RE: Can't get rid of success audits in security portion of event viewer!
- From: v-branee@xxxxxxxxxxxxxxxxxxxx ("Brandy Nee [MSFT]")
- Date: Wed, 01 Mar 2006 03:00:06 GMT
Hello Russ,
Thank you for posting to the SBS Newsgroup.
I understand that you want to disable the success Security Auditing on the
SBS 2K3 Server. if I have misunderstood your concern, please let me know.
SBS 2003 creates a GPO on the Domain Controllers container named Small
Business Server Auditing Policy. Logon Events are audited for Success and
Failure by default. These events can be stopped by turning off Success
logon auditing, although it is not recommended.
Regarding the periodically (50 mins) appearing security event, I suggest
that you copy and paste one here so I can check whether it is normal or
not. To do so:
On the server, run "eventvwr" (without quotation marks), double click check
the success audit event. Click the Copy button and paste the full content
to the Newsgroup. Please do not edit or delete any result.
If you do not want to see such success logon event, you can disable it by
performing following steps (this is not recommended):
NOTE: Please do not performance the steps below before we make sure the
logon security events are normal and can be safely ignored.
1. Click Start->Administrative Tools->Group Policy Management.
2. Expand Forests, Domains, Domain Name and "Domain Controllers".
3. Right click on Small Business Server Auditing Policy and choose Edit.
4. Expand Computer Configuration, Windows Settings, Security Settings,
Local Policies, and Audit Policy.
5. Double click the "Audit account logon events" and "Audit logon events",
and clear the Success check box, so you will configure these polices to log
only failure events.
6. Open a command prompt, run the following command to get the policies
re-applied:
gpupdate /force
For your information:
Securing Your Windows Small Business Server 2003 Network
http://www.microsoft.com/downloads/details.aspx?familyid=f62b2722-267c-4642-
b287-c31115ef10a4&displaylang=en
Account Passwords and Policies
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/
security/bpactlck.mspx
Threats and Countermeasures: Security Settings in Windows Server 2003 and
Windows XP
http://www.microsoft.com/downloads/details.aspx?FamilyId=1B6ACF93-147A-4481-
9346-F93A4081EEA8&displaylang=en
Hope it helps. If you have any further questions or concerns on this issue,
please feel free to let me know. I am looking forward to hearing from you!
Best regards,
Brandy Nee
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
From: "Russ White" <rwhite04@xxxxxxxxxxxx>viewer!
Subject: Can't get rid of success audits in security portion of event
Date: Tue, 28 Feb 2006 13:19:17 -0500Audit
Lines: 18
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-RFC2646: Format=Flowed; Original
Message-ID: <uTVs3NJPGHA.516@xxxxxxxxxxxxxxxxxxxx>
Newsgroups: microsoft.public.windows.server.sbs
NNTP-Posting-Host: rrcs-24-97-237-26.nys.biz.rr.com 24.97.237.26
Path: TK2MSFTNGXA03.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP15.phx.gbl
Xref: TK2MSFTNGXA03.phx.gbl microsoft.public.windows.server.sbs:248181
X-Tomcat-NG: microsoft.public.windows.server.sbs
TIA for help.
SBS2003.
My security event viewer is stuffed w/ success audits -- about 50 a minute.
I want to stop auditing success events.
I have gone to "Domain Controller Security Policy" >> Local Policy >>
Policy >> and set all settings to 'failure' (only)may
and I've gone to "Domain Security Policy" and done the same thing.
A couple days later I looked again (wanted to make sure GP had chance to
update) and the success audits are still being logged. Any idea what I
be missing?
.
- Follow-Ups:
- Prev by Date: RE: CEICW KEEPS GIVING ERRORS
- Next by Date: Re: Client Network settings
- Previous by thread: RE: CEICW KEEPS GIVING ERRORS
- Next by thread: Re: Can't get rid of success audits in security portion of event viewer!
- Index(es):
