Re: Unusual logon / logoff Security event log

---

• From: "Smiley" <firework123@xxxxxxxxxxxxxx>
• Date: Wed, 5 Dec 2007 15:07:29 -0000

---

Hi there,

I have emailed you the log.

If the event is randam then there is no concerns however, I have a row for
540, 538, 608, 538, 608, 608 etc for the same user then another sequence for
another users.

Much appreciated of our help and look forward hearing from you.

Kind regards

"Robert Li [MSFT]" <v-robeli@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:pRASMPyNIHA.7908@xxxxxxxxxxxxxxxxxxxxxxxxx

Hi Smiley,

Thanks for posting in our newsgroup.

Based on my research, 540, 538, 608 may not indicate you have security
risk
because they are success events. I tested and found there are lots of such
events in my test machine. The following are the related information about
the events:

540: This message includes the user name and the domain information of the
user account that was logged on, the name of the logon process that logged
the user on, the type of authentication credentials that were presented,
and a logon GUID (globally unique identifier).

538: The event appears when user logon or logoff.

608: This event record indicates that a specific right was assigned to the
identified user.

More info:

Message Details:
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows%
20Operating%20System&ProdVer=5.0&EvtID=540&EvtSrc=Security&LCID=1033

To research on the logon type difference, please help me collect the
following information and I need to do deep research. Thanks for your time
and patience.

MPS Report

1) Download MPS report tool from:
http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd9
15706/MPSRPT_SETUPPerf.EXE
2) Run the MPSRPT_SETUPPerf.exe on the server box.
3) Wait for 10~15 minutes.
4) Open Windows explorer, navigate to
%SYSTEMROOT%\MPSReports\Setup\Reports\cab\
5) Send the .cab file to v-robeli@xxxxxxxxxxxxx with subject:
41079378-Unusual logon / logoff Security event log.

In addition, please implement Strong password policies in your network to
prevent the hackers access your system. To do this:

Open Server Management console, navigate to Users snap-in. In the right
panel, click ''Configure Password Policies''. Enable the password
policies.

1. Password must meet minimum length requirements.
2. Password must meet complexity requirements.
3. Password must be changed regularly.
4. Configure password policies: Immediately.

More info:

Securing Your Windows Small Business Server 2003 Network
http://www.microsoft.com/downloads/details.aspx?familyid=ccf92588-f367-4d25-
8501-b4f680280f71&displaylang=en


I am looking forward to hear from you.

If you need further assistance, please don't hesitate to let me know.

Best regards,

Robert Li(MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================

This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check
the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In
doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no
rights.

--------------------
<From: "Smiley" <firework123@xxxxxxxxxxxxxx>
<Newsgroups: microsoft.public.windows.server.sbs
<Subject: Unusual logon / logoff Security event log
<Date: Tue, 4 Dec 2007 10:45:54 -0000
<Lines: 22
<Message-ID: <fj3b53$cua$1$8300dec7@xxxxxxxxxxxxxxxx>
<NNTP-Posting-Host: blueandmiko1.demon.co.uk
<X-Trace: news.demon.co.uk 1196765155 13258 80.177.109.206 (4 Dec 2007
10:45:55 GMT)
<X-Complaints-To: abuse@xxxxxxxxx
<NNTP-Posting-Date: Tue, 4 Dec 2007 10:45:55 +0000 (UTC)
<X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
<X-Priority: 3
<X-RFC2646: Format=Flowed; Original
<X-Antivirus: avast! (VPS 071203-0, 03/12/2007), Outbound message
<X-MSMail-Priority: Normal
<X-Antivirus-Status: Clean
<X-Newsreader: Microsoft Outlook Express 6.00.2900.3138
<Bytes: 1853
<Path:
TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTFEEDS02.phx.gbl!newsfeed0
0.sul.t-online.de!t-online.de!border2.nntp.dca.giganews.com!nntp.giganews.co
m!news.glorb.com!peer1.news.newnet.co.uk!194.159.246.34.MISMATCH!peer-uk.new
s.demon.net!kibo.news.demon.net!mutlu.news.demon.net!news.demon.co.uk!demon!
not-for-mail
<Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.sbs:79902
<X-Tomcat-NG: microsoft.public.windows.server.sbs
<
<Hi there,
<
<Has this repeat entries of event ID 540, 538, 608 in a row for particular
<user.
<
<Another preculiar is for example event ID 540, On the event id, the logon
<type said 3, however when check on the link on the event ID which said
logon
<type is 4. So I am totally confused whether this is logon type 3 or logon
<type 4. On the webpage, type 3 is network, type 4 is batch.
< Logon type Logon title Description
< 2 Interactive A user logged on to this computer at the console.
< 3 Network A user or computer logged on to this computer from the
<network.
< 4 Batch Batch logon type is used by batch servers, where processes
<might run on behalf of a user without the user's direct intervention.
<
<
<Anyone has any idea ? Is this a security concern or not.
<
<Kind regards
<
<
<

.

---

• Follow-Ups:
  • Re: Unusual logon / logoff Security event log
    • From: Robert Li [MSFT]

• References:
  • Unusual logon / logoff Security event log
    • From: Smiley
  • RE: Unusual logon / logoff Security event log
    • From: Robert Li [MSFT]

• Prev by Date: Re: SBS Wizards not Working
• Next by Date: Re: WSS 3.0 database too large for amount of actual data?
• Previous by thread: RE: Unusual logon / logoff Security event log
• Next by thread: Re: Unusual logon / logoff Security event log
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Overnight Logons ... Logon Type 3 is a logon from a different machine in the local network. ... Event Type: Success Audit ... Event Source: Security ... (microsoft.public.windows.server.sbs) Re: Overnight Logons ... Is Dwayne leaving his desktop PC running overnight? ... Logon Type 3 is a logon from a different machine in the local network. ... Event Source: Security ... (microsoft.public.windows.server.sbs) Unknown Domain user - domain authentication appears limited ... IIS or Domain problem, it appears that it is actually a security ... When I tried this on the new server configuration I received the following ... due to the following error: Logon failure: the user has not been granted the ... requested logon type at this computer. ... (microsoft.public.windows.server.security) Re: Overnight Logons ... Is Dwayne leaving his desktop PC running overnight? ... Logon Type 3 is a logon ... Event Source: Security ... (microsoft.public.windows.server.sbs) Re: Problem ... Is the account logged into more than one machine or is it running a service ... What is the possible reason? ... Logon Type: 2 ... Logon Process: User32 ... (microsoft.public.windows.server.active_directory)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > Windows  > microsoft.public.windows.server.sbs  > 2007-12