Deland-Han 2019-12-06 14:16:17 +08:00
parent 00130f2271
commit b97d876dae

@ -154,3 +154,69 @@ For 4716(S): Trusted domain information was modified.
- Any changes in Active Directory domain trust settings must be monitored and alerts should be triggered. If this change was not planned, investigate the reason for the change. - Any changes in Active Directory domain trust settings must be monitored and alerts should be triggered. If this change was not planned, investigate the reason for the change.
## Anonymous Logon
If the account reported in the event is **Anonymous Logon**, it means the password is changed by system automatic password reset. For example:
```
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: <time>
Event ID: 4716
Task Category: Authentication Policy Change
Level: Information
Keywords: Audit Success
User: N/A
Computer: <fqdn>
Description:
Trusted domain information was modified. //When trust gets reset, this event generates
Subject:
Security ID: ANONYMOUS LOGON //Confirms that anonymous logon account is reported when Automatic password reset for the trust is performed
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x3E6
```
After the event, one more event ID is generated:
```
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: <time>
Event ID: 4742
Task Category: Computer Account Management
Level: Information
Keywords: Audit Success
User: N/A
Computer: <fqdn>
Description:
A computer account was changed.
Subject:
Security ID: ANONYMOUS LOGON
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x3E6
Computer Account That Was Changed:
Security ID: CONTOSO\CONTOSOPEERTREE$ //OBJECT representing the TRUST object
Account Name: CONTOSOPEERTREE$
Account Domain: CONTOSO
Password Last Set: 10/9/2019 12:02:08 PM
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/1/2019 4:02:43 PM
Event ID: 4716
Task Category: Authentication Policy Change
Level: Information
Keywords: Audit Success
User: N/A
Computer: W-REDAD-P01.red.lhgroup.de
Description:
Trusted domain information was modified.
Subject:
Security ID: S-1-5-21-1313371058-2156521407-1595812000-1103 //Shows the respective domain Sid
Account Name: U806391a //Users who has modified the attribute.
Account Domain: RED
Logon ID: 0x16049916
```
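Review bot: The second 4716 sample at the end of the last code block (from `Date: 10/1/2019 4:02:43 PM` onward) carries what look like real environment values, `Computer: W-REDAD-P01.red.lhgroup.de`, `Security ID: S-1-5-21-1313371058-2156521407-1595812000-1103` and `Account Name: U806391a`, while the other samples use `<time>`, `<fqdn>` and CONTOSO; these should be replaced with placeholders before the page is published. That sample is also appended directly after the 4742 event inside the same fence with no sentence introducing it, so a reader cannot tell that it is a separate event, apparently meant as the contrast where a named user rather than ANONYMOUS LOGON made the change; it should get its own code block and a one-line lead-in. The `//` annotations are not part of the event output and would be clearer as prose outside the fences, "Users who has modified the attribute" should read "User who modified the attribute", and the opening sentence would read better as "the password was changed by the system's automatic password reset".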