I am sure that the words “user login” or “user logon” became part of your vocabulary a long time ago. And you, as the network admin on duty or “the guy with a technical background”, might be one of the few who actually know the difference between the two terms.
What you might wonder is how important it is to know about user logons happening on your network. Here are 5 good reasons why:
1. Know Who. When bad things happen, the uneasy question “Who did it?” comes up, and you had better be prepared. Knowing who was logged on around the time of the security incident provides crucial data for the investigation and helps you draw a circle of potential suspects.
2. Know What. When somebody is trying to brute-force their way into a computer on your network, you want to know, right? That’s why tracking failed logon attempts is a no-brainer. How else do you know what is going on with your users’ accounts?
3. Know When. You certainly have a solid account deprovisioning policy in place, but something still keeps you up at night. How do you make sure that terminated accounts are no longer used? What if something went wrong and the account of a disgruntled employee is still being used somewhere on the corporate network? Well, this is where tracking the last logon time of your domain accounts comes into play.
4. Know Where. Sometimes knowing where your users have logged on is really the only way to mitigate the risk of the most dangerous vulnerabilities. The official recommendation from Microsoft to safeguard yourself from the Pass-the-Hash vulnerability is to control where privileged accounts have been used. If you know which computers domain and local administrators have been logging on to, you will be able to tell whether any of those systems is less well protected and whether there is a risk of those credentials being compromised.
5. Know From Where. How do you know that access to resources on your network only comes from expected locations? What if somebody contracts the work out to developers in China, gladly passing them all the legitimate login credentials to explore the inner workings of your protected network? Tracking the origin of user logons (the network location a logon came from) is the simplest yet a very effective measure to protect your organization from leakage of sensitive data.
This summarizes the 5 W’s you need to know about logons of your users: Who, What, When, Where and From Where.
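The five checks above map directly onto five small queries over logon records. The script below is an added example, not part of the original post and not code from SecureHero or Logon Reporter: it runs each of the 5 Ws over a constructed set of sample logon events (account, success flag, target computer, source address, timestamp). The brute-force threshold (5 failures in one minute), the list of privileged accounts, the allowed host set for them, the termination dates and the trusted network range are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import NamedTuple


class LogonEvent(NamedTuple):
    when: datetime
    account: str
    success: bool
    host: str        # computer the logon was made to
    source_ip: str   # network address the logon came from


def parse_ts(s):
    return datetime.fromisoformat(s)


# Constructed sample events (not real log data). The field set mirrors what a
# domain controller or workstation security log records for a logon attempt.
SAMPLE_EVENTS = [
    LogonEvent(parse_ts("2024-03-01T08:02:10"), "alice", True, "WS-101", "10.0.5.21"),
    LogonEvent(parse_ts("2024-03-01T08:05:44"), "svc-backup", True, "FS-01", "10.0.1.9"),
    LogonEvent(parse_ts("2024-03-01T08:07:03"), "bob", False, "WS-102", "10.0.5.22"),
    LogonEvent(parse_ts("2024-03-01T08:07:05"), "bob", False, "WS-102", "10.0.5.22"),
    LogonEvent(parse_ts("2024-03-01T08:07:08"), "bob", False, "WS-102", "10.0.5.22"),
    LogonEvent(parse_ts("2024-03-01T08:07:11"), "bob", False, "WS-102", "10.0.5.22"),
    LogonEvent(parse_ts("2024-03-01T08:07:14"), "bob", False, "WS-102", "10.0.5.22"),
    LogonEvent(parse_ts("2024-03-01T08:30:00"), "bob", True, "WS-102", "10.0.5.22"),
    LogonEvent(parse_ts("2024-03-01T09:15:00"), "domadmin", True, "WS-117", "10.0.5.40"),
    LogonEvent(parse_ts("2024-03-01T09:20:00"), "domadmin", True, "DC-01", "10.0.0.5"),
    LogonEvent(parse_ts("2024-03-01T10:00:00"), "carol", True, "FS-01", "203.0.113.7"),
    LogonEvent(parse_ts("2024-03-02T22:10:00"), "dave", True, "WS-103", "10.0.5.23"),
]


def know_who(events, incident_time, lookback=timedelta(hours=2)):
    """Accounts with a successful logon in the window before an incident."""
    start = incident_time - lookback
    return sorted({e.account for e in events
                   if e.success and start <= e.when <= incident_time})


def know_what(events, threshold=5, window=timedelta(minutes=1)):
    """(account, source_ip) pairs with at least `threshold` failed logons
    inside `window`: the trace a password-guessing attempt leaves behind."""
    failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e.when):
        if not e.success:
            failures[(e.account, e.source_ip)].append(e.when)
    bursts = []
    for key, times in failures.items():
        lo = 0
        for hi in range(len(times)):        # sliding window over sorted times
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                bursts.append(key)
                break
    return bursts


def know_when(events, terminated):
    """Terminated accounts (account -> termination time) that still logged on
    successfully afterwards, with the most recent such logon time."""
    hits = {}
    for e in events:
        cutoff = terminated.get(e.account)
        if cutoff is not None and e.success and e.when > cutoff:
            hits[e.account] = max(hits.get(e.account, e.when), e.when)
    return hits


def know_where(events, privileged, allowed_hosts):
    """Privileged accounts logging on to hosts outside their allowed set; each
    such logon leaves reusable credential material on a less-protected box."""
    return sorted({(e.account, e.host) for e in events
                   if e.success and e.account in privileged
                   and e.host not in allowed_hosts})


def know_from_where(events, trusted_networks):
    """Successful logons whose source address is outside every trusted range."""
    nets = [ip_network(n) for n in trusted_networks]
    return sorted({(e.account, e.source_ip) for e in events
                   if e.success
                   and not any(ip_address(e.source_ip) in n for n in nets)})


if __name__ == "__main__":
    print("who:", know_who(SAMPLE_EVENTS, parse_ts("2024-03-01T09:30:00")))
    print("what:", know_what(SAMPLE_EVENTS))
    print("when:", know_when(SAMPLE_EVENTS, {"dave": parse_ts("2024-02-28T18:00:00")}))
    print("where:", know_where(SAMPLE_EVENTS, {"domadmin"}, {"DC-01", "DC-02"}))
    print("from where:", know_from_where(SAMPLE_EVENTS, ["10.0.0.0/8"]))
```

Each function is a pure query over the event list, so the same code can be pointed at records exported from whatever log source you already collect; the thresholds and allow-lists are the parts you would tune to your own environment.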
Tracking logons is a regular hygiene task you have to perform to keep your network secure and protect your users’ accounts. It turns out that tracking and reporting on user account logons is also one of the key requirements of various regulations such as PCI-DSS, SOX, HIPAA and others. But that is a whole other story…
Now how do you track user logons without too much trouble? The good news is that experts from the SecureHero team know how. Download Logon Reporter completely for free and get all of the 5Ws of user logons!