RE: Frequent logon success audits in event viewer
- From: v-terliu@xxxxxxxxxxxxxxxxxxxx (Terence Liu [MSFT])
- Date: Wed, 09 May 2007 06:03:12 GMT
Hello Jim,
Thank you for posting here.
According to your description, I understand that there are many security
event logs of 540, 538 about success audits on your SBS. If I have
misunderstood the problem, please don't hesitate to let me know.
In SBS 2003, the full security audit is enabled by default so that you are
able to monitor the server and network access events if needed. It's normal
that many logon/logoff events are logged because one logon/logoff procedure
can generate several events. The logon/logoff procedures are always
performed by service startup/shutdown, shared file accessing, network
accessing, users' logon/logoff etc. Event 540 indicates a successful logon;
event 538 indicates a successful logoff and event 576 indicates a
successful special privilege assign. That do not mean some security
problems or some other configuration problems. You may safely ignore these
events.
If you do want to stop these events, you can turn off Success logon
auditing, although it is not recommended. To do so:
1. Open Server Management console
2. Extend Advanced Management->Group Policy Management->Forest:
domain.local->Domains->domain.local->Domain Controllers
3. Right click Small Business Server Auditing Policy, select edit
4. Extend Computer Configuration->Windows Settings->Security
Settings->Local Policies->Audit Policy
5. Double click Audit logon events, please ensure do not tick Success,
click OK
6. Run gpupdate on SBS
More information for your reference:
Securing Your Windows Small Business Server 2003 Network
http://www.microsoft.com/downloads/details.aspx?familyid=f62b2722-267c-4642-
b287-c31115ef10a4&displaylang=en
Account Passwords and Policies
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/
security/bpactlck.mspx
Threats and Countermeasures: Security Settings in Windows Server 2003 and
Windows XP
http://www.microsoft.com/downloads/details.aspx?FamilyId=1B6ACF93-147A-4481-
9346-F93A4081EEA8&displaylang=en
I hope the above information helps. If you have any questions or concerns,
please do not hesitate to let me know.
Have a nice day!
Best regards,
Terence Liu(MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: jim@xxxxxxx
| Newsgroups: microsoft.public.windows.server.sbs
| Subject: Frequent logon success audits in event viewer
| Date: 8 May 2007 07:25:05 -0700
| Organization: http://groups.google.com
| Lines: 54
| Message-ID: <1178634304.932937.215480@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
| NNTP-Posting-Host: 162.40.99.81
| Mime-Version: 1.0
| Content-Type: text/plain; charset="iso-8859-1"
| X-Trace: posting.google.com 1178634312 30535 127.0.0.1 (8 May 2007
14:25:12 GMT)
| X-Complaints-To: groups-abuse@xxxxxxxxxx
| NNTP-Posting-Date: Tue, 8 May 2007 14:25:12 +0000 (UTC)
| User-Agent: G2/1.0
| X-HTTP-UserAgent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;
NET CLR 1.1.4322; Alexa Toolbar),gzip(gfe),gzip(gfe)
| Complaints-To: groups-abuse@xxxxxxxxxx
| Injection-Info: y5g2000hsa.googlegroups.com; posting-host=162.40.99.81;
| posting-account=SptmAw0AAADyhAf5ds6N27aMLeSBOs9C
| Path:
TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTFEEDS01.phx.gbl!news-out.
cwix.com!newsfeed.cwix.com!newscon02.news.prodigy.net!prodigy.net!border1.nn
tp.dca.giganews.com!nntp.giganews.com!postnews.google.com!y5g2000hsa.googleg
roups.com!not-for-mail
| Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.sbs:35369
| X-Tomcat-NG: microsoft.public.windows.server.sbs
|
| Hello, and thanks for your help in advance! -Jim
|
| I believe I have excessive records in my security event log. It
| accumulates about 5000 records an hour. Most are system logon/logoff
| events. I understand I can turn off auditing of successful logon
| events, and I understand how to do that. But I want to know that this
| behaviour is not indicating a security problem or some other
| configuration problem.
|
| Here is an example extracted from the log. 192.168.1.35 is the IP
| address of my server. There were numerous other logon/logoff events
| recorded in the 3-minute time span, I have just captured the three
| events related by the same logon ID:
|
| 5/8/2007,8:59:34 AM,Security,Success Audit,Logon/Logoff ,538,NT
| AUTHORITY\SYSTEM,ACASERVER,"User Logoff:
| User Name: ACASERVER$
| Domain: ACA
| Logon ID: (0x0,0xB5FAD6)
| Logon Type: 3
|
| 5/8/2007,8:56:34 AM,Security,Success Audit,Logon/Logoff ,540,NT
| AUTHORITY\SYSTEM,ACASERVER,"Successful Network Logon:
| User Name: ACASERVER$
| Domain: ACA
| Logon ID: (0x0,0xB5FAD6)
| Logon Type: 3
| Logon Process: Kerberos
| Authentication Package: Kerberos
| Workstation Name:
| Logon GUID: {2ea2d473-c204-da54-11b7-da31e4d45350}
| Caller User Name: -
| Caller Domain: -
| Caller Logon ID: -
| Caller Process ID: -
| Transited Services: -
| Source Network Address: 192.168.1.35
| Source Port: 17265
| "
| 5/8/2007,8:56:34 AM,Security,Success Audit,Logon/Logoff ,576,NT
| AUTHORITY\SYSTEM,ACASERVER,"Special privileges assigned to new logon:
| User Name: ACASERVER$
| Domain: ACA
| Logon ID: (0x0,0xB5FAD6)
| Privileges: SeSecurityPrivilege
| SeBackupPrivilege
| SeRestorePrivilege
| SeTakeOwnershipPrivilege
| SeDebugPrivilege
| SeSystemEnvironmentPrivilege
| SeLoadDriverPrivilege
| SeImpersonatePrivilege
| SeEnableDelegationPrivilege"
|
|
.
- Follow-Ups:
- References:
- Prev by Date: RE: SBS 2003 - Server Manager - Backup
- Next by Date: Re: After a swing comes ?
- Previous by thread: Frequent logon success audits in event viewer
- Next by thread: Re: Frequent logon success audits in event viewer
- Index(es):
Relevant Pages
|
