Re: obscure logon events?
- From: "John Alborn" <roberta3002@xxxxxxxxx>
- Date: Fri, 5 Aug 2005 01:51:22 +0300
Hello Brandy,
Thanks for the links. These don't explain the reason for these event entries.
From the event log:
Logon event: 540 A user successfully logged on to a network.
Logon Type 3 means accessing system via Network.
Both events aren't true. No person logged on, nor a PC. There isn't even such
an account on any local PC.
Most likely these are generated by some SBS2003 regular service checking
existence of accounts or similar.
I'm worried if these may be a security risk?
Also these regular event entries make it veeery troublesome to find the
"real" log on entries, which might be of first interest.
(as 99% are not "real" log on entries)
Tia,
John
""Brandy Nee [MSFT]"" <v-branee@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:$BO%23QFMmFHA.3672@xxxxxxxxxxxxxxxxxxxxxxxx
> Hello John,
>
> Thank you for posting to the SBS Newsgroup.
>
> I understand that on the SBS 2K3 Premium edition server, you notice that
> there are many Logon Type 3 events in the Event Viewer. You want to know
> which user logs on the server remotely. If I have misunderstood your
> concern, please let me know.
>
> Please see my following information:
>
> 1> Logon Type 3 means accessing system via Network. Please see the comments
> in the following KB article:
>
> Auditing User Authentication
> http://support.microsoft.com/?id=174073
>
> Event Message:
>
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/w2kmsgs/5459.asp
>
> 2> Logon Type 10 means that User logged on to the computer remotely using
> Terminal Services or Remote Desktop. Please see:
>
> Audit logon events
>
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/e104c96f-e243-41c5-aaea-d046555a079d.mspx
>
> 3> When a client logs on to the server remotely, the Source Network Address
> shows the SBS server IP address as expected. If a client logs on to the local
> client workstation, then the Source Network Address will show the client
> workstation IP address.
>
> So the conclusion is: You can safely ignore this event log and it should be
> harmless to the system.
>
> Hope this information helps. If anything is unclear, please let me know. I
> am looking forward to hearing from you!
>
> Best regards,
>
> Brandy Nee
>
> Microsoft CSS Online Newsgroup Support
>
> --------------------
> >From: "John Alborn" <roberta3002@xxxxxxxxx>
> >Subject: obscure logon events?
> >Date: Wed, 3 Aug 2005 21:50:13 +0300
> >
> >Hello,
> >
> >SBS2003 Premium.
> >
> >While trying to figure out if one user has been logged in remotely (through
> >remote desktop)
> >I noticed that security event log has entries for this user almost every 3-4
> >hours ...
> >According to logon type : Logon Type: 3
> >it looks like from network. In fact IP is of the same PC where SBS 2003
> >runs.
> >What's the meaning of such an entry?
> >Is it normal?
> >How can I check easily if some user has been using remote connection?
> >
> >Tia
> >John
> >
> >
> >Event log entry:
> >
> >Event Type: Success Audit
> >Event Source: Security
> >Event Category: Logon/Logoff
> >Event ID: 540
> >Date: 03.08.2005
> >Time: 02:42:54
> >User: RIO\romsete
> >Computer: Rogxxxx-8U9TE9M
> >Description: Successful Network Logon:
> > User Name: romsete
> > Domain: RIO
> > Logon ID: (0x0,0x86E390)
> > Logon Type: 3
> > Logon Process: Kerberos
> > Authentication Package: Kerberos
> > Workstation Name:
> > Logon GUID: {1cbe0079-3403-87b2-af21-38b3290198d9}
> > Caller User Name: -
> > Caller Domain: -
> > Caller Logon ID: -
> > Caller Process ID: -
> > Transited Services: -
> > Source Network Address: 192.168.21.161
> > Source Port: 0
> >
> >
> >For more information, see Help and Support Center at
> >http://go.microsoft.com/fwlink/events.asp.
> >
> >
> >
> >
>
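An added example, not part of the original posts: one way to pull Logon Type 10 (Remote Desktop) records out of a text export of the Security log and set aside the recurring Logon Type 3 entries whose source address is the server itself. The field layout follows the entry quoted above; the sample records (including the event 528 record), the user name `exampleuser`, the extra IP addresses and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in the text layout of the entry quoted above (values are made up).
SAMPLE = """\
Event Type: Success Audit
Event ID: 540
Time: 02:42:54
 User Name: exampleuser
 Logon Type: 3
 Source Network Address: 192.168.21.161
Event Type: Success Audit
Event ID: 540
Time: 09:15:02
 User Name: exampleuser
 Logon Type: 3
 Source Network Address: 192.168.21.50
Event Type: Success Audit
Event ID: 528
Time: 22:07:31
 User Name: exampleuser
 Logon Type: 10
 Source Network Address: 192.168.21.77
"""

def parse_events(text):
    """Split exported event text into one dict of fields per record."""
    events = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep and key.strip() == "Event Type":  # each record starts with this field
            events.append({})
        if sep and events:
            events[-1][key.strip()] = value.strip()
    return events

def triage(text, server_ip):
    """Bucket logons so Remote Desktop sessions stand out from type 3 entries."""
    buckets = defaultdict(list)
    for ev in parse_events(text):
        kind, src = ev.get("Logon Type"), ev.get("Source Network Address")
        if kind == "10":
            label = "remote-desktop"
        elif kind == "3":
            label = "network-self" if src == server_ip else "network-other"
        else:
            label = "other"
        buckets[label].append((ev.get("Time"), ev.get("User Name"), src))
    return dict(buckets)
```

Calling `triage(SAMPLE, "192.168.21.161")` with the server's own address returns the Remote Desktop logons under `"remote-desktop"`, separate from the network logons that originate on the server.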