What is logon?

In simple terms, logon is the process of gaining access to a local or remote system using valid credentials. The user information is validated by the Local Security Authority (LSA).

<aside> ❗ LSA is an ecosystem, a concept. The associated operating-system-level process that we will see is called LSASS.exe.

</aside>

If successful, a logon session (in dashed pink) will be created with which an Access Token will be associated.

How many types of logon are there? / Overview of Windows Logon Types

  1. Used by the system when booting.
  2. Interactive logon can be performed by entering a password or a PIN, using a smart card, or using biometric recognition with Windows Hello.
  3. Occurs when we access a network share or when we use PowerShell Remoting (WinRM) or WMI.
  4. Typically used in the context of Windows scheduled tasks.
  5. Similar to "Batch", but related exclusively to services (e.g. SQL Server, IIS).
  6. THE DEFINITION IS NOWHERE TO BE FOUND!
  7. When you are working on a machine, lock it temporarily for a coffee and come back after some time, the logon type Unlock is generated.
  8. When third-party software is used and we enter credentials in plaintext, they are then encrypted using an authentication package.

  1. When I am logged on to a machine with an interactive session and I run the runas command with another user's credentials, a new interactive session is opened for that different user as soon as the credentials pass the validation stage.

    However, when the runas command is run with the /netonly parameter, a new logon session is created, but the identity used to access local resources remains the same (prod\user1 in the example). To access remote resources, the user specified in the runas command is used instead: in the example, a dir of C$ on the Domain Controller works because, for remote resources, we are for all intents and purposes the Administrator user.

  2. Classic RDP
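
To make the difference between plain runas and runas /netonly visible in logs, the following added example (not part of the original page) classifies Security event 4624 records by logon type and, for NewCredentials sessions, reports the local identity next to the network identity. The events are constructed samples reusing the page's accounts; the function names `make_event` and `classify` are hypothetical, and the numeric logon type values and field names are assumed to follow the standard 4624 event schema.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Standard Windows logon type values (assumption: not listed as numbers on the page).
LOGON_TYPES = {0: "System", 2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               6: "Proxy", 7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive"}

def make_event(logon_type, user, process, out_user="-", domain="PROD"):
    """Build a constructed, trimmed Security event 4624 in Event Viewer XML form."""
    fields = {"TargetUserName": user, "TargetDomainName": domain,
              "LogonType": logon_type, "LogonProcessName": process,
              "TargetOutboundUserName": out_user,
              "TargetOutboundDomainName": domain if out_user != "-" else "-"}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4624</EventID></System>'
            f'<EventData>{data}</EventData></Event>')

# Constructed sample events that reuse the page's example accounts.
SAMPLE_EVENTS = [
    make_event(2, "user1", "User32 "),                    # console logon
    make_event(2, "Administrator", "seclogo"),            # runas
    make_event(9, "user1", "seclogo", "Administrator"),   # runas /netonly
    make_event(10, "user1", "User32 "),                   # RDP
]

def classify(event_xml):
    """Return logon type, local identity and, for type 9, the network identity."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
        return None  # not a successful-logon event
    d = {n.get("Name"): (n.text or "").strip()
         for n in root.iterfind("e:EventData/e:Data", NS)}
    ltype = int(d["LogonType"])
    out = {"type": ltype, "name": LOGON_TYPES.get(ltype, "Unknown"),
           "local": f'{d["TargetDomainName"]}\\{d["TargetUserName"]}',
           "network": None, "note": ""}
    if ltype == 9:
        # /netonly: local identity is unchanged, remote access uses other credentials.
        out["network"] = f'{d["TargetOutboundDomainName"]}\\{d["TargetOutboundUserName"]}'
        out["note"] = "runas /netonly style session: review who holds the network credentials"
    elif ltype == 2 and d["LogonProcessName"].lower() == "seclogo":
        out["note"] = "interactive session opened through runas (Secondary Logon)"
    return out

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify(ev))
```

Logon type 9 is not produced only by runas /netonly, so a hit is a prompt to check which process requested the session rather than a verdict.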