Hi mariora,

To track the use of the local administrator you can look in the Windows security event log. On the source server you will see event ID 4648, which tells you the name of the source user, the remote machine name connected to and the remote credentials used. On the remote machine you will see Windows security event ID 4624, which tells you the credentials used, the source server name and the source IP address. The auditing that produces these events is enabled by the security baselines provided by Microsoft.

To track other user activities across the network, including to non-Windows systems, you need to enable success auditing of ‘Object Access/Audit Filtering Platform Connection’; this will then log event ID 5156 in the Windows security event log.

Example:

A Linux server log shows a login from IP address 10.0.0.1 to TCP port 22 with a source port of 59109.

The Windows security log on the server with address 10.0.0.1 has a corresponding event ID 5156 showing putty.exe making the connection with a matching source port and matching timestamp.

The event ID 5156 will tell you the decimal process ID, e.g. 7672; this needs to be converted to hex, e.g. 1df8.

Searching for process creation event ID 4688 containing 1df8 will find, for example:

New Process ID: 0x1df8
New Process Name: C:\Program Files\PuTTY\putty.exe

And in that log entry will be the account details of the user running the program.

Let me know how you get on,
Steve
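The correlation described in the reply above, written out as a PowerShell sketch; this is an added example, not part of the original post. It assumes an elevated session on the source server, that events 5156 and 4688 are both being logged there, and the function names, the 30-second skew window and the sample timestamp are made up for illustration.

```powershell
# Added example: map a remote login record to the local process and account.
function Get-EventDataMap {
    param($Record)
    # Flatten <EventData><Data Name="X">value</Data></EventData> into a hashtable.
    $map = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    $map
}

function Find-ConnectionOwner {
    param(
        [Parameter(Mandatory)][int]$SourcePort,
        [Parameter(Mandatory)][int]$DestPort,
        [Parameter(Mandatory)][datetime]$LoginTime,  # timestamp from the remote system's log
        [int]$WindowSeconds = 30                      # clock-skew tolerance (assumed value)
    )
    # Step 1: find the 5156 event whose ports match the remote log entry.
    $conn = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 5156
        StartTime = $LoginTime.AddSeconds(-$WindowSeconds)
        EndTime   = $LoginTime.AddSeconds($WindowSeconds)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $d = Get-EventDataMap $_
        if ([int]$d.SourcePort -eq $SourcePort -and [int]$d.DestPort -eq $DestPort) {
            [pscustomobject]@{ Time = $_.TimeCreated; ProcId = [int]$d.ProcessID; App = $d.Application }
        }
    } | Select-Object -First 1
    if (-not $conn) { Write-Warning 'No matching 5156 event found.'; return }

    # Step 2: 5156 logs the PID in decimal, 4688 logs it in hex (7672 -> 0x1df8).
    $hexPid = '0x{0:x}' -f $conn.ProcId

    # Step 3: PIDs are reused, so take the newest 4688 logged at or before the connection.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; EndTime = $conn.Time } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-EventDataMap $_
            if ($p.NewProcessId -eq $hexPid) {
                [pscustomobject]@{
                    ConnectionTime = $conn.Time; ProcessStart = $_.TimeCreated
                    NewProcessId = $p.NewProcessId; NewProcessName = $p.NewProcessName
                    Account = "$($p.SubjectDomainName)\$($p.SubjectUserName)"
                }
            }
        } | Select-Object -First 1
}

# Ports are the ones from the post's example; the timestamp is a constructed placeholder.
Find-ConnectionOwner -SourcePort 59109 -DestPort 22 -LoginTime '2024-01-01 12:00:00'
```

Because Windows reuses process IDs, the script returns only the most recent 4688 entry logged before the connection rather than every entry containing the hex value.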