Re: Security Logon/Logoff Events
- From: v-terliu@xxxxxxxxxxxxxxxxxxxx (Terence Liu [MSFT])
- Date: Fri, 12 Jan 2007 11:46:24 GMT
Hello Jon,
Thank you for your kind update.
Yes, there are many security event logs of 540, 538, 576. However, I did
not find any related application error or system error, so you can safely
ignore these events.
In SBS 2003, the full security audit is enabled by default so that you are
able to monitor the server and network access events if needed. It's normal
that many logon/logoff events are logged because one logon/logoff procedure
can generate several events. The logon/logoff procedures are always
performed by service startup/shutdown, shared file accessing, network
accessing, users' logon/logoff etc. Event 540 indicates a successful logon;
event 538 indicates a successful logoff and event 576 indicates a
successful special privilege assignment. You may safely ignore these events.
If you do want to stop these events, you can turn off Success logon
auditing, although it is not recommended. To do so:
1. Click Start, click Run, type "gpmc.msc" and click OK.
2. Expand Domains -> your domain -> Domain Controllers.
3. Right-click Small Business Server Auditing Policy and click Edit.
4. Expand Computer Configuration -> Windows Settings -> Security Settings
-> Local Policies -> Audit Policy.
5. In the right pane, double-click Audit logon events and clear the Success
check box. Click OK.
6. Run "gpupdate /force".
SBS 2003 creates a GPO on the DC container named Small Business Server
Auditing Policy. Logon Events are audited for Success and Failure by
default. Every time the server accesses a resource, a logon event is
recorded.
To get around this, we can remove Success auditing from the policy and run
the gpupdate command.
1. Open Server Management console
2. Extend Advanced Management->Group Policy Management->Forest:
domain.local->Domains->domain.local->Domain Controllers
3. Right click Small Business Server Auditing Policy, select edit
4. Extend Computer Configuration->Windows Settings->Security
Settings->Local Policies->Audit Policy
5. Double click Audit logon events, please ensure Success is not ticked,
click OK
6. Run gpupdate on SBS
More information:
Securing Your Windows Small Business Server 2003 Network
http://www.microsoft.com/downloads/details.aspx?familyid=f62b2722-267c-4642-b287-c31115ef10a4&displaylang=en
Account Passwords and Policies
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP
http://www.microsoft.com/downloads/details.aspx?FamilyId=1B6ACF93-147A-4481-9346-F93A4081EEA8&displaylang=en
I hope the above information helps. If you have any questions or concerns,
please do not hesitate to let me know.
Have a nice day!
Best regards,
Terence Liu(MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
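
An added example, not part of the original post: before clearing Success auditing as described in the reply above, it helps to confirm that the 540/538/576 volume really comes from the server's own accounts. This Python script summarises an exported Security log; the four-column CSV layout, the sample rows and the EXAMPLE domain and account names are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter, defaultdict

# Event meanings as stated in the reply above.
EVENTS = {"540": "logon", "538": "logoff", "576": "privilege assignment"}
# Built-in service identities; names ending in "$" are computer accounts.
BUILTIN = {"SYSTEM", "NETWORK SERVICE", "LOCAL SERVICE", "ANONYMOUS LOGON"}

# Constructed sample rows (date,time,event,user); the layout is an assumption,
# so match it to your own export. The last row has another event ID and is skipped.
SAMPLE = """\
1/10/2007,19:19:35,540,NT AUTHORITY\\SYSTEM
1/10/2007,19:19:35,576,NT AUTHORITY\\SYSTEM
1/10/2007,19:19:35,538,NT AUTHORITY\\SYSTEM
1/10/2007,19:19:35,540,EXAMPLE\\SERVER01$
1/10/2007,19:19:35,576,EXAMPLE\\SERVER01$
1/10/2007,19:19:36,538,EXAMPLE\\SERVER01$
1/10/2007,19:19:36,540,EXAMPLE\\alice
1/10/2007,19:19:36,576,EXAMPLE\\alice
1/10/2007,19:19:37,529,EXAMPLE\\alice
"""

def is_machine(user):
    name = user.rsplit("\\", 1)[-1].upper()
    return name in BUILTIN or name.endswith("$")

def summarize(text):
    """Count 540/538/576 events per second and per account."""
    per_second = Counter()
    per_account = defaultdict(Counter)
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4 or row[2] not in EVENTS:
            continue  # blank line, malformed row, or another event ID
        date, time, event, user = row
        per_second[(date, time)] += 1
        per_account[user][EVENTS[event]] += 1
    total = sum(per_second.values())
    machine = sum(sum(c.values()) for u, c in per_account.items() if is_machine(u))
    return {
        "total": total,
        "peak_per_second": max(per_second.values(), default=0),
        "machine_share": machine / total if total else 0.0,
        "per_account": {u: dict(c) for u, c in per_account.items()},
    }

if __name__ == "__main__":
    report = summarize(SAMPLE)
    print(report["total"], report["peak_per_second"], report["machine_share"])
```

A machine share close to 1.0 matches the explanation in the reply; a large share from named user accounts is worth a closer look before any auditing is turned off.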
--------------------
| From: "Jon Lewis" <jon.lewis<nospam>@btinternet.com>
| Subject: Re: Security Logon/Logoff Events
| Date: Thu, 11 Jan 2007 10:22:40 -0000
|
| Thank you Terence
|
| I haven't yet set password policy or configured account lockout policy so I
| will do that in due course to fully secure the server. The majority of the
| security events that are being recorded are generated from the server
| itself, mainly logon, logoff and privilege assignment events 540, 538, 576
|
| The client computer is not an issue here. I meant that only one client
| computer was logged on the system at the time of my post i.e. there was very
| little network activity. So my query refers to the server itself.
|
| This is our brand new installation of SBS 2003 R2 Premium which includes ISA
| which I set up with the relevant wizards so I doubt whether it would be
| necessary to alter any of the default ISA settings.
|
| I have sent the event logs (of the server) to you (zipped). Please let me
| know whether you think the frequency of the security events is normal. Our
| network is server and five client computers (all XP SP2 fully up to date).
|
| Many thanks for your help.
|
| Jon Lewis
|
| "Terence Liu [MSFT]" <v-terliu@xxxxxxxxxxxxxxxxxxxx> wrote in message
| news:kf04deVNHHA.2080@xxxxxxxxxxxxxxxxxxxxxxxxx
| > Hello Jon,
| >
| > Thank you for your post.
| >
| > According to your description, I understand that you get many logon/logoff
| > event logs on SBS. If I have misunderstood the problem, please don't
| > hesitate to let me know.
| >
| > Generally, there really are many logon and logoff actions on SBS, for
| > example, there is a GPO "Small Business Server Auditing Policy" on the SBS
| > Server to audit logon events.
| >
| > Just for your reference, the following are some common suggestions for
| > securing the server.
| >
| > 1. Enable complicated password policy.
| >
| > Note: The Password Policy needs to be configured in Default Domain policy.
| >
| > We can configure the settings under:
| >
| > Computer Configuration\Windows Settings\Security Settings\Account
| > Policies\Password Policy
| >
| > 2. Configure account lockout policy.
| >
| > Generally, it is a best practices suggestion to set the Threshold value to
| > 10 or higher. This is high enough to rule out user error and low enough to
| > deter hackers, especially when the password complexity policy is enabled.
| >
| > For medium security requirement, the recommended configurations are:
| >
| > Reset account lockout counter after: 30
| > Account lockout duration: 30
| > Account Lockout Threshold: 10
| >
| > For high security requirement, the recommendations are:
| >
| > Reset account lockout counter after: 30
| > Account lockout duration: 0
| > Account Lockout Threshold: 10
| >
| > For more information, please refer to:
| >
| > Account Passwords and Policies
| >
| > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
| >
| > 3. Check your firewall to ensure that only the necessary ports are opened.
| >
| > Important: I strongly suggest you close port 425.
| >
| > 4. Ensure the above settings have been successfully applied.
| >
| > 1) On the problematic SBS server, please run the following command to
| > refresh the group policy changes:
| >
| > GPUPDATE /FORCE
| >
| > 2) Run SECPOL.MSC and check the above changed password, Account lockout and
| > auditing policies to see their effective settings, and ensure that the
| > policies have been applied successfully.
| >
| > 5. Please install the latest service patch and apply all updates on this
| > problematic client.
| >
| > 6. Please install Antivirus software on this client, and do a full scan.
| >
| > If the issue persists, please kindly help me collect some information for
| > further investigation:
| >
| > Save the application event log, security log and system event log as evt
| > files on the problematic machine and send to my mailbox:
| > v-terliu@xxxxxxxxxxxxx
| >
| > Thank you for your time and cooperation!
| >
| > Hope these steps will give you some help.
| >
| > Thanks and have a nice day!
| >
| > Best regards,
| >
| > Terence Liu(MSFT)
| >
| > Microsoft CSS Online Newsgroup Support
| >
| > Get Secure! - www.microsoft.com/security
| >
| > --------------------
| > | From: "Jon Lewis" <jon.lewis<nospam>@btinternet.com>
| > | Subject: Security Logon/Logoff Events
| > | Date: Wed, 10 Jan 2007 19:19:35 -0000
| > |
| > | I have one client (the one I'm sending this message from) currently logged
| > | onto our new SBS2003R2 server. The EventLog is constantly recording
| > | thousands of System LogOn/LogOff events sometimes 80 per second. They are
| > | all successful and I can see from Googling that Logon/Logoffs happen all
| > | the time but 80 per second!!!???? I know I can disable recording these
| > | events but am concerned that so many are being generated. Should I be?
| > |
| > | TIA
| > |
| > |
| > |
| >
|
|
|