|Platform: win2012r2||Date: (C)2015-10-08 (M)2018-03-24|
Audit Policy: Logon-Logoff: Other Logon/Logoff Events
This subcategory reports other logon/logoff-related events, such as Terminal Services session disconnects and reconnects, using RunAs to run processes under a different account, and locking and unlocking a workstation. Events for this subcategory include:
? 4649: A replay attack was detected.
? 4778: A session was reconnected to a Window Station.
? 4779: A session was disconnected from a Window Station.
? 4800: The workstation was locked.
? 4801: The workstation was unlocked.
? 4802: The screen saver was invoked.
? 4803: The screen saver was dismissed.
? 5378: The requested credentials delegation was disallowed by policy.
? 5632: A request was made to authenticate to a wireless network.
? 5633: A request was made to authenticate to a wired network.
Refer to the Microsoft Knowledgebase article ?Description of security events in Windows Vista and in Windows Server 2008? for the most recent information about this setting: http://support.microsoft.com/default.aspx/kb/947226.
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff!Audit Policy: Logon-Logoff: Other Logon/Logoff Events
(2) WMI: ###
|SCAP Repo OVAL Definition||oval:org.secpod.oval:def:22890|