Security audit failures - any idea why?

From: Eugene Tan (insights-[dropthis)
Date: 04/05/04


Date: Mon, 5 Apr 2004 13:15:12 +0800

hi,

Some of my customers with SBS2k have these security audit failures in the
EventLog. Many have audit success msgs, but some have failures as per
Log below. The setups are similar, with a mix of Win2k and WinXP with
most PCs being win2k.

I've applied that patch for winXP in a SBS2k network, but it didn't make
any diff in these msgs. However, the patch did appear to alleviate the
symptom of taking 10 secs or longer to save a simple Word doc file.

On this SBS2k concerned, I've disabled Sign comms when possible/always
both, but secure comms part of Security policies is unchanged, and this was
done in Domain and Domain controller policies.

TIA,
Eugene Tan
-
Log extract from 1st Apr onwards follows:
-
Event Type: Success Audit
Event Source: Security
Event Category: Policy Change
Event ID: 617
Date: 1/4/04
Time: 7:53:26 AM
User: NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
Kerberos Policy Changed:
 Changed By:
  User Name: SERVER$
  Domain Name: FTK
  Logon ID: (0x0,0x3E7)
 Changes made:
 ('--' means no changes, otherwise each change is shown as:
 <ParameterName>: <new value> (<old value>))
 KerLogoff: 0x764920b20062f88c (0x764920b2005af88c);
 ---
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 677
Date: 1/4/04
Time: 5:52:40 PM
User: NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
Service Ticket Request Failed:
  User Name: SERVER$
  User Domain: FTK.LOCAL
  Service Name: krbtgt/FTK.LOCAL
  Ticket Options: 0x2
  Failure Code: 0x20
  Client Address: 127.0.0.1
 ---
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 677
Date: 1/4/04
Time: 6:07:15 PM
User: NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
Service Ticket Request Failed:
  User Name: PC4$
  User Domain: FTK.LOCAL
  Service Name: krbtgt/FTK.LOCAL
  Ticket Options: 0x2
  Failure Code: 0x20
  Client Address: 192.168.16.121
 ---
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 677
Date: 1/4/04
Time: 6:07:15 PM
User: NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
Service Ticket Request Failed:
  User Name: PC4$
  User Domain: FTK.LOCAL
  Service Name: krbtgt/FTK.LOCAL
  Ticket Options: 0x2
  Failure Code: 0x20
  Client Address: 192.168.16.121
 ---
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date: 1/4/04
Time: 6:17:58 PM
User: NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
Logon Failure:
  Reason: An unexpected error occurred during logon
  User Name:
  Domain:
  Logon Type: 3
  Logon Process: Kerberos
  Authentication Package: Kerberos
  Workstation Name: -

---
Event Type: Success Audit
Event Source: Security
Event Category: Policy Change
Event ID: 617
Date:  2/4/04
Time:  8:12:00 AM
User:  NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
Kerberos Policy Changed:
 Changed By:
  User Name: SERVER$
  Domain Name: FTK
  Logon ID: (0x0,0x3E7)
 Changes made:
 ('--' means no changes, otherwise each change is shown as:
 <ParameterName>: <new value> (<old value>))
 KerLogoff: 0x764920b20152f88c (0x764920b20062f88c);
 ---
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 677
Date:  2/4/04
Time:  8:16:09 AM
User:  NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
Service Ticket Request Failed:
  User Name:
  User Domain:
  Service Name: krbtgt/FTK.LOCAL
  Ticket Options: 0x2
  Failure Code: 0x20
  Client Address: 192.168.16.20
 ----
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date:  2/4/04
Time:  9:48:05 AM
User:  NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
Pre-authentication failed:
  User Name:  joyce
  User ID:  FTK\joyce
  Service Name:  krbtgt/FTK
  Pre-Authentication Type: 0x2
  Failure Code:  0x18
  Client Address:  192.168.16.10
 ---
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date:  2/4/04
Time:  1:56:03 PM
User:  NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
Pre-authentication failed:
  User Name:  Tsc
  User ID:  FTK\Tsc
  Service Name:  krbtgt/FTK
  Pre-Authentication Type: 0x2
  Failure Code:  0x18
  Client Address:  192.168.16.229
 ---
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date:  2/4/04
Time:  1:56:10 PM
User:  NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
Pre-authentication failed:
  User Name:  Tsc
  User ID:  FTK\Tsc
  Service Name:  krbtgt/FTK
  Pre-Authentication Type: 0x2
  Failure Code:  0x18
  Client Address:  192.168.16.229
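
An added example, not part of the original post: a small parser for the log-extract layout above that groups the Failure Audit entries by event ID, account and client address, and decodes the two failure codes that appear (0x18 and 0x20) using the Kerberos error names from RFC 4120. The sample text is constructed by abridging three entries from the post; the function names are this example's own.

```python
import re
from collections import Counter

# Kerberos error codes (RFC 4120, section 7.5.9); only the two seen in the post.
KRB_ERRORS = {0x18: "KDC_ERR_PREAUTH_FAILED", 0x20: "KRB_AP_ERR_TKT_EXPIRED"}

# Constructed sample: three entries abridged from the posted extract.
SAMPLE = """\
Event Type: Failure Audit
Event ID: 677
  User Name: PC4$
  Failure Code: 0x20
  Client Address: 192.168.16.121
 ---
Event Type: Failure Audit
Event ID: 677
  User Name:
  Failure Code: 0x20
  Client Address: 192.168.16.20
 ----
Event Type: Failure Audit
Event ID: 675
  User Name:  joyce
  Failure Code:  0x18
  Client Address:  192.168.16.10
"""

def parse_events(text):
    """Split on dash-only separator lines; return one field dict per event."""
    events = []
    for chunk in re.split(r"(?m)^[ \t]*-{3,}[ \t]*$", text):
        fields = {}
        for line in chunk.splitlines():
            # Split at the first colon only, so "Time: 7:53:26 AM" stays whole.
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "Event ID" in fields:
            events.append(fields)
    return events

def summarize_failures(events):
    """Count failure audits by (event id, account, client, decoded code)."""
    counts = Counter()
    for ev in events:
        if ev.get("Event Type") == "Failure Audit" and "Failure Code" in ev:
            code = int(ev["Failure Code"], 16)
            counts[(ev["Event ID"], ev.get("User Name") or "(blank)",
                    ev.get("Client Address", "-"),
                    KRB_ERRORS.get(code, hex(code)))] += 1
    return counts
```

Entries without a Failure Code field, such as the event 537 logon failure and the event 617 policy changes, are skipped by `summarize_failures`; codes outside the table are reported as raw hex.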

