G'day viewers, my name is Orin Thomas. I'm a Principal Hybrid Cloud Advocate at Microsoft. In this video, you'll learn about the Logon/Logoff category of advanced security auditing for Windows Server. These policies are separate from the advanced security auditing policies under the Account Logon category, which we cover in another video. This advice is based on the documentation published on learn.microsoft.com at the link in this video's description.

This video is part of a series of videos on advanced auditing and related events that will be published in the coming weeks. Our aim is to provide you with a comprehensive understanding of advanced security auditing in Windows Server and Active Directory environments.

Logon/Logoff security policy settings and audit events allow you to track attempts to log on to a computer interactively or over a network. These events are particularly useful for tracking user activity and identifying potential attacks on network resources. This category includes the following subcategories: Audit Account Lockout, Audit User/Device Claims, Audit IPsec Extended Mode, Audit Group Membership, Audit IPsec Main Mode, Audit IPsec Quick Mode, Audit Logoff, Audit Logon, Audit Network Policy Server, Audit Other Logon/Logoff Events, and Audit Special Logon.

These policies are separate from the Account Logon category, which is more related to the authentication process and which is covered in another video. Some of these policies are related to IPsec and are only useful if you're deep down the rabbit hole trying to figure out why IPsec isn't working on a computer.

The Audit Account Lockout policy enables you to audit security events that are generated by a failed attempt to log on to an account that is locked out. If you configure this policy setting, an audit event is generated when an account cannot log on to a computer because the account is locked out.
Account lockout events are essential for understanding user activity and detecting potential attacks. Microsoft recommends tracking account lockouts, especially for high-value domain or local accounts, including database administrators, the built-in local Administrator account, domain administrators, service accounts, domain controller accounts, and other accounts of that nature. Only one event ID is generated in the local computer's Security log when you enable this auditing category.

The Audit Group Membership policy allows you to audit group memberships when they're enumerated on the client computer. This policy allows you to audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. Only one event ID is generated in the local computer's Security log when you enable this auditing category.

The Audit User/Device Claims policy allows you to audit user and device claims information in the account's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. Only one event ID is generated in the local computer's Security log when you enable this auditing category.

The Audit IPsec Extended Mode policy allows you to audit events generated by the Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations.
This policy is useful for diagnosing problems if you are troubleshooting IPsec and other avenues don't work. The event IDs generated in the Security log when you enable this auditing category are displayed on the screen. More detail is available in the article linked below.

The Audit IPsec Main Mode policy allows you to audit events generated by the Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. This policy is useful for diagnosing problems if you are troubleshooting IPsec and other avenues don't work. The event IDs generated in the Security log when you enable this auditing category are displayed on the screen. More detail is available in the article linked below.

The Audit IPsec Quick Mode policy allows you to audit events generated by the Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. This policy is useful for diagnosing problems if you are troubleshooting IPsec and other avenues don't work. The event IDs generated in the Security log when you enable this auditing category are displayed on the screen. More detail is available in the article linked below.

The Audit Logoff policy determines whether the operating system generates audit events when logon sessions are terminated. These events occur on the computer that was accessed. For an interactive logon, these events are generated on the computer that was logged on to. Logon events are essential to understanding user activity and detecting potential attacks. Logoff events are not 100% reliable. Failed logoffs, such as when a system abruptly shuts down, do not generate an audit record. The event IDs generated in the Security log when you enable this auditing category are displayed on the screen. More detail is available in the article linked below.

The Audit Logon policy determines whether the operating system generates audit events when a user attempts to log on to a computer.
These events are related to the creation of logon sessions and occur on the computer that was accessed. For an interactive logon, events are generated on the computer that was logged on to. For a network logon, such as accessing a share, events are generated on the computer that hosts the resource that was accessed. The following events are recorded: logon success and failure; logon attempts by using explicit credentials (this event is generated when a process attempts to log on an account by explicitly specifying that account's credentials, which most commonly occurs in batch configurations such as scheduled tasks, or when using the runas command); and security identifiers (SIDs) that are filtered. Logon events are essential to tracking user activity and detecting potential attacks. The event IDs generated in the Security log when you enable this auditing category are displayed on the screen. More detail is available in the article linked below.

The Audit Network Policy Server policy allows you to audit events generated by RADIUS (IAS, Internet Authentication Service, not the web server, that's just my Australian accent for those that are confused) activity related to user access requests. These requests can be grant, deny, discard, quarantine, lock, and unlock. If you configure this subcategory, an audit event is generated for each IAS and NAP user access request. Network Access Protection (NAP) hasn't been included in Windows Server since it was deprecated a decade ago. WINS survives though. WINS is the COBOL of Windows Server roles and features. This subcategory generates events only if the NAS or IAS role is installed on the server.

The Audit Other Logon/Logoff Events policy determines whether Windows generates audit events for other logon or logoff events. These other logon or logoff events include: a Remote Desktop session connects or disconnects; a workstation is locked or unlocked; a screen saver is invoked or dismissed; a replay attack is detected.
This event indicates that a Kerberos request was received twice with identical information. This condition could also be caused by network misconfiguration. Further events in this subcategory: a user is granted access to a wireless network (it can be either a user account or the computer account); a user is granted access to a wired 802.1x network. Logon events are essential to understanding user activity and detecting potential attacks. The event IDs generated in the Security log when you enable this auditing category are displayed on the screen. More detail is available in the article linked below.

The Audit Special Logon policy determines whether the operating system generates audit events under special sign-on or logon circumstances. This subcategory allows you to audit events generated by special logons such as the following: the use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level; and a logon by a member of a special group. Special groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is written to the log. This subcategory is very important for auditing on domain controllers because of special-groups-related events. This policy allows you to track account logon sessions to which sensitive privileges were assigned.

This video provided an introduction to Windows Server Advanced Security Auditing Logon/Logoff policies. The advice in this video is based on the documentation published on learn.microsoft.com at the link in this video's description. Increasing the security controls applied to Active Directory will improve your overall AD DS security posture, but it will not make your systems invulnerable.
Security is always a matter of balancing what can be pragmatically accomplished by administrators in day-to-day operations with an assumed-breach philosophy. Are there any AD DS security or Windows Server related topics you'd like us to cover in a future video? If so, mention it below. I hope you found this video useful and informative. My name is Orin Thomas. You can find me at aka.ms/orin, and if you've got any questions or feedback, drop a comment below.
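As an added example, not code from the video or from Microsoft's documentation: a PowerShell script that enables the Logon/Logoff subcategories discussed above with auditpol and then configures the special-groups SID list that the Audit Special Logon subcategory reports on. The video does not name the registry location; the LSA Audit key and SpecialGroups value below are the ones Windows reads for this feature (verify against the linked documentation), the success/failure choices are illustrative, and the Domain Admins SID is a placeholder you must replace with your own domain's SID.

```powershell
# Added example (not from the video): run in an elevated PowerShell session on the
# computer whose Security log you want to populate (for network logons, the resource host).
$ErrorActionPreference = 'Stop'

# Subcategory names as listed by: auditpol /list /subcategory:"Logon/Logoff"
# Success/failure choices are illustrative; IPsec Main/Quick/Extended Mode and
# Network Policy Server are left untouched, as the video treats them as troubleshooting aids.
$enable = @{
    'Account Lockout'           = @{ success = $false; failure = $true  }
    'Logon'                     = @{ success = $true;  failure = $true  }
    'Logoff'                    = @{ success = $true;  failure = $false }
    'Special Logon'             = @{ success = $true;  failure = $false }
    'Other Logon/Logoff Events' = @{ success = $true;  failure = $true  }
    'Group Membership'          = @{ success = $true;  failure = $false }
}

foreach ($name in $enable.Keys) {
    $s = if ($enable[$name].success) { 'enable' } else { 'disable' }
    $f = if ($enable[$name].failure) { 'enable' } else { 'disable' }
    # Each switch is quoted as one argument so the colon and spaces survive intact.
    auditpol.exe /set "/subcategory:$name" "/success:$s" "/failure:$f" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for subcategory '$name'" }
}

# Special groups: a semicolon-separated SID list in a REG_SZ value. A logon whose token
# contains any of these SIDs produces a Special Logon event while that subcategory is enabled.
$specialGroups = @(
    'S-1-5-32-544',                          # BUILTIN\Administrators (well-known SID)
    'S-1-5-21-<DOMAIN-SID-PLACEHOLDER>-512'  # Domain Admins: replace <...> with your domain SID
)
$lsaAudit = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Audit'   # location assumed, see lead-in
if (-not (Test-Path $lsaAudit)) { New-Item -Path $lsaAudit -Force | Out-Null }
Set-ItemProperty -Path $lsaAudit -Name 'SpecialGroups' -Type String -Value ($specialGroups -join ';')

# Verify: effective settings for the whole category, then the SID list actually stored.
auditpol.exe /get /category:"Logon/Logoff"
(Get-ItemProperty -Path $lsaAudit -Name 'SpecialGroups').SpecialGroups
```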