Audit Other Logon/Logoff Events

Applies to

  • Windows 10
  • Windows Server 2016

Audit Other Logon/Logoff Events determines whether Windows generates audit events for other logon or logoff events.

These other logon or logoff events include:

  • A Remote Desktop session connects or disconnects.

  • A workstation is locked or unlocked.

  • A screen saver is invoked or dismissed.

  • A replay attack is detected. This event indicates that a Kerberos request was received twice with identical information. This condition could also be caused by network misconfiguration.

  • A user is granted access to a wireless network. It can be either a user account or the computer account.

  • A user is granted access to a wired 802.1x network. It can be either a user account or the computer account.

Logon events are essential to understanding user activity and detecting potential attacks.

Event volume: Low.

Computer Type General Success General Failure Stronger Success Stronger Failure Comments
Domain Controller Yes Yes Yes Yes We recommend Success auditing, to track possible Kerberos replay attacks, terminal session connect and disconnect actions, network authentication events, and some other events. Volume of these events is typically very low.
Failure events will show you when requested credentials CredSSP delegation was disallowed by policy. The volume of these events is very low—typically you will not get any of these events.
Member Server Yes Yes Yes Yes We recommend Success auditing, to track possible terminal session connect and disconnect actions, network authentication events, and some other events. Volume of these events is typically very low.
Failure events will show you when requested credentials CredSSP delegation was disallowed by policy. The volume of these events is very low—typically you will not get any of these events.
Workstation Yes Yes Yes Yes We recommend Success auditing, to track possible terminal session connect and disconnect actions, network authentication events, and some other events. Volume of these events is typically very low.
Failure events will show you when requested credentials CredSSP delegation was disallowed by policy. The volume of these events is very low—typically you will not get any of these events.

Events List:

  • 4649(S): A replay attack was detected.

  • 4778(S): A session was reconnected to a Window Station.

  • 4779(S): A session was disconnected from a Window Station.

  • 4800(S): The workstation was locked.

  • 4801(S): The workstation was unlocked.

  • 4802(S): The screen saver was invoked.

  • 4803(S): The screen saver was dismissed.

  • 5378(F): The requested credentials delegation was disallowed by policy.

  • 5632(S): A request was made to authenticate to a wireless network.

  • 5633(S): A request was made to authenticate to a wired network.