Re: Excessive Security Success audits
- From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@xxxxxxxxxxx>
- Date: Thu, 31 May 2007 13:05:27 -0700
Now granted, I have object access kicked up... but I have 627,844 events over a 5 day period.
steve s wrote:
So a normal security log will have 150,000 entries over a five day period? We have seven users and about ten devices.
"Susan Bradley, CPA aka Ebitz - SBS Rocks" wrote:
If a machine is on, yes there are normal "pings" to the server.
steve s wrote:
I have read past threads about event IDs #538, 540, and 576 being normal log in and log out processes, but I am seeing these postings every minute of every hour. It would seem that at 2am at night we shouldn't have this activity because no one is here and no one is logging in remotely. My log has over 150,000 entries over a five day period. This can't be normal, can it? I am also seeing event ID #624 with the following:
Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 624
Date: 5/31/2007
Time: 4:30:03 AM
User: ROSEHILLCAPITAL\administrator
Computer: 2007SERVER
Description:
User Account Created:
New Account Name: sbsmonacct
New Domain: ROSEHILLCAPITAL
New Account ID: S-1-5-21-3139612681-1260921997-520203349-1195
Caller User Name: administrator
Caller Domain: ROSEHILLCAPITAL
Caller Logon ID: (0x0,0xA1E7C)
Privileges -
Attributes:
Sam Account Name: sbsmonacct
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x0
New UAC Value: 0x15
User Account Control:
Account Disabled
'Password Not Required' - Enabled
'Normal Account' - Enabled
User Parameters: <value changed, but not displayed>
Sid History: -
Logon Hours: <value not set>
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
______________________________________________________________________
And event ID 552 with the following:
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 552
Date: 5/31/2007
Time: 4:30:00 AM
User: NT AUTHORITY\SYSTEM
Computer: 2007SERVER
Description:
Logon attempt using explicit credentials:
Logged on user:
User Name: 2007SERVER$
Domain: ROSEHILLCAPITAL
Logon ID: (0x0,0x3E7)
Logon GUID: {0fffdf39-11ef-7331-378d-e54365cced1b}
User whose credentials were used:
Target User Name: administrator
Target Domain: ROSEHILLCAPITAL
Target Logon GUID: {4af82be1-608a-c06c-e5f4-dc39c94eabe8}
Target Server Name: localhost
Target Server Info: localhost
Caller Process ID: 1348
Source Network Address: -
Source Port: -
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
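
One way to triage an exported Security log like the one discussed in this thread, as an added example that is not part of any poster's message: it tallies events per ID, sets aside the IDs the thread names as routine (538, 540, 576), and surfaces the rest, such as a 624 account creation. The sample records, the names EXAMPLE, EXAMPLESRV, WKSTN1$ and svc-example, and the UAC bit values are assumptions.

```python
import re
from collections import Counter

ROUTINE_IDS = {538, 540, 576}  # IDs the thread calls normal logon/logoff activity
# Assumed SAM account-control bits; they reproduce the flags shown for 0x15 above.
UAC_FLAGS = {0x01: "Account Disabled", 0x04: "Password Not Required",
             0x10: "Normal Account"}

def _routine(event_id, time):  # one constructed logon/logoff record
    return (f"Event Type: Success Audit\nEvent Category: Logon/Logoff\n"
            f"Event ID: {event_id}\nDate: 5/31/2007\nTime: {time}\n"
            f"User: EXAMPLE\\WKSTN1$\nComputer: EXAMPLESRV\n")

# Constructed sample in the Event Viewer text layout quoted in the thread.
SAMPLE = (_routine(540, "2:00:01 AM") + _routine(576, "2:00:01 AM")
          + _routine(538, "2:00:02 AM") + _routine(540, "2:01:01 AM") +
          "Event Type: Success Audit\nEvent Category: Account Management\n"
          "Event ID: 624\nDate: 5/31/2007\nTime: 4:30:03 AM\n"
          "User: EXAMPLE\\administrator\nComputer: EXAMPLESRV\n"
          "Description:\nUser Account Created:\n"
          "New Account Name: svc-example\nNew UAC Value: 0x15\n")

def _field(chunk, name):
    m = re.search(rf"(?m)^[ \t]*{re.escape(name)}:[ \t]*(\S.*?)[ \t]*$", chunk)
    return m.group(1) if m else None

def decode_uac(value):
    return [label for bit, label in sorted(UAC_FLAGS.items()) if value & bit]

def parse_events(text):
    """Split an exported log on 'Event Type:' and keep the triage fields."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        m = re.search(r"Event ID:\s*(\d+)", chunk)
        if not m:
            continue
        uac = _field(chunk, "New UAC Value")
        events.append({"id": int(m.group(1)),
                       "when": f"{_field(chunk, 'Date')} {_field(chunk, 'Time')}",
                       "user": _field(chunk, "User"),
                       "new_account": _field(chunk, "New Account Name"),
                       "uac": decode_uac(int(uac, 16)) if uac else []})
    return events

def triage(text):  # returns (count per event ID, events outside the routine set)
    events = parse_events(text)
    return Counter(e["id"] for e in events), [e for e in events if e["id"] not in ROUTINE_IDS]

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

On a real export the per-ID counts show how much of the volume is routine logon traffic, while the short review list keeps account-management events from being buried in it.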