RE: Large amounts of event id's 538 and 540
- From: v-terliu@xxxxxxxxxxxxxxxxxxxx (Terence Liu [MSFT])
- Date: Tue, 16 Jan 2007 10:11:19 GMT
Hello Dave,
Thank you for posting here.
According to your description, I understand that there are many security
event logs of 540, 538 on your SBS. If I have misunderstood the problem,
please don't hesitate to let me know.
In SBS 2003, the full security audit is enabled by default so that you are
able to monitor the server and network access events if needed. It's normal
that many logon/logoff events are logged because one logon/logoff procedure
can generate several events. The logon/logoff procedures are always
performed by service startup/shutdown, shared file accessing, network
accessing, users' logon/logoff etc. Event 540 indicates a successful logon;
event 538 indicates a successful logoff and event 576 indicates a
successful special privilege assignment. You may safely ignore these events.
If you do want to stop these events, you can turn off Success logon
auditing, although it is not recommended. To do so:
1. Click Start, click Run, type "gpmc.msc" and click OK.
2. Expand Domains -> your domain -> Domain Controllers.
3. Right-click Small Business Server Auditing Policy and click Edit.
4. Expand Computer Configuration -> Windows Settings -> Security Settings
-> Local Policies -> Audit Policy.
5. In the right pane, double-click Audit logon events and clear the Success
check box. Click OK.
6. Run "gpupdate /force".
SBS 2003 creates a GPO on the DC container named Small Business Server
Auditing Policy. Logon Events are audited for Success and Failure by
default. Every time the server accesses a resource, a logon event is
recorded.
To get around this, we can remove Success auditing from the policy and run
the gpupdate command.
1. Open Server Management console
2. Extend Advanced Management->Group Policy Management->Forest:
domain.local->Domains->domain.local->Domain Controllers
3. Right click Small Business Server Auditing Policy, select edit
4. Extend Computer Configuration->Windows Settings->Security
Settings->Local Policies->Audit Policy
5. Double click Audit logon events, please ensure Success is not ticked,
click OK
6. Run gpupdate on SBS
More information:
Securing Your Windows Small Business Server 2003 Network
http://www.microsoft.com/downloads/details.aspx?familyid=f62b2722-267c-4642-b287-c31115ef10a4&displaylang=en
Account Passwords and Policies
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
Threats and Countermeasures: Security Settings in Windows Server 2003 and
Windows XP
http://www.microsoft.com/downloads/details.aspx?FamilyId=1B6ACF93-147A-4481-9346-F93A4081EEA8&displaylang=en
I hope the above information helps. If you have any questions or concerns,
please do not hesitate to let me know.
Have a nice day!
Best regards,
Terence Liu(MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
--------------------
| From: =?Utf-8?B?RGF2ZSBDYXNvbg==?= <Dave Cason@xxxxxxxxxxxxxxxxxxxxxxxxx>
| Subject: Large amounts of event id's 538 and 540
| Date: Mon, 15 Jan 2007 08:33:01 -0800
|
| Hi,
|
| Can anyone tell me why I would have several hundred Event ID 538 and 540's
| in my Security Log for one user in 1 day?
|
| They do not login or logout everyday, only about once a week, but the
| security logs show 538's and 540's for each user many times.
|
| Cheers,
| Dave
|
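
An added example (not part of the original posts or Microsoft's guidance): before turning off Success auditing, an exported Security log can be summarised per user and logon type to confirm that the 540/538 volume comes from network access rather than interactive sign-ins. The CSV columns, the description layout, the sample rows, and event 528 (the Windows Server 2003 successful-logon ID, which the thread does not mention) are assumptions.

```python
import csv
import io
import re
from collections import Counter

LOGON_TYPES = {"2": "Interactive", "3": "Network", "4": "Batch",
               "5": "Service", "7": "Unlock", "10": "RemoteInteractive"}

# Constructed sample export; column names and description layout are
# assumptions for this example, not data from the thread.
SAMPLE = """EventID,Description
540,"Successful Network Logon: User Name: dave Domain: CORP Logon ID: (0x0,0x1A01) Logon Type: 3"
538,"User Logoff: User Name: dave Domain: CORP Logon ID: (0x0,0x1A01) Logon Type: 3"
540,"Successful Network Logon: User Name: dave Domain: CORP Logon ID: (0x0,0x1A02) Logon Type: 3"
538,"User Logoff: User Name: dave Domain: CORP Logon ID: (0x0,0x1A02) Logon Type: 3"
540,"Successful Network Logon: User Name: SBS01$ Domain: CORP Logon ID: (0x0,0x1A03) Logon Type: 3"
528,"Successful Logon: User Name: dave Domain: CORP Logon ID: (0x0,0x1B00) Logon Type: 2"
576,"Special privileges assigned to new logon: User Name: dave"
"""

FIELDS = re.compile(
    r"User Name:\s*(\S+).*?Logon ID:\s*\(([^)]+)\).*?Logon Type:\s*(\d+)")

def parse_events(text):
    """Return logon/logoff records; rows without a Logon Type (e.g. 576) are skipped."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        m = FIELDS.search(row["Description"])
        if m is None:
            continue
        user, logon_id, ltype = m.groups()
        events.append({"id": int(row["EventID"]), "user": user,
                       "logon_id": logon_id,
                       "type": LOGON_TYPES.get(ltype, ltype)})
    return events

def logons_by_user_and_type(events):
    """Count successful logons (528/540) per (user, logon type)."""
    return Counter((e["user"], e["type"]) for e in events if e["id"] in (528, 540))

def open_sessions(events):
    """Logon IDs that have a logon event but no matching 538 logoff."""
    opened = {e["logon_id"] for e in events if e["id"] in (528, 540)}
    closed = {e["logon_id"] for e in events if e["id"] == 538}
    return sorted(opened - closed)

if __name__ == "__main__":
    evts = parse_events(SAMPLE)
    for (user, kind), n in sorted(logons_by_user_and_type(evts).items()):
        print(f"{user:10} {kind:12} {n}")
    print("no logoff seen:", open_sessions(evts))
```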