Re: GPO causing client security logs to fill?



In answer to both of your questions, I am pasting the text from a previous
thread below. In summary, we were having a sudden issue with client logon
failures. In this same newsgroup I posted a thread titled "Client Logon
Failure". Below are two sections of text that resulted from that thread and
from an email which was external to the thread. I am under the impression
that all of this work was for naught, as I believe the actual problem was a
result of Time32 issues.

In summary, the following was changed. I modified the account lockout
policies as instructed below. This was done in the Group Policy Objects. I
realize that as a rule you are only supposed to change the linked GPOs as
opposed to the actual GPOs themselves. However, I did find an article in the
MS KB that said that account/password items should be changed in the actual
GPOs.

So basically, the account lockout threshold, account lockout duration and
the account lockout reset were changed. I believe this was changed in both
the Default Domain Policy and the Default Domain Controller Policy.

Also, per recommendations, a linked GPO was made to the Default Domain
Controller Policy to set the "required password complexity requirements" to
enabled.

If this is not enough info please let me know.

Thank you both.
_________________________________________________________________________
From: Terence Liu (CS&S) [mailto:v-terliu@xxxxxxxxxxxxx]
Sent: Thursday, June 14, 2007 7:01 AM
To: Don Emerson
Subject: RE: Client Logon Failure (39270465-Client Logon Failure)

Hello Don,

Thank you for the kind update.

In your client event log, I find many instances of error message 1053:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1053
Date: 2007-2-10
Time: 14:06:27
User: NT AUTHORITY\SYSTEM
Computer: MARMAC1

Description:

Windows cannot determine the user or computer name. (An internal error
occurred. ). Group Policy processing aborted.

1. I agree with you. This is most likely a virus-related issue. The other 2
workstations may have been infected by a virus from this problematic client.

Therefore, how about step #1? Did you find any virus on the client?

Please install antivirus on all client computers and the SBS server, update
the virus definitions to the latest version and perform a full virus scan on
the computers. If you do not have an antivirus application installed, you may
try: http://housecall.trendmicro.com/.

2. When you do a clean boot on the client computer, you have to log on with
an account that is a member of Administrators. I suggest you log on to the
problematic client as the local administrator and then do the clean boot to
test.

3. You can try to reboot the client and enter Safe Mode (with networking),
then try to log on to the domain. Does that work?

Based on my research, the behavior can happen when virus activity guesses
the password, or when the machine password is not properly synchronized
between the SBS server and internal clients. I suggest we try the following
steps to see if we can resolve this issue:

1. Enable a complex password policy.

Note: The Password Policy needs to be configured in the Default Domain Policy.

We can configure the settings under:

Computer Configuration\Windows Settings\Security Settings\Account
Policies\Password Policy

2. Configure account lockout policy.

Generally, it is a best-practice suggestion to set the Threshold value to
10 or higher. This is high enough to rule out user error and low enough to
deter hackers, especially when the password complexity policy is enabled.

For medium security requirement, the recommended configurations are:

Reset account lockout counter after: 30
Account lockout duration: 30
Account Lockout Threshold: 10

For high security requirement, the recommendations are:

Reset account lockout counter after: 30
Account lockout duration: 0
Account Lockout Threshold: 10

For more information, please refer to:

Account Passwords and Policies
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

3. Check your firewall to ensure that only the necessary ports are opened.

4. Ensure the above settings have been successfully applied.

1) On the problematic SBS server, please run the following command to
refresh the group policy changes:

GPUPDATE /FORCE

2) Run SECPOL.MSC and check the above changed password, Account lockout and
auditing policies to see their effective settings, and ensure that the
policies have been applied successfully.

If the policies have been applied successfully, we should have enhanced the
security protection of that server.

5. The issue may occur if the remote SBS server sends broadcast packets to
the network. I suggest you change the "nolmhash" value to "0" in the
following registry key on the SBS server:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA

Reboot the server for this change to take effect and check whether the event
still appears.

6. If the event still appears, go to
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\Parameters
and set "enablesecuritysignature" and "requiresecuritysignature" to "0".
Reboot the server and check if everything is OK.

7. There are several running processes on the computer that will attempt to
connect using the machine account.

This behavior can happen when the machine password is not properly
synchronized.

In order to reset the machine account password of a domain controller, use:

NETDOM RESETPWD /Server:ServerName /UserD:Administrator /PasswordD:*

The syntax of this command is:

NETDOM RESETPWD /Server:domain-controller /UserD:user /PasswordD:[password | *]

NETDOM RESETPWD resets the machine account password for the domain controller
on which this command is run. Currently there is no support for resetting
the machine password of a remote machine or a member server. All parameters
must be specified.

/Server      Name of a specific domain controller that should have its
             machine account password reset.

/UserD       User account used to make the connection with the domain
             controller specified by the /Server argument.

/PasswordD   Password of the user account specified with /UserD. A *
             means to prompt for the password.

After completing the command, reboot the server.

If we cannot resolve the issue after we perform the above steps, please
help me collect some information for further investigation:

Please send the Server Performance report to me.

Hope these steps will give you some help.

Thanks and have a nice day!

Terence Liu

________________________________________________________________________
Hello Customer,

Thank you for posting here.

According to your description, I understand that you have noticed that one of
the client computers has several logon failures throughout the day. If I have
misunderstood the problem, please don't hesitate to let me know.

First, please let me know:

1. Does this problem happen every day?
2. How do you notice the logon failures?

Based on my research, a virus or third-party software may be related to this
issue. I suggest we try the following steps to see if we can resolve this
issue:

1. Please install antivirus on this client computer, update the virus
definitions to the latest version and perform a full virus scan on the
computer. If you do not have an antivirus application installed, you may try:
http://housecall.trendmicro.com/.

2. Please do a clean boot on the client computer to narrow down this issue:

To clean boot the problematic computer, please use the steps below:
a. Click Start, click Run, and then in the Open box, type "MSCONFIG"
(without the quotation marks). Click OK.

b. In the System Configuration Utility (MSConfig) window, click to select
the Selective Startup button.

c. Click to clear the check mark from the "Load startup items" below
Selective Startup.

d. Click the Services tab, click to check the "Hide All Microsoft Services"
box, and remove all the check marks from the remaining non-Microsoft
services.

e. Click OK to close the MSConfig window. Click Yes when you are asked to
restart your computer in order to enable the changes.

f. After restarting, please check whether this issue will reoccur.

g. If there are no more problems, please use the above steps to enable
services and startup items one by one in order to figure out the root cause
of this issue.

If we cannot resolve the issue after we perform the above steps, please
help me collect some information for further investigation:

1. Save the application event log and system event log as evt files on the
problematic client machine and send to my mailbox: v-terliu@xxxxxxxxxxxxx

2. Save the application event log and system event log as evt files on the
SBS and send to my mailbox: v-terliu@xxxxxxxxxxxxx

Hope these steps will give you some help.

Thanks and have a nice day!

Best regards,

Terence Liu(MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you should post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| From: LDD15 <LDD15@xxxxxxxxxxxxxxxxxxxxxxxxx>
| Subject: Re: Client Logon Failure
| Date: Fri, 25 May 2007 05:47:01 -0700
| Newsgroups: microsoft.public.windows.server.sbs
|
| You mentioned validating the port attempts. How else can I do this? I
| installed Defender on that machine and ran a quick scan and found nothing. I
| will run a full scan tonight.
|
| How can I determine where the attempts are actually coming from?
|
| "Cris Hanna [SBS-MVP]" wrote:
|
| > What are you running for spyware defense on the workstations...
| > This may not be a virus...per se and therefore not being picked up
| >
| > If you are not running it...install Windows Defender (free) on the
| > workstation and run full scan.
| >
| > You may wind up flattening that machine to be sure it's clean with this kind
| > of issue unless you can validate those are valid port attempts.
| >
| > --
| > Cris Hanna [SBS-MVP]
| > -------------------------------------------------
| > Microsoft MVPs
| > Independent Experts (MVPs do not work for MS)
| > Real World Answers
| > ---------------------------------------------------------
| > Please do not contact me directly regarding issues
| >
| > "LDD15" <LDD15@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
| > news:D861F3BC-6D38-4DB2-88C1-F430A757C095@xxxxxxxxxxxxxxxx
| > > We have a SBS2003 network. A couple of days ago I noticed that one of the
| > > clients, or at least one consistent IP address, has been having several
| > > (5-15) logon failures throughout the day. This occurs at various times and
| > > through many various ports such as 3166, 0, 3223, 3273, 3406, etc. How can
| > > I locate what is happening here, aside from running a virus scan?
| > >
| > > Thanks.
| >
| >
| >
|
______________________________________________________________________________________

"kj" wrote:

LDD15 wrote:
Do you have any idea why this would have changed? We have had this
system set up for several years and never had this issue. As I
mentioned, I had to make a policy change the other day and I'm sure
it results from that.

What bothers me is that if this policy, Computer Config/Windows
Settings/Security Settings/Event Log/Maximum Security Log Size was
not set before then why is it a problem now? Is it that there are
more events and if so why or more specifically is there a security
issue?

"Lanwench [MVP - Exchange]" wrote:

There are many different reasons that this may be an issue now and wasn't
before. First, what change did you make and to what policy object?



"LDD15" <LDD15@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:152CF5A9-7EAE-479D-A9B7-9DBF1409859A@xxxxxxxxxxxxxxxx
rsop.msc shows event log settings as not defined. So is the 512 KB a
Windows default?

I guess so. I always tweak mine so I can't look anything up from
here.


"Lanwench [MVP - Exchange]" wrote:


"LDD15" <LDD15@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:77D4DADD-7CA0-482B-A538-8F5FFFC805C1@xxxxxxxxxxxxxxxx
On our SBS2003 network the security logs on several of our clients are
filling quickly. This is causing a problem where users can't log on because
they receive an error indicating that "the security log is full and only the
admin can logon to fix the problem". This began after a change was made to
the group policies.

Do you know what exactly those changes were?

It appears that the two most problematic computers are those that are logged
into from other computers. Specifically, one of them has a printer attached
and the other is a server for our accounting program.

The event IDs are as follows: 515, 528, 538, 540, 552, 576, 680, 858

When I view the event logs through server management, the properties for the
security event log indicate that it is to overwrite messages older than 7
days. In one case the log is full with only two days' worth of events. Of
course this is the PC that is the accounting server.

I assume that this is a result of a GPO change. I also assume that with the
change either the log clearing properties were unknowingly changed or a
change was made with regard to what is recorded in the log. Unfortunately, I
don't really know what items to look at or which ones are safe to change.

All event logs should be set to a decent size (about 20MB at minimum, more
on the server esp for app/system), and set for "overwrite as needed".

This can be controlled via GPO -

computer config\windows settings\security settings\event log

....but I'd run an rsop.msc on one of the problem computers to see
what's been set, and from where.

--
/kj
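The thread's two open questions are what the affected workstations' security log settings actually are (rsop.msc showed them as "not defined") and where the failed logons are coming from. The script below is an added example, not code from the thread or from Microsoft: it reads the effective Security log size and retention from the registry values the Event Log GPO writes to, reports the LSA CrashOnAuditFail state (value 2 is the state in which Windows restricts logon to administrators after the security log overflowed), and then tallies the recent failure audits by source address, workstation and user. It assumes an XP/2003-era event log (numeric 5xx Security events with "Source Network Address:" and "Source Port:" lines in the message text) and PowerShell 2.0; the parameter names, the 512 KB fallback default and the script file name in the usage note are this example's own assumptions.

```powershell
# Added example, not from the thread: check the settings that decide whether a
# workstation's Security log can fill, then tally failed logons by source.
# Assumes an XP/2003-era Security log and PowerShell 2.0; $ComputerName,
# $MinLogSizeMB and $MaxEvents are this example's own names.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$MinLogSizeMB    = 20,     # the floor kj recommends in the thread
    [int]$MaxEvents       = 5000    # how many recent failure audits to read
)

# 1. Effective Security log settings. The Event Log GPO (Computer Config\Windows
#    Settings\Security Settings\Event Log) lands in these registry values, so
#    reading them shows what really applied, whatever rsop.msc reports.
$hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
$sec  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\Eventlog\Security')
$lsa  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')

# MaxSize is in bytes; when the value is absent Windows uses its built-in default
# (assumed here to be 512 KB, the figure the thread asks about).
$maxSize   = [int64]$sec.GetValue('MaxSize', 524288)
# Retention: 0 = overwrite as needed, 0xFFFFFFFF (read back as -1) = never
# overwrite, anything else = only overwrite events older than that many seconds.
$retention = [int64]$sec.GetValue('Retention', 0)
# CrashOnAuditFail: 1 = halt when an audit cannot be written, 2 = that already
# happened and only administrators may log on until it is cleared.
$crash     = [int]$lsa.GetValue('CrashOnAuditFail', 0)

$policy = switch ($retention) {
    0          { 'Overwrite events as needed' }
    -1         { 'Do not overwrite events (clear log manually)' }
    4294967295 { 'Do not overwrite events (clear log manually)' }
    default    { 'Overwrite events older than {0} days' -f [math]::Round($retention / 86400) }
}

Write-Host ("Security log on {0}: {1:N0} bytes, {2}" -f $ComputerName, $maxSize, $policy)
if ($maxSize -lt $MinLogSizeMB * 1MB) {
    Write-Warning ("Log is under {0} MB; raise 'Maximum security log size' in the GPO." -f $MinLogSizeMB)
}
if ($retention -ne 0) {
    Write-Warning 'Retention is not "overwrite as needed"; a busy host can fill the log before any event is old enough to drop.'
}
if ($crash -eq 2) {
    Write-Warning 'CrashOnAuditFail is 2: only administrators can log on until the log is cleared and the value reset.'
}

# 2. Who is producing the failed logons? Parse the message text of the failure
#    audits rather than ReplacementStrings, whose positions differ per event ID.
$failIds = 529, 530, 531, 532, 533, 534, 535, 537, 539

function Get-AuditField([string]$Message, [string]$Name) {
    # Matches a "<Name>:<tab><value>" line in the event description.
    $pattern = '(?m)^\s*' + [regex]::Escape($Name) + ':\s*(.+?)\s*$'
    if ($Message -match $pattern) { $matches[1] } else { '-' }
}

$failures = Get-EventLog -ComputerName $ComputerName -LogName Security -EntryType FailureAudit -Newest $MaxEvents |
    Where-Object { $failIds -contains $_.EventID } |
    ForEach-Object {
        New-Object PSObject -Property @{
            EventID     = $_.EventID
            Time        = $_.TimeGenerated
            User        = (Get-AuditField $_.Message 'User Name')
            Workstation = (Get-AuditField $_.Message 'Workstation Name')
            Source      = (Get-AuditField $_.Message 'Source Network Address')
            Port        = (Get-AuditField $_.Message 'Source Port')
        }
    }

# One row per (source address, workstation, user), busiest first, with the
# distinct source ports seen and the first time the pattern appeared.
$failures | Group-Object Source, Workstation, User | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ Name = 'Ports'; Expression = { ($_.Group | ForEach-Object { $_.Port } | Select-Object -Unique) -join ',' } },
        @{ Name = 'First'; Expression = { ($_.Group | Sort-Object Time)[0].Time } } |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell on the SBS server or an admin workstation, for example `.\Check-SecurityLog.ps1 -ComputerName MARMAC1`. A retention of "overwrite events older than 7 days" combined with a 512 KB log explains the symptom in the thread directly: once two days of events fill the log, nothing is old enough to be discarded and the log is effectively full. For the logon failures, the port numbers the original poster saw (3166, 3223 and so on) are ephemeral source ports of the connecting client, not services on the server, which is why the tally groups by source address and workstation: those two columns, plus the user name being tried, are what identify the host that needs the virus scan or the stale cached credential.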


