


This reference information is provided to help identify the risk of credential exposure associated with different administrative tools for remote administration.

In a remote administration scenario, credentials are always exposed on the source computer, so a trustworthy privileged access workstation (PAW) is always recommended for sensitive or high-impact accounts. Whether credentials are exposed to potential theft on the target (remote) computer depends primarily on the Windows logon type used by the connection method.

This table includes guidance for the most common administrative tools and connection methods:

Connection method

Includes hardware remote access / lights-out cards and network KVMs.
Clones current LSA session for local access, but uses new credentials when connecting to network resources.
If the remote desktop client is configured to share local devices and resources, those may be compromised as well.
Remote Desktop (failure - logon type was denied): By default, if RDP logon fails, credentials are only stored briefly. This may not be the case if the computer is compromised.
Example: Computer Management, Event Viewer, Device Manager, Services
New-PSSession server -Authentication Credssp -Credential cred
PsExec \\server -u user -p pwd cmd
Creates multiple logon sessions.
Authenticating to Remote Desktop Gateway.
Password will also be saved as LSA secret on disk.
Most scanners default to using network logons, though some vendors may implement non-network logons and introduce more credential theft risk.

For web authentication, use the reference from the table below:

Connection method

Logon type - Identifies the logon type initiated by the connection.
Reusable credentials on destination - Indicates that the following credential types will be stored in LSASS process memory on the destination computer where the specified account is logged on locally:

The symbols in this table are defined as follows:
(-) denotes when credentials are not exposed.
(v) denotes when credentials are exposed.

For management applications that are not in this table, you can determine the logon type from the logon type field in the audit logon events. For more information, see Audit logon events.

In Windows-based computers, all authentications are processed as one of several logon types, regardless of which authentication protocol or authenticator is used. This table includes the most common logon types and their attributes relative to credential theft:

Logon type

Interactive (also known as, Logon locally)
Console logon
RUNAS
Hardware remote control solutions (such as Network KVM or Remote Access / Lights-Out Card in server)
IIS Basic Auth (before IIS 6.0)

No (except if delegation is enabled, then Kerberos tickets present)
NET USE
RPC calls
Remote registry
IIS integrated Windows auth
SQL Windows auth

IIS Basic Auth (IIS 6.0 and newer)
Windows PowerShell with CredSSP

Remote Desktop (formerly known as "Terminal Services")

Logon type - The type of logon requested.
# - The numeric identifier for the logon type that is reported in audit events in the Security event log.
Authenticators accepted - Indicates which types of authenticators are able to initiate a logon of this type.
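
The page notes that, for tools not covered by its tables, the logon type can be read from the logon type field of the audit logon events. The following added example (not part of the original page) parses exported event 4624 XML and reports logons by watched accounts whose logon type is not known to leave the destination free of reusable credentials. The logon type numbers and exposure flags are filled in from the standard Windows logon type values, and the account names, host names and events are constructed samples.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Standard Windows logon types: number -> (name, reusable credentials on destination).
LOGON_TYPES = {
    2: ("Interactive", True),
    3: ("Network", False),  # except with delegation enabled (Kerberos tickets)
    4: ("Batch", True),
    5: ("Service", True),
    8: ("NetworkCleartext", True),
    9: ("NewCredentials", True),
    10: ("RemoteInteractive", True),
}

def parse_logon(event_xml):
    """Return account, host, logon type and exposure for a 4624 event, else None."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    number = int(data.get("LogonType", "0"))
    # Types missing from the mapping get exposed=None so they are reviewed, not ignored.
    name, exposed = LOGON_TYPES.get(number, ("Unknown", None))
    host = root.findtext("e:System/e:Computer", namespaces=NS)
    return {"account": data.get("TargetUserName", ""), "host": host,
            "type": number, "name": name, "exposed": exposed}

def risky_logons(events, privileged):
    """Logons by watched accounts whose type is not known to be credential-free."""
    wanted = {a.lower() for a in privileged}
    parsed = filter(None, map(parse_logon, events))
    return [r for r in parsed if r["account"].lower() in wanted and r["exposed"] is not False]

def _event(event_id, user, logon_type, computer):
    # Constructed sample event; real ones come from a Security log export.
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Computer>{computer}</Computer></System><EventData>'
            f'<Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="LogonType">{logon_type}</Data></EventData></Event>')

SAMPLE_EVENTS = [
    _event(4624, "adm-alice", 10, "srv01.example.test"),  # RDP session
    _event(4624, "adm-alice", 3, "srv02.example.test"),   # network logon
    _event(4624, "bob", 2, "ws07.example.test"),          # not a watched account
    _event(4634, "adm-alice", 10, "srv01.example.test"),  # logoff event, skipped
    _event(4624, "ADM-ALICE", 11, "srv03.example.test"),  # type not in the mapping
]
```

Calling `risky_logons(SAMPLE_EVENTS, ["adm-alice"])` returns the RemoteInteractive logon on srv01 and the unmapped type 11 logon on srv03; the network logon on srv02 is left out because type 3 does not keep reusable credentials unless delegation is enabled.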
