Security concern - How to read event viewer security line items ?

From: S. Ahmed <SAhmed@xxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 1 Nov 2006 18:47:02 -0800

hi.

The following are few of thousand of items i see in event viewer under
security. All these users are not in office right now (its 9:39pm right now)
and I am sure they are not trying to connect via RWW. and what about this
"ANONYMOUS LOGON" ?

Thanks in Advance
PS: how do you check if someone not authorized is trying to get in ?
===============

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 11/1/2006
Time: 9:33:30 PM
User: EXPRESSMORTGAGE\SCarter
Computer: EMSSERVER
Description:
User Logoff:
User Name: SCarter
Domain: EXPRESSMORTGAGE
Logon ID: (0x0,0x1519E476)
Logon Type: 3

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
============================
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 11/1/2006
Time: 9:26:37 PM
User: EXPRESSMORTGAGE\FrontDesk$
Computer: EMSSERVER
Description:
Successful Network Logon:
User Name: FrontDesk$
Domain: EXPRESSMORTGAGE
Logon ID: (0x0,0x1517C4AB)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {8c473f76-6c21-2392-085e-a52a353e9957}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.16.12
Source Port: 0

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
=============================
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 11/1/2006
Time: 9:09:39 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: EMSSERVER
Description:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0x151113DC)
Logon Type: 3

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
==========================

.

Follow-Ups:
- RE: Security concern - How to read event viewer security line items ?
  - From: bass_player
- RE: Security concern - How to read event viewer security line items ?
  - From: S. Ahmed

Prev by Date: Re: Promotional Software
Next by Date: Re: Exchange forward to Hotmail not working?
Previous by thread: Re: Promotional Software
Next by thread: RE: Security concern - How to read event viewer security line items ?
Index(es):
- Date
- Thread

Relevant Pages

RE: Security concern - How to read event viewer security line item
... This also applies to Windows Server 2003/SBS 2003 ... User Logoff: ... see Help and Support Center at ... Successful Network Logon: ...
(microsoft.public.windows.server.sbs)
Two problems, not sure if they are related...
... Successful Network Logon: ... see Help and Support Center at ... User Logoff: ... duplicate events are doing every 12 minutes please??? ...
(microsoft.public.windows.server.sbs)
Event ID 538 540 and 576
... I have been getting the events posted below in the security log. ... see Help and Support Center at ... Successful Network Logon: ... I changed the server and domain names in the events, ...
(microsoft.public.windows.server.sbs)
RE: Security concern - How to read event viewer security line items ?
... There are 207,680 security events of ... User Logoff: ... see Help and Support Center at ... Successful Network Logon: ...
(microsoft.public.windows.server.sbs)
FW: {RTCProd#003-520-317}Windows Update Support Request
... support policy for Windows NT 4.0 Workstation SP6a. ... The Microsoft Support Lifecycle defines the support policies for all ... This means that after this date, Microsoft would no longer create ... security fixes for this platform, nor automatically post to WU, etc. ...
(NT-Bugtraq)