4718 System security access was removed from an account

Logged when a system logon right is removed from an account. Paired with its grant counterpart, event 4717, it records how logon rights change over time.

Overview

The audit subcategory is Audit Authentication Policy Change. The event is generated when the local logon user-rights policy is changed and a logon right is removed from an account. If a right is removed from multiple accounts, one event is logged per account.

How it is triggered

  • A right such as network logon, allow Remote Desktop, or log on as a service is removed from an account.
  • The change is made through Local Security Policy or Group Policy.

Security review points

  • Removing a logon right needed for operations or defense can leave legitimate accounts or services unable to log on. Removing “Log on as a service” from a service account stops the service's resident processing.
  • An attacker may also remove rights to disrupt a particular account’s legitimate access or to alter configuration. Together with grant event 4717, track who removed which logon right.

Notes for log review

  • The event also occurs during legitimate rights reviews. Narrow alerts to important logon rights and target accounts.
  • Together with grant event 4717 and user-rights changes 4704/4705, treat it as a high-priority access-rights change.

Key fields

| Field | Meaning |
|---|---|
| Account Modified | The account the logon right was removed from |
| Access Removed | The type of logon right removed |
| Subject\Account Name | The account that made the change |
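
The log-review notes above, as an added example that is not part of the original page: Python that reads a constructed XML export of 4717/4718 events, alerts only when a watched logon right is removed from a watched account, and pairs each removal with the earlier grant so both acting accounts are visible. The watch lists, SIDs and account names are constructed assumptions; TargetSid, AccessRemoved/AccessGranted and SubjectUserName are the event-XML names of the key fields listed above.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumed watch lists for this example; tune both to the environment.
WATCHED_RIGHTS = {"SeNetworkLogonRight", "SeRemoteInteractiveLogonRight", "SeServiceLogonRight"}
SVC_SID = "S-1-5-21-1000-2000-3000-1105"  # constructed service-account SID
WATCHED_SIDS = {SVC_SID}

def parse(xml_text):
    """Yield (time, event_id, fields) for each 4717/4718 record in the export."""
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        eid = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        if eid in (4717, 4718):
            when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
            data = {d.get("Name"): d.text or "" for d in ev.iterfind("e:EventData/e:Data", NS)}
            yield when, eid, data

def review(xml_text):
    """Return (alerts, open_grants) from 4717/4718 events in time order."""
    alerts, open_grants = [], {}  # open_grants: (sid, right) -> (time, granting account)
    for when, eid, d in sorted(parse(xml_text), key=lambda r: r[0]):
        sid, actor = d["TargetSid"], d["SubjectUserName"]
        if eid == 4717:
            open_grants[(sid, d["AccessGranted"])] = (when, actor)
            continue
        right = d["AccessRemoved"]
        prior = open_grants.pop((sid, right), None)  # matching grant seen earlier, if any
        if right in WATCHED_RIGHTS and sid in WATCHED_SIDS:
            alerts.append({"time": when, "removed_by": actor, "account": sid,
                           "right": right, "granted_by": prior[1] if prior else None})
    return alerts, open_grants

def _event(eid, when, actor, sid, right):
    """Build one constructed event in the shape of an XML export (sample data only)."""
    name = "AccessGranted" if eid == 4717 else "AccessRemoved"
    return (f"<Event xmlns='{NS['e']}'><System><EventID>{eid}</EventID>"
            f"<TimeCreated SystemTime='{when}'/></System><EventData>"
            f"<Data Name='SubjectUserName'>{actor}</Data><Data Name='TargetSid'>{sid}</Data>"
            f"<Data Name='{name}'>{right}</Data></EventData></Event>")

SAMPLE = "<Events>" + "".join([
    _event(4717, "2024-01-01T09:00:00Z", "admin1", SVC_SID, "SeServiceLogonRight"),
    _event(4718, "2024-01-01T09:05:00Z", "admin2", SVC_SID, "SeServiceLogonRight"),
    _event(4718, "2024-01-01T09:06:00Z", "admin2", SVC_SID, "SeBatchLogonRight"),
    _event(4718, "2024-01-01T09:07:00Z", "admin2", "S-1-5-21-1000-2000-3000-1200", "SeNetworkLogonRight"),
]) + "</Events>"

if __name__ == "__main__":
    for alert in review(SAMPLE)[0]:
        print(alert)
```

A removal with granted_by set to None only means no matching 4717 fell inside the exported window, so the right was granted before the export begins.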