMP_LEVEL_ANONYMOUS. The client is anonymous to the server. The server process can impersonate the client, but the impersonation token does not contain any information about the client. This level is supported only over the local interprocess communication transport. All other transports silently promote this level to Identify.

  • Identify
    RPC_C_IMP_LEVEL_IDENTIFY. The system default level. The server can obtain the identity of the client, and the server can impersonate the client in order to do ACL checks.

  • Impersonate
    RPC_C_IMP_LEVEL_IMPERSONATE. The server can impersonate the security context of the client while acting for the client. The server can access local resources as the client. If the server is local, it can access network resources as the client. If the server is remote, it can access only resources that are on the same machine as the server.

  • Delegate
    RPC_C_IMP_LEVEL_DELEGATE. The most powerful impersonation level. When this level is selected, the server (whether local or remote) can impersonate the security context of the client while acting on behalf of the client. During impersonation, the client credentials (both local and network) can be passed to any number of machines.


Impersonation Level codes (as they appear in the ImpersonationLevel field of the event):

  Code      Description
  %%1832    Identification
  %%1833    Impersonation
  %%1840    Delegation
  %%1841    Denied by Process Trust Label ACE
  %%1842    Yes
  %%1843    No
  %%1844    System
  %%1845    Not Available
  %%1846    Default
  %%1847    DisallowMmConfig
  %%1848    Off
  %%1849    Auto


JSON log sample:

{
  "EventTime": "2017-12-04 05:00:00",
  "Hostname": "LPWXDC.ChangeMe.local",
  "Keywords": -9214364837600034816,
  "EventType": "AUDIT_SUCCESS",
  "SeverityValue": 2,
  "Severity": "INFO",
  "EventID": 4624,
  "SourceName": "Microsoft-Windows-Security-Auditing",
  "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
  "Version": 1,
  "Task": 12544,
  "OpcodeValue": 0,
  "RecordNumber": 409583434,
  "ProcessID": 824,
  "ThreadID": 19048,
  "Channel": "Security",
  "Message": "An account was successfully logged on.",
  "Category": "Logon",
  "Opcode": "Info",
  "SubjectUserSid": "S-1-0-0",
  "SubjectUserName": "-",
  "SubjectDomainName": "-",
  "SubjectLogonId": "0x0",
  "TargetUserSid": "S-1-5-18",
  "TargetUserName": "LPW",
  "TargetDomainName": "LP",
  "TargetLogonId": "0x1828eb397",
  "LogonType": "3",
  "LogonProcessName": "Kerberos",
  "AuthenticationPackageName": "Kerberos",
  "LogonGuid": "{FD1B49BA-A5E9-5D7D-D3F4-D925B43807F2}",
  "TransmittedServices": "-",
  "LmPackageName": "-",
  "KeyLength": "0",
  "ProcessName": "-",
  "WorkstationName": "LPLONSERVDBVM",
  "IpAddress": "10.0.2.10",
  "IpPort": "60208",
  "ImpersonationLevel": "%%1833",
  "EventReceivedTime": "2017-12-04 05:00:00",
  "SourceModuleName": "wineventlog_in",
  "SourceModuleType": "im_msvistalog"
}
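The following script is an added example, not code from the original post, tying together the effective-access distinction described above and the %%-code table: it reads 4624 records in the same one-object-per-line JSON shape as the sample, decodes the ImpersonationLevel code into its name, and separates logon events produced by an effective-access check (Identification) from actual sign-ins (Impersonation or Delegation). The code dictionary contains only the three impersonation-level codes from the table; anything else is reported as unknown rather than guessed. The sample records are constructed for the example and only carry the fields the script reads.

```python
import json

# Windows message-table codes for the ImpersonationLevel field of event 4624,
# as listed on the page. Codes not listed here are returned unchanged.
IMPERSONATION_LEVELS = {
    "%%1832": "Identification",
    "%%1833": "Impersonation",
    "%%1840": "Delegation",
}


def impersonation_name(code):
    """Translate a %%-code into its readable name; unknown codes come back as-is."""
    return IMPERSONATION_LEVELS.get(code.strip(), code)


def classify_logon(event):
    """Classify one 4624 record.

    Returns a dict with the decoded level and a 'kind' of:
      'effective-access' - Identification: produced by an effective-access check,
                           not by a user signing in
      'sign-in'          - Impersonation or Delegation: a real user sign-in
      'unknown'          - any other code
    Records that are not event 4624 return None.
    """
    if event.get("EventID") != 4624:
        return None
    level = impersonation_name(event.get("ImpersonationLevel", ""))
    if level == "Identification":
        kind = "effective-access"
    elif level in ("Impersonation", "Delegation"):
        kind = "sign-in"
    else:
        kind = "unknown"
    return {
        "user": f"{event.get('TargetDomainName')}\\{event.get('TargetUserName')}",
        "logon_type": event.get("LogonType"),
        "source_ip": event.get("IpAddress"),
        "level": level,
        "kind": kind,
    }


def summarize(lines):
    """Parse one JSON record per line; return (counts per kind, classified records)."""
    counts = {"effective-access": 0, "sign-in": 0, "unknown": 0}
    results = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        result = classify_logon(json.loads(line))
        if result is None:
            continue
        counts[result["kind"]] += 1
        results.append(result)
    return counts, results


# Constructed sample records (one JSON object per line), modelled on the page's
# nxlog-style 4624 record but trimmed to the fields this script reads.
# The last line is a 4634 (logoff) record and is ignored by the classifier.
SAMPLE_LINES = [
    '{"EventID": 4624, "TargetUserName": "LPW", "TargetDomainName": "LP", '
    '"LogonType": "3", "IpAddress": "10.0.2.10", "ImpersonationLevel": "%%1833"}',
    '{"EventID": 4624, "TargetUserName": "svc-report", "TargetDomainName": "LP", '
    '"LogonType": "3", "IpAddress": "10.0.2.25", "ImpersonationLevel": "%%1832"}',
    '{"EventID": 4624, "TargetUserName": "admin", "TargetDomainName": "LP", '
    '"LogonType": "10", "IpAddress": "10.0.2.7", "ImpersonationLevel": "%%1840"}',
    '{"EventID": 4634, "TargetUserName": "LPW", "TargetDomainName": "LP"}',
]

if __name__ == "__main__":
    counts, results = summarize(SAMPLE_LINES)
    for r in results:
        print(f"{r['user']:<16} type={r['logon_type']:<3} ip={r['source_ip']:<10} "
              f"{r['level']:<15} -> {r['kind']}")
    print(counts)
```

When run against a real export, feed it the lines of the nxlog JSON file instead of SAMPLE_LINES; the "effective-access" bucket is the set of 4624 events you can drop from a sign-in timeline without losing any real logons.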

1 comment:

  1. Very useful. Microsoft should have documented the impersonation level dictionary themselves. Thanks for picking up their slack.
