RE: Security audit & Domain Controller security
- From: v-crinal@xxxxxxxxxxxxxxxxxxxx (Crina Li (MSFT))
- Date: Mon, 08 Aug 2005 07:42:56 GMT
Hi Dan,
Thanks for your update!
In SBS 2003, the full security audit is enabled by default so that you are
able to monitor the server and network access events if needed. It's normal
that many logon/logoff events are logged because one logon/logoff procedure
can generate several events. The logon/logoff procedures are always
performed by service startup/shutdown, shared file accessing, network
accessing, users' logon/logoff etc. Event 540 indicates a successful
logon; event 538 indicates a successful logoff and event 576 indicates a
successful special privilege assignment. You may safely ignore these events.
In addition, if you do want to stop these events, you can turn off Success
logon auditing, although it is not recommended. To do so:
1. Click Start, click Run, type "gpmc.msc" and click OK.
2. Expand Domains -> your domain -> Domain Controllers.
3. Right-click Small Business Server Auditing Policy and click Edit.
4. Expand Computer Configuration -> Windows Settings -> Security Settings
-> Local Policies -> Audit Policy.
5. In the right pane, double-click Audit logon events and clear the Success
check box. Click OK.
6. Run "gpupdate /force".
For more detailed information regarding these events, please refer to the
following:
http://www.eventid.net/display.asp?eventid=680&source=security
http://www.eventid.net/display.asp?eventid=540&source=security
http://www.eventid.net/display.asp?eventid=538%2C&source=security
http://www.eventid.net/display.asp?eventid=576&source=security
822774 System Performance Decreases, and Many Event ID 576 Entries Are
Logged
http://support.microsoft.com/?id=822774
Regarding whether the server is used as an open relay, you may check it by
referring to the following KB articles:
260973 Setting up SMTP domains for inbound and relay e-mail in Exchange 2000
http://support.microsoft.com/?id=260973
895853 How to troubleshoot mail relay issues in Exchange Server 2003 and in
http://support.microsoft.com/?id=895853
310380 How To Prevent Exchange 2000 from Being Used as a Mail Relay in
Windows
http://support.microsoft.com/?id=310380
For more information on logon type, refer to the document below:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/win32_logonsession.asp
More information:
Securing Your Windows Small Business Server 2003 Network
http://www.microsoft.com/downloads/details.aspx?familyid=f62b2722-267c-4642-b287-c31115ef10a4&displaylang=en
Account Passwords and Policies
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
Threats and Countermeasures: Security Settings in Windows Server 2003 and
Windows XP
http://www.microsoft.com/downloads/details.aspx?FamilyId=1B6ACF93-147A-4481-9346-F93A4081EEA8&displaylang=en
I hope the above information helps. If you have any questions or concerns,
please do not hesitate to let me know.
Thanks for your time and I look forward to your reply.
Best regards,
Crina Li (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Thread-Topic: Security audit & Domain Controller security
| From: Dan Shallbetter <DanShallbetter@xxxxxxxxxxxxxxxxxxxxxxxxx>
| Subject: RE: Security audit & Domain Controller security
| Date: Fri, 5 Aug 2005 05:58:24 -0700
| Newsgroups: microsoft.public.windows.server.sbs
|
| Hello
|
| I currently have 164,000 events in my security folder. The time frame is
| covering the last 2 days. The event IDs are mostly 680, 540, 538, 576. They
| are all success audit types. They seem to happen at differing time intervals
| for different users. SBS2003 premium, 20 users. I have not applied SP1 yet.
| Would this be an indication of my server being used as an open relay?
|
| Thank You,
|
| Dan
|
|
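An added example, not part of the original post or of any Microsoft tool: the reply notes that one logon/logoff procedure can generate several events, and this Python sketch collapses 540/538/576 records that share a Logon ID into sessions so the volume can be read per account. The record layout, the account names and the field labels in the descriptions are constructed assumptions to check against your own log export.

```python
import re
from collections import Counter

# Constructed sample records (event ID, description text); not from the thread.
# Descriptions are simplified and their field labels are assumptions.
SAMPLE = [
    (576, "Special privileges assigned to new logon: User Name: alice Logon ID: (0x0,0x1A2B)"),
    (540, "Successful Network Logon: User Name: alice Logon ID: (0x0,0x1A2B) Logon Type: 3"),
    (538, "User Logoff: User Name: alice Logon ID: (0x0,0x1A2B) Logon Type: 3"),
    (576, "Special privileges assigned to new logon: User Name: SERVER$ Logon ID: (0x0,0x2C3D)"),
    (540, "Successful Network Logon: User Name: SERVER$ Logon ID: (0x0,0x2C3D) Logon Type: 3"),
    (538, "User Logoff: User Name: SERVER$ Logon ID: (0x0,0x2C3D) Logon Type: 3"),
    (576, "Special privileges assigned to new logon: User Name: alice Logon ID: (0x0,0x3E4F)"),
    (540, "Successful Network Logon: User Name: alice Logon ID: (0x0,0x3E4F) Logon Type: 3"),
    (680, "Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: alice"),
]

SESSION_EVENTS = {540, 538, 576}
FIELD = re.compile(r"(User Name|Logon ID|Logon Type):\s*(\S+)")

def group_sessions(records):
    """Collapse 540/538/576 records that share a Logon ID into one session each."""
    sessions, other = {}, Counter()
    for event_id, description in records:
        fields = dict(FIELD.findall(description))
        logon_id = fields.get("Logon ID")
        if event_id not in SESSION_EVENTS or logon_id is None:
            other[event_id] += 1  # e.g. the 680 record in the sample (no Logon ID field)
            continue
        s = sessions.setdefault(logon_id, {"user": None, "type": None, "events": []})
        s["events"].append(event_id)
        s["user"] = s["user"] or fields.get("User Name")
        s["type"] = s["type"] or fields.get("Logon Type")
    return sessions, other

def summarize(records):
    """Return event and session totals, sessions per account, and sessions with no 538."""
    sessions, other = group_sessions(records)
    return {
        "events": sum(len(s["events"]) for s in sessions.values()),
        "sessions": len(sessions),
        "per_user": Counter(s["user"] for s in sessions.values()),
        "no_logoff": sorted(k for k, s in sessions.items() if 538 not in s["events"]),
        "other": dict(other),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Logon IDs are only unique between restarts, so group one boot period at a time when running this over a longer export.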