How To Monitor Windows Logins

4 Mins read
 How To Monitor Windows Logins
Every day people log into their computers both at work and at home. It is a step at the beginning of the workday that occurs without a thought. While it is a mundane step (and sometimes annoying if users can’t remember their password) for the employee, it is a critical step that should be monitored on an ongoing basis by IT staff. IT teams are always short on time when an issue develops. Users want a resolution immediately and generally do not understand what it takes to troubleshoot problems. When an issue does take place, the historical monitoring data collected can help identify potential problems. Equally, it can also eliminate issues, allowing the IT staff to get to a resolution quicker.

Here Are Five Important Steps To Take To Monitor Windows Logins.

Make Logins Mandatory

In recent versions of Windows, users can bypass the login screen that automatically appears upon startup. Admins can mandate a variety of different scenarios to force a login. For example, you could use Group Policy to apply a Password Policy which affects the characteristics and behavior of passwords. 
Used for both domain and local user accounts, admins can determine settings for passwords. You can configure the password policy settings by using the Group Policy Management Console on your domain controller in: Computer ConfigurationWindows SettingsSecurity SettingsAccount PoliciesPassword Policy. Through this policy, you can enforce settings such as password age, length, and complexity.

Use Audit Policies

The audit policy manages the types of events being logged. An admin should manage Audit Account Logon Events and Audit Logon Events. While they sound similar, they handle two very different events. Audit Account Logon Events determine whether or not to audit each instance of a user logging on or logging off of a computer where the computer was used to validate the account. This is located in: Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesAudit Policy. 
Audit Logon Events determine whether to audit each instance of a user logging on, logging off, or making a network connection to the computer. This is located in: Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesAudit Policy. This setting should be enabled on any machine that needs to be monitored and will record information in the “logon/Logoff” category.

Consider Using Third-Party Tools

There is a wide selection of third-party tools available that work with new or existing Windows Server configurations. Admins can use these tools to help manage a variety of activities that occur on a network. For example, The Event Log Monitor within Power Admin’s Server Monitor can monitor multiple logs within the system, including reporting each time someone logs onto a Windows computer or fails the logon process. 
The Event Log monitor works in real time because it has a configurable monitoring cycle Scheduling option. It even has a testing option so admins can create a dummy event in the log to verify if your current config will identify it or if adjustments to the configuration are necessary.

Account Credential Validation

While not configured by default, Account Credential Validation determines whether the operating system generates audit events on credentials that are submitted for a user account logon request. In enterprise environments, domain accounts are used more often than local accounts. As a result most of the Account Logon events in a typical domain environment take place on the domain controller that is primary for those accounts. 
It is important to remember, however, that these types of events can take place on any computer and may take place in concert on separate computers from Logon and Logoff events. It is important to enable this auditing subcategory to handle local account authentication domain accounts for NT LAN Manager (NTLM) authentication. It can specifically help admins monitor failed logon attempts and potential account attacks. 
For example, event 4776 (S, F) is generated whenever a credential validation will occur when using HTML authentication. While initially this may appear to be a good event to track, it only occurs on the computer that is authoritative for the provided credentials. It will show both unsuccessful and successful credential validation attempts. If the validation attempt fails, you will see a Failure event Error Code value not equal to 0x0. By reviewing the audit logon events such as 4776, anomalies can be more easily identified, which can ultimately help avoid nefarious server access attempts.


While not in wide use in corporate environments today, biometrics is now standard on many new laptops shipping today. Credentials can be anything from a fingerprint to facial recognition using infrared sensors and work together with a PIN. 
Known as “Windows Hello” in Windows 10, authentication does not roam and cannot be easily extracted from a device. Since this data stays local (i.e., no transmission to servers), there is no collection point to easily hack. 
Admins can create a Group Policy or Mobile Device Management (MDM) Policy settings which are available in both User configuration and Computer Configuration under Policies Administrative TemplatesWindows ComponentsWindows Hello for Business. Many predict biometrics will gain wide acceptance by users who wish to avoid remembering yet another password. It will definitely require some user education on how it works and how information stays private.

While it may seem a basic or unnecessary, monitoring Windows logins regardless of their type, it is worth the time spent to become familiar with all the options available to an admin team. When monitoring of event logs is not consistent, it can prove detrimental to any business. For example, the 2012 Verizon Data Breach Report found that even though 85 percent of breaches took several weeks to be noticed, 84 percent of victims had evidence of the breach in their event logs. This level of monitoring should be just one part of a larger IT security strategy put in place. Not only will monitoring Windows logins ensure only authorized employees gain access to a network, it will help identify potential issues with the health and security of a network.

Leave a Reply

Your email address will not be published. Required fields are marked *