On-Premise Logon Types - ToddMaxey/Technical-Documentation GitHub Wiki

Understanding Windows Logon Types and Security Logs

The Windows operating system accommodates a variety of logon sessions, each tailored to a specific mode of user interaction. These modes encompass local console access (termed 'interactive') and Remote Desktop sessions (referred to as 'remote interactive'), among others. Both local and domain accounts can be utilized across these logon types, and the system assigns specific numerical identifiers to each logon type, which are recorded in the Windows Security event log when a logon occurs.

In addition to logon types, certain logon rights must be granted before a user can initiate a specific type of logon; LSA checks the right that corresponds to the requested logon type before the session is created. Each Allow right has a matching Deny right, and a Deny always takes precedence over an Allow. These rights can be inspected and configured using tools like the Local Security Policy console (secpol.msc) under the path Security Settings \ Local Policies \ User Rights Assignment. Understanding logon types and their associated rights is critical for system administrators, especially when analyzing security events and troubleshooting authentication issues.

Below is a detailed explanation of the most common Windows logon types, their numeric identifiers, typical use cases, and the corresponding logon rights required.

Windows Logon Types

| Logon Number | Logon Type | Description | Example | Logon Right |
| --- | --- | --- | --- | --- |
| 0 | System | Used only by the system account during startup; no user interaction is involved. | The session created for the SYSTEM account at boot. | Not applicable (reserved for system use) |
| 2 | Interactive | A logon at the physical console of the computer, or any logon that requests a new interactive session locally (for example `runas` without `/netonly`). | A user signs in at the console at the beginning of the day. | Allow log on locally |
| 3 | Network | A user or computer connects to this machine over the network; credentials are validated but no desktop is created. Covers SMB file and print shares, WMI, PowerShell remoting (WinRM) and IIS with Windows (NTLM/Kerberos) authentication. | Opening a shared folder on another computer through a mapped network drive. | Access this computer from the network |
| 4 | Batch | Scheduled tasks that run under a stored user account without user interaction. | A task configured in Task Scheduler runs as a specific user account. | Log on as a batch job |
| 5 | Service | A service started by the Service Control Manager under a configured account; the service's permissions are those of that account. | A backup service runs under its own service account. | Log on as a service |
| 6 | Proxy | Documented by Microsoft as a proxy-type logon but marked not supported; it does not occur in practice. | None. | Not applicable |
| 7 | Unlock | An existing interactive session is unlocked (after a lock or a password-protected screensaver) by re-entering credentials. The logon right was checked when the session was created, not at unlock. | A user unlocks their workstation after returning from a break. | None checked at unlock (the original session's right applies) |
| 8 | NetworkCleartext | A network logon in which the password was handed to the authentication package in unhashed (plaintext) form instead of as an NTLM hash or Kerberos ticket. Whether it also crossed the wire unencrypted depends on the transport: IIS Basic authentication over HTTP does, over HTTPS it does not. | A user authenticates to an IIS site that uses Basic authentication. | Access this computer from the network |
| 9 | NewCredentials | The caller's existing token is cloned and the supplied credentials are attached for outbound network connections only; the local identity is unchanged. The credentials are not validated when the event is written, so a 4624 with type 9 appears even if the password is wrong. | `runas /netonly /user:CORP\admin cmd.exe`, then connecting to a remote share from that window. | None (the caller's existing session is reused) |
| 10 | RemoteInteractive | Remote Desktop or Terminal Services logon. With Network Level Authentication enabled, a type 3 logon for the NLA handshake typically precedes the type 10 session. | A user connects to a server over Remote Desktop Protocol (RDP). | Allow log on through Remote Desktop Services |
| 11 | CachedInteractive | Interactive logon with a domain account when no domain controller is reachable; the password is verified against the locally cached verifier. Typical for laptops off the corporate network. | A user signs in to their laptop while disconnected from the network. | Allow log on locally (evaluated from cached group membership) |

Event Logging and Audit Policies

When a logon event occurs, it is logged in the Security log under specific event IDs. For example:

  • Event ID 4624: Successful logon.

  • Event ID 4625: Failed logon attempt.

In these events the Logon Type is recorded by its numeric identifier, as shown in the table above. Each event also carries the account (TargetUserName and TargetDomainName), a Logon ID that ties it to later events for the same session, the authentication package (Kerberos, NTLM or Negotiate), the logon process and, for network-sourced logons, the source IP address and port; console logons show '-' or the loopback address instead. Exactly which fields are populated varies with the logon type, the kind of account and the system involved. Note that 4624 and 4625 are written on the computer where the logon session is created: a network logon to a file server appears in that server's Security log, not in the client's or the domain controller's. A 4625 additionally carries an NTSTATUS code (for example 0xC000006D for a bad username or password) explaining why the logon was rejected.
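The following PowerShell is an added example, not code from the original wiki page: it parses the XML of 4624/4625 events into the fields listed above, maps the numeric logon type to the name from the table, summarises logons per type and account, and flags two patterns the table calls out (type 8, where a plaintext password reached the authentication package, and RDP from outside a management subnet). The six events are constructed sample data in the real event schema, and the management prefix `10.0.10.` is an assumption to adjust for your environment.

```powershell
# Added example: parse 4624/4625 XML and summarise by logon type.
# Sample events are constructed for illustration, not taken from a real log.

$LogonTypeNames = @{
    0 = 'System'; 2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'
    6 = 'Proxy'; 7 = 'Unlock'; 8 = 'NetworkCleartext'; 9 = 'NewCredentials'
    10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

function ConvertFrom-LogonEvent {
    # Flattens one 4624/4625 event. Input is the XML string that
    # $event.ToXml() returns for an event from Get-WinEvent.
    param([Parameter(Mandatory)][string]$EventXml)
    $x = [xml]$EventXml
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    $type = [int]$d['LogonType']
    [pscustomobject]@{
        Time        = [datetime]$x.Event.System.TimeCreated.SystemTime
        EventId     = [int]$x.Event.System.EventID
        Computer    = $x.Event.System.Computer
        User        = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
        LogonType   = $type
        LogonName   = if ($LogonTypeNames.ContainsKey($type)) { $LogonTypeNames[$type] } else { "Unknown($type)" }
        AuthPackage = $d['AuthenticationPackageName']
        SourceIp    = $d['IpAddress']
        Status      = $d['Status']      # NTSTATUS code; present on 4625 only
    }
}

function Get-LogonSummary {
    # Successful logons counted per (type, account): the baseline to compare
    # new activity against.
    param([Parameter(Mandatory)][object[]]$Events)
    $Events | Where-Object EventId -eq 4624 | Group-Object LogonName, User | ForEach-Object {
        [pscustomobject]@{ LogonName = $_.Group[0].LogonName; User = $_.Group[0].User; Count = $_.Count }
    } | Sort-Object Count -Descending
}

function Find-SuspectLogons {
    # Type 8 means the password reached LSA unhashed; type 10 from outside the
    # management range is RDP from somewhere admins should not be coming from.
    param([Parameter(Mandatory)][object[]]$Events, [string]$ManagementPrefix = '10.0.10.')  # prefix is an assumption
    foreach ($e in $Events) {
        if ($e.EventId -ne 4624) { continue }
        if ($e.LogonType -eq 8) {
            [pscustomobject]@{ Reason = 'NetworkCleartext logon'; Event = $e }
        } elseif ($e.LogonType -eq 10 -and $e.SourceIp -notlike "$ManagementPrefix*") {
            [pscustomobject]@{ Reason = 'RDP from non-management address'; Event = $e }
        }
    }
}

function New-SampleEvent {
    # Builds a minimal event record in the Security log schema (constructed data).
    param([int]$Id, [string]$Time, [string]$User, [string]$Domain, [int]$Type, [string]$Ip, [string]$Package, [string]$Status = '')
    $statusNode = if ($Status) { "<Data Name='Status'>$Status</Data>" } else { '' }
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>$Id</EventID><TimeCreated SystemTime="$Time"/><Computer>WKSTN01.corp.example</Computer></System>
  <EventData><Data Name="TargetUserName">$User</Data><Data Name="TargetDomainName">$Domain</Data>
  <Data Name="LogonType">$Type</Data><Data Name="IpAddress">$Ip</Data>
  <Data Name="AuthenticationPackageName">$Package</Data>$statusNode</EventData>
</Event>
"@
}

$SampleEvents = @(
    New-SampleEvent -Id 4624 -Time '2024-05-01T08:02:11Z' -User 'alice'      -Domain 'CORP' -Type 2  -Ip '-'           -Package 'Negotiate'
    New-SampleEvent -Id 4624 -Time '2024-05-01T08:05:40Z' -User 'alice'      -Domain 'CORP' -Type 3  -Ip '10.0.20.15'  -Package 'Kerberos'
    New-SampleEvent -Id 4624 -Time '2024-05-01T09:12:03Z' -User 'svc-backup' -Domain 'CORP' -Type 5  -Ip '-'           -Package 'Negotiate'
    New-SampleEvent -Id 4624 -Time '2024-05-01T22:41:17Z' -User 'admin'      -Domain 'CORP' -Type 10 -Ip '203.0.113.7' -Package 'Negotiate'
    New-SampleEvent -Id 4624 -Time '2024-05-01T22:45:02Z' -User 'webuser'    -Domain 'CORP' -Type 8  -Ip '10.0.20.15'  -Package 'NTLM'
    New-SampleEvent -Id 4625 -Time '2024-05-01T22:50:30Z' -User 'admin'      -Domain 'CORP' -Type 10 -Ip '203.0.113.7' -Package 'NTLM' -Status '0xC000006D'
)

$parsed = $SampleEvents | ForEach-Object { ConvertFrom-LogonEvent $_ }
$parsed | Format-Table Time, EventId, User, LogonType, LogonName, AuthPackage, SourceIp, Status -AutoSize
Get-LogonSummary $parsed | Format-Table -AutoSize
Find-SuspectLogons $parsed | ForEach-Object {
    '{0}: {1} (type {2}) from {3}' -f $_.Reason, $_.Event.User, $_.Event.LogonType, $_.Event.SourceIp
}

# Against the live Security log (needs the right to read it, normally Administrators or Event Log Readers):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625 } -MaxEvents 1000 |
#     ForEach-Object { ConvertFrom-LogonEvent $_.ToXml() }
```

Run as-is it prints the parsed table, the per-type counts and two findings (the type 8 logon for `webuser` and the admin RDP session from 203.0.113.7). The XML dot-navigation ignores the event namespace, which is why `$x.Event.EventData.Data` works without an XmlNamespaceManager; if you feed it events from a forwarded-event collector the `Computer` field tells you which machine created the session.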

Windows writes these events only if the matching audit policy is enabled. On current systems this is configured under Advanced Audit Policy Configuration (in Local Security Policy, in a GPO for domain-joined machines, or with auditpol.exe from the command line); the two legacy categories under Local Policies \ Audit Policy still exist but map onto these subcategories:

  • Audit logon events (Logon/Logoff category, subcategories Logon and Logoff): produces 4624 and 4625 on the machine where the session is created. Enable both Success and Failure.

  • Audit account logon events (Account Logon category, subcategories Credential Validation and Kerberos Authentication Service): records the credential check itself (4776 for NTLM, 4768 and 4771 for Kerberos), which for domain accounts happens on the domain controller. Enable it on domain controllers to see authentication for every domain account in one place.

When the advanced subcategories are used, also enable "Audit: Force audit policy subcategory settings to override audit policy category settings" so that the legacy category settings cannot silently override them.

Properly configured audit policies help detect unauthorized access attempts, monitor user activity, and comply with security regulations.
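The following PowerShell is an added example, not part of the original page: it enables the advanced audit subcategories that produce the logon events discussed above and then verifies the effective setting by parsing the CSV output of `auditpol /get /r`. The choice of subcategories is an assumption that matches the two categories above; run it from an elevated session.

```powershell
# Added example: enable and verify logon auditing with auditpol.exe.

# Logon/Logoff subcategories write 4624/4625 where the session is created;
# the Account Logon subcategories are the advanced-policy form of
# "Audit account logon events" and matter most on domain controllers.
$LogonAuditSubcategories = @(
    'Logon', 'Logoff',                                           # Logon/Logoff category
    'Credential Validation', 'Kerberos Authentication Service'  # Account Logon category
)

function Get-AuditSetting {
    # auditpol /r prints CSV; the "Inclusion Setting" column is the effective
    # value: No Auditing, Success, Failure, or Success and Failure.
    param([Parameter(Mandatory)][string]$Subcategory)
    $row = auditpol /get /subcategory:"$Subcategory" /r |
        Where-Object { $_ -match ',' } | ConvertFrom-Csv
    [pscustomobject]@{ Subcategory = $Subcategory; Setting = $row.'Inclusion Setting' }
}

function Enable-LogonAuditing {
    param([string[]]$Subcategories = $LogonAuditSubcategories)
    foreach ($s in $Subcategories) {
        auditpol /set /subcategory:"$s" /success:enable /failure:enable | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "auditpol failed for subcategory '$s' (run elevated?)" }
    }
}

function Test-LogonAuditing {
    # $true only when every subcategory audits both success and failure.
    param([string[]]$Subcategories = $LogonAuditSubcategories)
    $gaps = foreach ($s in $Subcategories) {
        $setting = (Get-AuditSetting $s).Setting
        if ($setting -ne 'Success and Failure') { "$s = $setting" }
    }
    if ($gaps) { Write-Warning ('Incomplete logon auditing: ' + ($gaps -join '; ')); return $false }
    $true
}

Enable-LogonAuditing
Test-LogonAuditing
$LogonAuditSubcategories | ForEach-Object { Get-AuditSetting $_ } | Format-Table -AutoSize
```

On a domain-joined machine a GPO that sets the same subcategories is reapplied at the next refresh and will overwrite whatever this script set, so treat the local change as a test and put the real setting in Group Policy; the verification function is still useful there, because it reports what is actually in effect after the GPO has applied.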

Managing Logon Rights

Logon rights dictate which users are allowed to perform specific logon types. They can be managed through the Local Security Policy (secpol.msc), the Local Group Policy Editor (gpedit.msc) or, for domain-joined machines, a GPO edited in the Group Policy Management Console (gpmc.msc), in each case under Security Settings \ Local Policies \ User Rights Assignment. Each Allow right has a matching Deny right (for example "Deny log on through Remote Desktop Services"), and a Deny always takes precedence; that is the usual way to keep service and administrative accounts off interactive and RDP logons.

Common logon rights include:

  • Allow log on locally: Determines which users are permitted to log on directly at the system's console (logon type 2, and type 11 when cached credentials are used).

  • Access this computer from the network: Controls who can connect to the computer over the network (logon types 3 and 8).

  • Log on as a batch job: Defines which accounts can run scheduled tasks (logon type 4).

  • Log on as a service: Defines which accounts can start services using their credentials (logon type 5).

  • Allow log on through Remote Desktop Services: Specifies which users are allowed to log on via Remote Desktop (logon type 10).

It’s important to review and manage these rights carefully, particularly in environments where security is paramount. Misconfigurations can lead to either unintended access or improper restrictions that hinder normal operations.
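The following PowerShell is an added example, not part of the original page; it serves both the logon-rights column of the table above and this section. It parses the [Privilege Rights] section of a secedit security template (the format `secedit /export` writes), resolves the SID entries to account names, and reports for each logon type who is allowed and who is explicitly denied. The template text is constructed sample data using well-known BUILTIN SIDs so it runs offline; the mapping between privilege constants, policy names and logon types is the one documented by Windows.

```powershell
# Added example: parse User Rights Assignment from a secedit export and map
# the rights back to logon types. Template below is constructed sample data.

$SampleTemplate = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyNetworkLogonRight = *S-1-5-32-546
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546
SeServiceLogonRight = *S-1-5-80-0
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-559
[Version]
signature="$CHICAGO$"
Revision=1
'@

# Privilege constant -> policy name -> logon type it gates. Deny beats Allow.
$LogonRightMap = @(
    @{ Type = 2;  Policy = 'Allow log on locally';                         Allow = 'SeInteractiveLogonRight';       Deny = 'SeDenyInteractiveLogonRight' }
    @{ Type = 3;  Policy = 'Access this computer from the network';        Allow = 'SeNetworkLogonRight';           Deny = 'SeDenyNetworkLogonRight' }
    @{ Type = 4;  Policy = 'Log on as a batch job';                        Allow = 'SeBatchLogonRight';             Deny = 'SeDenyBatchLogonRight' }
    @{ Type = 5;  Policy = 'Log on as a service';                          Allow = 'SeServiceLogonRight';           Deny = 'SeDenyServiceLogonRight' }
    @{ Type = 10; Policy = 'Allow log on through Remote Desktop Services'; Allow = 'SeRemoteInteractiveLogonRight'; Deny = 'SeDenyRemoteInteractiveLogonRight' }
)

function Resolve-Sid {
    # Well-known SIDs (BUILTIN\*, NT AUTHORITY\*) resolve offline; domain SIDs
    # need a reachable DC and otherwise fall back to the raw SID string.
    param([Parameter(Mandatory)][string]$Sid)
    try { ([System.Security.Principal.SecurityIdentifier]$Sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid }
}

function ConvertFrom-PrivilegeRights {
    # Returns @{ <privilege constant> = @(<account names>) } from the
    # [Privilege Rights] section; other sections of the template are ignored.
    param([Parameter(Mandatory)][string]$TemplateText)
    $rights = @{}
    $inSection = $false
    foreach ($raw in $TemplateText -split "`r?`n") {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^(\w+)\s*=\s*(.*)$') { continue }
        $name, $list = $Matches[1], $Matches[2]
        $rights[$name] = @(
            foreach ($p in $list -split ',') {
                $p = $p.Trim()
                if (-not $p) { continue }
                # "*S-1-..." entries are SIDs; anything else is already a name
                if ($p.StartsWith('*')) { Resolve-Sid $p.Substring(1) } else { $p }
            }
        )
    }
    $rights
}

function Get-LogonTypeAccess {
    # One row per logon type. Removing denied names from the Allowed column is a
    # display simplification: Windows evaluates Deny by group membership in the
    # token, so a user inside a denied group is blocked even if listed by name.
    param([Parameter(Mandatory)][hashtable]$Rights)
    foreach ($m in $LogonRightMap) {
        $allow = @($Rights[$m.Allow] | Where-Object { $_ })
        $deny  = @($Rights[$m.Deny]  | Where-Object { $_ })
        [pscustomobject]@{
            LogonType = $m.Type
            Policy    = $m.Policy
            Allowed   = ($allow | Where-Object { $_ -notin $deny }) -join ', '
            Denied    = $deny -join ', '
        }
    }
}

$rights = ConvertFrom-PrivilegeRights $SampleTemplate
Get-LogonTypeAccess $rights | Format-Table -AutoSize

# Against the local machine (elevated): export the real template, then parse it.
# Get-Content handles the UTF-16 file secedit writes because it carries a BOM.
# secedit /export /cfg "$env:TEMP\user-rights.inf" /areas USER_RIGHTS | Out-Null
# $rights = ConvertFrom-PrivilegeRights (Get-Content "$env:TEMP\user-rights.inf" -Raw)
```

On the sample data the report shows Guests denied both network and RDP logon, Everyone still holding "Access this computer from the network" (the default, and worth tightening on servers), and no one but Administrators and Remote Desktop Users able to reach logon type 10. A right that is absent from the export means nobody holds it, which for "Log on as a service" or "Log on as a batch job" is a common reason a service or scheduled task fails with a logon error rather than a security problem.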