4717 System security access was granted to an account
Logged when a logon right to the system (network logon, Remote Desktop logon, and so on) is granted to an account. It is a change that adds an access path, and is therefore relevant to an attacker establishing a foothold.
Overview
This event belongs to the Audit Authentication Policy Change subcategory. It is generated when the local logon user-rights policy is changed so that a logon right is granted to an account. If the right is granted to multiple accounts, one event is logged per account.
How it is triggered
- When a logon right such as “Access this computer from the network” (SeNetworkLogonRight), “Allow log on through Remote Desktop Services” (SeRemoteInteractiveLogonRight), or “Log on as a service” is granted.
- When the change is made via Local Security Policy or Group Policy.
Security review points
- An attacker may grant remote-logon or network-logon rights to an account they control in order to secure an access path. Investigate any logon-right grant to an unexpected account.
- If a “Deny logon” right is loosened, a previously blocked path opens, so note that as well. Together with the removal event 4718, track how logon rights evolve over time.
Notes for log review
- Logon rights are also granted legitimately during server build-out and operational changes. Compare each grant against the normal pattern for that logon-right type and target account.
- Monitor at high priority, especially remote-logon grants to high-privilege accounts or on sensitive servers. The content of this event can overlap with the user-right assignment event 4704.
Key fields
| Field | Meaning |
|---|---|
| Account Modified | The account granted the logon right |
| Access Granted | The type of logon right granted |
| Subject\Account Name | The account that made the change |
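The review points above (remote-logon grants to unexpected accounts, matching against a normal baseline) can be applied mechanically to exported 4717 records. The following is an added example, not code from the original page: it parses the key fields out of the event's XML rendering and rates each grant. The baseline, the SID-to-name map, and the sample records are constructed assumptions; the `Data Name` values follow the event's XML layout, where the modified account appears as `TargetSid` and the right as `AccessGranted`.

```python
import xml.etree.ElementTree as ET
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Rights that open a remote or network access path (values seen in "Access Granted").
REMOTE_ACCESS_RIGHTS = {"SeNetworkLogonRight", "SeRemoteInteractiveLogonRight"}
# Constructed baseline of which accounts normally receive each right on this host.
BASELINE = {"SeNetworkLogonRight": {"CONTOSO\\svc-backup"},
            "SeRemoteInteractiveLogonRight": {"CONTOSO\\Server-Admins"}}
SID_NAMES = {"S-1-5-21-1-1-1-1105": "CONTOSO\\svc-backup",   # constructed SID-to-name map;
             "S-1-5-21-1-1-1-1106": "CONTOSO\\helpdesk-tmp"}  # resolve TargetSid in practice

def parse_4717(xml_text):
    """Pull the key fields of a 4717 event out of its XML rendering."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "event_id": int(root.findtext("e:System/e:EventID", namespaces=NS)),
        "subject": f"{data['SubjectDomainName']}\\{data['SubjectUserName']}",  # who changed it
        "target": SID_NAMES.get(data["TargetSid"], data["TargetSid"]),      # Account Modified
        "right": data["AccessGranted"],                                      # Access Granted
    }

def triage(event):
    """Severity for one parsed event: high = remote path granted to an unexpected account."""
    if event["event_id"] != 4717:
        return None
    if event["target"] in BASELINE.get(event["right"], set()):
        return "info"  # matches the normal pattern for that right and account
    return "high" if event["right"] in REMOTE_ACCESS_RIGHTS else "medium"

def sample_event(subject, target_sid, right):
    """Constructed 4717 record in the Windows event XML layout (sample input, not real)."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4717</EventID></System><EventData>'
            f'<Data Name="SubjectUserName">{subject}</Data>'
            f'<Data Name="SubjectDomainName">CONTOSO</Data>'
            f'<Data Name="TargetSid">{target_sid}</Data>'
            f'<Data Name="AccessGranted">{right}</Data></EventData></Event>')

# Two constructed records: a routine build-time grant and a suspicious RDP grant.
SAMPLE_LOG = [sample_event("builder", "S-1-5-21-1-1-1-1105", "SeNetworkLogonRight"),
              sample_event("helpdesk", "S-1-5-21-1-1-1-1106", "SeRemoteInteractiveLogonRight")]

def review(records):
    """Return (subject, target, right, severity) for each record that needs attention."""
    hits = []
    for ev in map(parse_4717, records):
        sev = triage(ev)
        if sev not in (None, "info"):
            hits.append((ev["subject"], ev["target"], ev["right"], sev))
    return hits
```

Pairing the output with 4718 removals for the same account shows whether a grant was later reverted or is still open.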