RE: Security concern - How to read event viewer security line item
- From: S. Ahmed <SAhmed@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 1 Nov 2006 20:11:02 -0800
There are many services running under LOCAL SYSTEM. Can you be a little more
descriptive? What services am I looking for? Are you saying that these
logon logoff events are created by someone trying to get in?
"bass_player" wrote:
ANONYMOUS LOGON - check any services running under the System user account.
This service may be exploited; that's why you see a lot of entries in the
Event Viewer.
--
MCP MCDBA MCAD MCSD MCT MCTS:SQL Server 2005
"Helping people grow and develop their full potential as God has plan for
them"
"S. Ahmed" wrote:
Hi.
The following are a few of the thousands of items I see in Event Viewer under
Security. All these users are not in the office right now (it's 9:39pm right now)
and I am sure they are not trying to connect via RWW. And what about this
"ANONYMOUS LOGON"?
Thanks in advance
PS: How do you check if someone not authorized is trying to get in?
===============
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 11/1/2006
Time: 9:33:30 PM
User: EXPRESSMORTGAGE\SCarter
Computer: EMSSERVER
Description:
User Logoff:
User Name: SCarter
Domain: EXPRESSMORTGAGE
Logon ID: (0x0,0x1519E476)
Logon Type: 3
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
============================
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 11/1/2006
Time: 9:26:37 PM
User: EXPRESSMORTGAGE\FrontDesk$
Computer: EMSSERVER
Description:
Successful Network Logon:
User Name: FrontDesk$
Domain: EXPRESSMORTGAGE
Logon ID: (0x0,0x1517C4AB)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {8c473f76-6c21-2392-085e-a52a353e9957}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.16.12
Source Port: 0
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
=============================
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 11/1/2006
Time: 9:09:39 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: EMSSERVER
Description:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0x151113DC)
Logon Type: 3
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
==========================
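
An added example, not part of the thread: a small Python parser for entries pasted in the Event Viewer text layout quoted above, tallying them by account kind, event, logon type and source address so that thousands of entries collapse into a few rows to review. The sample text (domain, account names, address) is constructed; the meanings of event IDs 538 and 540 are taken from the entries' own descriptions, and a trailing `$` marking a computer account is the standard Windows naming convention.

```python
import re
from collections import Counter

# Constructed sample in the Event Viewer text layout quoted in this thread;
# the domain, account names and address are made up for the example.
SAMPLE = """\
Event ID: 540
Description:
Successful Network Logon:
User Name: FRONTPC$
Domain: EXAMPLE
Logon Type: 3
Source Network Address: 192.0.2.12
=====
Event ID: 538
Description:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon Type: 3
=====
"""

EVENT_IDS = {"538": "logoff", "540": "network logon"}  # as the entries describe themselves
LOGON_TYPES = {"2": "interactive", "3": "network", "5": "service", "10": "remote interactive"}

def parse_events(text):
    """Split on the ===== separator lines; return a dict of 'Field: value' pairs per entry."""
    events = []
    for chunk in re.split(r"(?m)^={3,}\s*$", text):
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if sep and value.strip():          # skip headings such as "Description:"
                fields.setdefault(key.strip(), value.strip())
        if "Event ID" in fields:
            events.append(fields)
    return events

def account_kind(ev):
    """Classify the account named in the entry's 'User Name' field."""
    name = ev.get("User Name", "")
    if name.upper() == "ANONYMOUS LOGON":
        return "anonymous"
    return "computer account" if name.endswith("$") else "user account"

def summarize(events):
    """Count entries per (account kind, event, logon type, source address)."""
    return Counter(
        (account_kind(ev), EVENT_IDS.get(ev["Event ID"], ev["Event ID"]),
         LOGON_TYPES.get(ev.get("Logon Type"), "?"), ev.get("Source Network Address", "-"))
        for ev in events)
```

Rows whose source address, account or time of day does not match a known workstation or user are the ones to look at individually.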