[There's a reason that Yoda is the unofficial mascot of SBS.  Size indeed matters not.] Logon Type: 10 - THE OFFICIAL BLOG OF THE SBS "DIVA"
Sun, Dec 2 2007 1:23 bradley

Logon Type: 10

Reading "how" they come in is sometimes a little tricky...

When someone authenticates via RWW, you don't see them coming in as a logon type "10" (see http://www.windowsecurity.com/articles/Logon-Types.html); rather, it's a "3" and an "8".

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date:  12/2/2007
Time:  12:12:21 AM
User:  Domain\User
Computer: SERVER
Description:
Successful Network Logon:
  User Name: User
  Domain:  Domain
  Logon ID:  (0x0,0x5EC3E095)
  Logon Type: 8
  Logon Process: Advapi 
  Authentication Package: Negotiate
  Workstation Name: SERVER
  Logon GUID: {d3edde95-966c-36c4-049d-2040a158d36f}
  Caller User Name: DOMAIN$
  Caller Domain: DOMAIN
  Caller Logon ID: (0x0,0x3E7)
  Caller Process ID: 240
  Transited Services: -
  Source Network Address: xx.xxx.xxx.xxx  <<the IP address of the person logging in will be here
  Source Port: 56886


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

When I RDP to a system from an external location, that's when you get a "10" in the audit logs.

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date:  12/2/2007
Time:  3:34:57 AM
User:  SERVER\USER
Computer: SERVER
Description:
Successful Logon:
  User Name: User
  Domain:  SERVER
  Logon ID:  (0x0,0x12382318)
  Logon Type: 10
  Logon Process: User32 
  Authentication Package: Negotiate
  Workstation Name: SERVER
  Logon GUID: -
  Caller User Name: SERVER$
  Caller Domain: WORKGROUP
  Caller Logon ID: (0x0,0x3E7)
  Caller Process ID: 3452
  Transited Services: -
  Source Network Address: xx.xxx.xxx.xxx  << again the person's IP address will be here
  Source Port: 57780


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

If someone is 'banging' on your 3389 port you'll see something like this in the logs:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date:  12/2/2007
Time:  3:38:40 AM
User:  NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
Logon Failure:
  Reason:  Unknown user name or bad password
  User Name: User
  Domain:  xx.xxx.xxx.xxx
  Logon Type: 10
  Logon Process: User32 
  Authentication Package: Negotiate
  Workstation Name: SERVER
  Caller User Name: SERVER$
  Caller Domain: WORKGROUP
  Caller Logon ID: (0x0,0x3E7)
  Caller Process ID: 3876
  Transited Services: -
  Source Network Address: xx.xxx.xxx.xxx  << IP address of person attempting access
  Source Port: 57793


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Play around with the various means of access in your network. Watch the event codes on the system and keep track of what each one tells you about how someone is attempting to get in. If you see logon type 10s, that means you have your 3389 port exposed to the world. While a good strong passphrase is "good enough" security, remember that a little dash of paranoia to limit access to that port is also a good thing.

Understanding your log files, and the codes that tell you how someone accessed the system, always helps you understand a system better.
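To keep track of the event codes as suggested above, here is an added example (not part of the original post) that parses Security log text exported in the layout shown and tallies logons by event ID and logon type, flagging addresses with repeated type 10 failures. The function names, the threshold of 3 and the sample records (documentation-range addresses) are assumptions made for illustration.

```python
import re
from collections import Counter

# Logon types seen in this post, with their standard Windows names.
LOGON_TYPES = {"3": "Network", "8": "NetworkCleartext", "10": "RemoteInteractive"}
# "Field Name: value" lines; the footer line with a comma before its URL does not match.
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")

def parse_events(text):
    """Split exported event text into dicts, one per 'Event Type:' record."""
    events = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Event Type":          # first field of every record
            events.append({})
        if events:
            events[-1].setdefault(key, value)
    return events

def summarize(events, threshold=3):
    """Count (event id, logon type) pairs; return sources with many 529/type 10 failures."""
    by_kind, rdp_failures = Counter(), Counter()
    for ev in events:
        ltype = ev.get("Logon Type")
        by_kind[(ev.get("Event ID"), LOGON_TYPES.get(ltype, ltype))] += 1
        if ev.get("Event ID") == "529" and ltype == "10":
            # Keep only the address; drop any trailing annotation on the line.
            src = (ev.get("Source Network Address") or "?").split()[0]
            rdp_failures[src] += 1
    noisy = {ip: n for ip, n in rdp_failures.items() if n >= threshold}
    return by_kind, noisy

def _record(kind, eid, ltype, ip):
    # Constructed sample record, abbreviated from the layout of the events above.
    return (f"Event Type: {kind}\nEvent Source: Security\nEvent ID: {eid}\n"
            f"Description:\n  User Name: User\n  Logon Type: {ltype}\n"
            f"  Source Network Address: {ip}\n  Source Port: 57793\n\n")

SAMPLE = (_record("Success Audit", 540, 8, "198.51.100.7")
          + _record("Success Audit", 528, 10, "198.51.100.7")
          + _record("Failure Audit", 529, 10, "203.0.113.50") * 4
          + _record("Failure Audit", 529, 10, "203.0.113.99  << annotated"))

if __name__ == "__main__":
    kinds, noisy = summarize(parse_events(SAMPLE))
    for (eid, ltype), n in sorted(kinds.items()):
        print(f"Event {eid}  type {ltype}: {n}")
    print("Repeated type 10 failures:", noisy)
```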


# Tracking who accessing corporate resources with RWW

Sunday, December 02, 2007 4:14 PM by Scorpion Software Corporate Weblog

Susan Bradley blogged about how she uses RWW-Guard to monitor who is logging in via Remote Web Workplace (RWW) on SBS 2003. I love seeing comments like this, as it shows real world usage of our products in the field in a way that solves real pain points

# re: Logon Type: 10

Tuesday, December 04, 2007 8:13 AM by Amy

I would also suggest using those cool new event log features to segregate out the 3, 8 and 10 login types so you can find them easier when reviewing the logs.