RE: Unusual logon / logoff Security event log



Hi Smiley,

Thanks for posting in our newsgroup.

Based on my research, 540, 538, 608 may not indicate you have a security risk
because they are success events. I tested and found there are lots of such
events on my test machine. The following is the related information about
the events:

540: This message includes the user name and the domain information of the
user account that was logged on, the name of the logon process that logged
the user on, the type of authentication credentials that were presented,
and a logon GUID (globally unique identifier).

538: The event appears when a user logs on or logs off.

608: This event record indicates that a specific right was assigned to the
identified user.

More info:

Message Details:
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows%20Operating%20System&ProdVer=5.0&EvtID=540&EvtSrc=Security&LCID=1033

To research the logon type difference, please help me collect the
following information, as I need to do deeper research. Thanks for your time
and patience.

MPS Report

1) Download the MPS report tool from:
http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd915706/MPSRPT_SETUPPerf.EXE
2) Run MPSRPT_SETUPPerf.exe on the server box.
3) Wait for 10~15 minutes.
4) Open Windows Explorer and navigate to
%SYSTEMROOT%\MPSReports\Setup\Reports\cab\
5) Send the .cab file to v-robeli@xxxxxxxxxxxxx with subject:
41079378-Unusual logon / logoff Security event log.

In addition, please implement strong password policies in your network to
prevent hackers from accessing your system. To do this:

Open the Server Management console and navigate to the Users snap-in. In the right
panel, click "Configure Password Policies". Enable the password policies.

1. Password must meet minimum length requirements.
2. Password must meet complexity requirements.
3. Password must be changed regularly.
4. Configure password policies: Immediately.

More info:

Securing Your Windows Small Business Server 2003 Network
http://www.microsoft.com/downloads/details.aspx?familyid=ccf92588-f367-4d25-8501-b4f680280f71&displaylang=en


I am looking forward to hearing from you.

If you need further assistance, please don't hesitate to let me know.

Best regards,

Robert Li(MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security


--------------------
<From: "Smiley" <firework123@xxxxxxxxxxxxxx>
<Newsgroups: microsoft.public.windows.server.sbs
<Subject: Unusual logon / logoff Security event log
<Date: Tue, 4 Dec 2007 10:45:54 -0000
<
<Hi there,
<
<There are repeated entries of event ID 540, 538, 608 in a row for a particular
<user.
<
<Another peculiarity is, for example, event ID 540. On the event, the logon
<type says 3, however, when I check the link on the event ID, it says the logon
<type is 4. So I am totally confused whether this is logon type 3 or logon
<type 4. On the webpage, type 3 is network, type 4 is batch.
<
<Logon type  Logon title  Description
<2           Interactive  A user logged on to this computer at the console.
<3           Network      A user or computer logged on to this computer from the network.
<4           Batch        Batch logon type is used by batch servers, where processes might run on behalf of a user without the user's direct intervention.
<
<
<Does anyone have any idea? Is this a security concern or not?
<
<Kind regards
<
<
<
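An added example (not part of either post): one way to triage a run of 540/538 records is to read the logon type from each event record itself, count logons per user and type, and pair each 540 with its 538 by Logon ID. The pipe-delimited export layout, the field order and the sample records below are constructed assumptions for illustration; only the three logon types quoted in the thread are mapped.

```python
import re
from collections import Counter

# Logon types exactly as listed in the table quoted in the thread.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch"}

# Constructed sample export (not real log data): "event id|timestamp|description".
SAMPLE = """\
540|2007-12-04 02:00:00|User Name: backupsvc Domain: EXAMPLE Logon ID: (0x0,0x2F001) Logon Type: 4 Logon Process: Advapi
540|2007-12-04 10:01:02|User Name: jsmith Domain: EXAMPLE Logon ID: (0x0,0x1A2B3) Logon Type: 3 Logon Process: Kerberos
538|2007-12-04 10:01:03|User Name: jsmith Domain: EXAMPLE Logon ID: (0x0,0x1A2B3) Logon Type: 3
540|2007-12-04 10:05:10|User Name: jsmith Domain: EXAMPLE Logon ID: (0x0,0x1A2C9) Logon Type: 3 Logon Process: Kerberos
538|2007-12-04 10:05:11|User Name: jsmith Domain: EXAMPLE Logon ID: (0x0,0x1A2C9) Logon Type: 3
"""

# Assumed field order inside the description text.
FIELD = re.compile(r"User Name: (\S+) Domain: (\S+) Logon ID: (\S+) Logon Type: (\d+)")

def parse(text):
    """Turn exported lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split("|", 2)
        match = FIELD.search(parts[2]) if len(parts) == 3 else None
        if not match:
            continue
        user, domain, logon_id, logon_type = match.groups()
        events.append({"id": int(parts[0]), "time": parts[1],
                       "user": f"{domain}\\{user}", "logon_id": logon_id,
                       "type": int(logon_type)})
    return events

def summarize(events):
    """Count 540 logons per (user, type) and list sessions with no matching 538."""
    counts, open_sessions = Counter(), {}
    for ev in events:
        key = (ev["user"], ev["logon_id"])
        if ev["id"] == 540:
            label = LOGON_TYPES.get(ev["type"], f"type {ev['type']}")
            counts[(ev["user"], label)] += 1
            open_sessions[key] = ev["time"]
        elif ev["id"] == 538:
            open_sessions.pop(key, None)  # logoff closes the session
    return counts, sorted(open_sessions)

if __name__ == "__main__":
    logons, still_open = summarize(parse(SAMPLE))
    for (user, label), n in sorted(logons.items()):
        print(f"{user:20} {label:12} {n}")
    print("no logoff seen:", still_open)
```
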
