Security - Event 528 (Interactive Logons)

Problem description:
Security Event 528 with Logon Type = 2 (Interactive) can be used to find users' interactive logons,
but some programs (such as the DameWare remote control tool) also generate Event 528 with Logon Type = 2 (Interactive).
How can the two be told apart?

Explanation and method:
BACKGROUND
======================
Event 528 is logged whenever an account logs on to the local computer, except for in the event of network logons (see event 540).
Event 528 is logged whether the account used for logon is a local SAM account or a domain account.

Example:

Successful Logon:
User Name:administrator
Domain:ELM
Logon ID:(0x0,0x558DD)
Logon Type:2
Logon Process:User32
Authentication Package:Negotiate
Workstation Name:W2MS
Windows XP and Windows Server 2003 add:
Logon GUID:{d39697e4-34a9-b3e0-f30a-d2ba517eb4a2}
Windows Server 2003 adds these fields:
Caller User Name:-
Caller Domain:-
Caller Logon ID:-
Caller Process ID: -
Transited Services: -
Source Network Address:10.42.42.170
Source Port:3165

This message also includes a logon type code. The logon type code indicates the manner in which the user logged on.

The following table explains the logon type code:
================================
Logon type, Logon title, Description
================================
2, Interactive, A user logged on to this computer at the console.
3, Network, A user or computer logged on to this computer from the network.
4, Batch, Batch logon type is used by batch servers, where processes might run on behalf of a user without the user's direct intervention.
5, Service, A service was started by the Service Control Manager.
7, Unlock, This workstation was unlocked.
8, NetworkCleartext, A user logged on to a network and the user password was passed to the authentication package in its unhashed (plain text) form. It is possible that the unhashed password was passed across the network, for example, when IIS performed basic authentication.
9, NewCredentials, A caller (process, thread, or program) cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but it uses different credentials for other network connections.
10, RemoteInteractive, A user logged on to this computer remotely using Terminal Services or a Remote Desktop connection.
11, CachedInteractive, A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.

SUGGESTION
======================
When "Source Network Address" is "-" (no IP) together with a Logon Process of Advapi, the logon was very likely generated by a program. On its own the address is not conclusive: a genuine console logon at the keyboard also has no source address, and Windows XP does not record the field at all.
The more reliable indicator is the Logon Process field.

There is no definite way to distinguish whether an event 528 of logon type 2 was triggered by a real user or by a program.
However, from our experience, programs most often use the "Advapi" logon process, whereas a console user or an RDP session shows the "User32" logon process.

Logon Process: (User32 or Advapi)

For interactive (console) logons to a server, the User32 logon process is used, and this is what appears in the Logon Process field of Event ID 528.
Remote connections can use either the User32 or the Advapi logon process; which one appears depends on the particular API that the connecting application uses.
(That is: authentication that goes through winlogon.exe is reported as User32; calls to the LogonUser API are reported as Advapi.)

Microsoft RDP connections use User32 but, because the session comes in over the network, record Logon Type 10 rather than 2.
Other third-party remote tools such as DameWare happen to call Advapi, the advanced Win32 API library that handles many security functions, so they show up as Logon Type 2 with Logon Process Advapi.
Different remote connection solutions may use either, depending on their design.

Both advapi32.dll (reported as "Advapi") and user32.dll are capable of servicing a logon request that originates across the network.
(Note: DLL is short for Dynamic Link Library, a library of executable functions or data that can be used by a Windows application.)

Typically, a DLL provides one or more particular functions, and a program accesses them by creating either a static or a dynamic link to the DLL.
Some DLLs are used only by a specific application, while others, such as advapi32.dll, are used by a wide variety of applications.
Which logon process is recorded therefore depends on which API the application was written to call in order to perform the user logon.
If the remote connection application (DameWare, Citrix, RDP, etc.) is written to go through Winlogon, the logon process recorded will be User32. If instead the application calls LogonUser, the logon is serviced by advapi32.dll and recorded as Advapi. Whether Advapi or User32 is used comes down to the choice of the developer of the remote access application.
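The following is an added example, not code from the KB article: it parses Event 528 descriptions in the Windows Server 2003 layout shown in the BACKGROUND section and applies the Logon Type / Logon Process / Source Network Address heuristics from the SUGGESTION section. The sample events, user names, Logon IDs and addresses are constructed for illustration. The labels returned by classify_logon are this example's own naming, and the rule remains a heuristic, as the article says.

```python
"""Triage Security Event 528 (logon type 2) records by Logon Process.

Added example, not part of the original KB page. Sample events below are
constructed; the field layout mirrors the Windows Server 2003 description.
"""

# Constructed sample event descriptions (not real log data).
SAMPLE_EVENTS = {
    "console_user": """Successful Logon:
User Name:alice
Domain:ELM
Logon ID:(0x0,0x558DD)
Logon Type:2
Logon Process:User32
Authentication Package:Negotiate
Workstation Name:W2MS
Source Network Address:-
Source Port:-""",
    "remote_tool": """Successful Logon:
User Name:administrator
Domain:ELM
Logon ID:(0x0,0x5A1C2)
Logon Type:2
Logon Process:Advapi
Authentication Package:Negotiate
Workstation Name:W2MS
Caller Process ID: 1234
Source Network Address:10.42.42.170
Source Port:3165""",
    "rdp": """Successful Logon:
User Name:bob
Domain:ELM
Logon ID:(0x0,0x60F10)
Logon Type:10
Logon Process:User32
Authentication Package:Negotiate
Workstation Name:W2MS
Source Network Address:10.42.42.171
Source Port:1044""",
    # Windows XP layout: no Source Network Address / Source Port fields at all.
    "xp_console": """Successful Logon:
User Name:carol
Domain:ELM
Logon ID:(0x0,0x7B2A0)
Logon Type:2
Logon Process:User32
Authentication Package:Negotiate
Workstation Name:XPBOX
Logon GUID:{00000000-0000-0000-0000-000000000000}""",
}


def parse_event(text):
    """Turn the 'Field:value' lines of an Event 528 description into a dict.

    The first line ('Successful Logon:') carries no value and is skipped.
    Fields that an older OS omits (e.g. Source Network Address on XP) are
    simply absent from the result; callers must supply a default.
    """
    fields = {}
    for line in text.splitlines()[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields[name.strip()] = value.strip()
    return fields


def classify_logon(fields):
    """Apply the article's heuristics to one parsed event.

    Returns one of these example-specific labels:
      'rdp'              Logon Type 10 (Terminal Services / Remote Desktop)
      'program'          Type 2 via Advapi: a LogonUser() caller such as a
                         third-party remote-control tool
      'console-user'     Type 2 via User32 with no source address
      'remote-user32'    Type 2 via User32 but with a source address: a
                         remote tool that goes through Winlogon
      'unknown-process'  Type 2 with a logon process this rule does not know
      'other'            any other logon type (3, 4, 5, 7, 8, 9, 11)
    """
    logon_type = fields.get("Logon Type", "")
    process = fields.get("Logon Process", "").lower()
    # Missing field (Windows XP) is treated the same as "-".
    address = fields.get("Source Network Address", "-")
    if logon_type == "10":
        return "rdp"
    if logon_type != "2":
        return "other"
    if process == "advapi":
        return "program"
    if process == "user32":
        return "console-user" if address == "-" else "remote-user32"
    return "unknown-process"


def triage(events):
    """Return {label: [user names]} for a batch of event description texts."""
    result = {}
    for text in events:
        fields = parse_event(text)
        label = classify_logon(fields)
        result.setdefault(label, []).append(fields.get("User Name", "?"))
    return result


if __name__ == "__main__":
    for name, text in SAMPLE_EVENTS.items():
        print(f"{name:13s} -> {classify_logon(parse_event(text))}")
```

In practice the description text would come from the Security log (for example via the Event Viewer export or a collector) rather than the constructed strings above; the parser only relies on the "Field:value" line layout, so the Logon GUID and Caller fields present on XP/2003 are kept but not needed for the decision.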

Related reference documents:
https://support.microsoft.com/KB/326985
https://support.microsoft.com/KB/174073
https://blogs.msdn.com/ericfitz/archive/2004/12/09/279282.aspx
https://www.microsoft.com/technet/support/ee/result.aspx?EvtSrc=Security&EvtID=528&ProdName=Windows+Operating+System&LCID=1033&ProdVer=5.2
https://www.windowsecurity.com/articles/Logon-Types.html