Why don’t I see the workstation name in logon events?

Top reasons:

1. In NTLM logons, the workstation name is subject to spoofing. There exist hacking tools which improperly populate the workstation field of the logon request. I don't know if this is intentional or not.

2. There is no way to carry this information in LDAP requests; AD logon events will never have the workstation name.

3. As discussed in a previous post about account logon events, there's not a standard way for us to carry this information in a Kerberos ticket request.  There's no place for us to put it in the Kerberos ticket without breaking compatibility.

4. Reverse lookup (DNS or NetBIOS) is unreliable and insecure, and not configured in many locations.
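
As an added example (not part of the original post), here is one way a log reviewer can act on reason 1: treat the NTLM workstation field as a claim made by the client and check it for consistency against the source address. The record layout, field names and sample events are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample logon records; "-" or "" stands for an empty workstation field.
EVENTS = [
    {"user": "alice", "pkg": "NTLM", "workstation": "WKS-ALICE", "ip": "10.0.0.21"},
    {"user": "bob", "pkg": "NTLM", "workstation": "WKS-BOB", "ip": "10.0.0.22"},
    {"user": "alice", "pkg": "Kerberos", "workstation": "-", "ip": "10.0.0.21"},
    {"user": "svc", "pkg": "NTLM", "workstation": "WKS-ALICE", "ip": "10.0.0.99"},
    {"user": "carol", "pkg": "NTLM", "workstation": "", "ip": "10.0.0.99"},
    {"user": "dave", "pkg": "NTLM", "workstation": "FILESRV01", "ip": "10.0.0.99"},
]

def _name(ev):
    """Normalise the client-supplied workstation field; None when empty."""
    name = (ev.get("workstation") or "").strip().upper()
    return None if name in ("", "-") else name

def review_ntlm_workstations(events):
    """Return findings for NTLM logons whose workstation field looks inconsistent.

    The name is only what the client sent; the source IP is the pivot.
    """
    ips_by_name = defaultdict(set)
    names_by_ip = defaultdict(set)
    findings = []
    for ev in events:
        if ev["pkg"].upper() != "NTLM":
            continue  # per the list above, other logon paths do not carry the name
        name = _name(ev)
        if name is None:
            findings.append(("missing_name", ev["ip"], ev["user"]))
            continue
        ips_by_name[name].add(ev["ip"])
        names_by_ip[ev["ip"]].add(name)
    # One workstation name arriving from several addresses.
    for name, ips in sorted(ips_by_name.items()):
        if len(ips) > 1:
            findings.append(("name_from_multiple_ips", name, sorted(ips)))
    # One address presenting several workstation names.
    for ip, names in sorted(names_by_ip.items()):
        if len(names) > 1:
            findings.append(("ip_claims_multiple_names", ip, sorted(names)))
    return findings

if __name__ == "__main__":
    for finding in review_ntlm_workstations(EVENTS):
        print(finding)
```

Shared source addresses (NAT, terminal servers) and DHCP lease changes produce the same patterns, so the findings are leads for review rather than proof of spoofing.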


