Re: Unusual logon / logoff Security event log
- From: v-robeli@xxxxxxxxxxxxxxxxxxxx (Robert Li [MSFT])
- Date: Thu, 06 Dec 2007 09:27:07 GMT
Hi,
Thanks for your reply.
I researched the MPS Report but didn't find the Security log. Since that's
large, you can export that and load it to the workplace:
URL:
Password:
To export the Security event log:
1. Click Start -> Run, type EVENTVWR.MSC and click OK.
2. Right click the Security Event, select Save Log File as, save it to .evt
file.
Of cause I will keep the MPS Report and Security logs secret.
Here are the meaning of events 608 and 538:
608: This event record indicates that a specific right was assigned to the
identified user. Certain rights have security implications. Assigning such
rights to a user who is not trusted can be a security risk.
538: This event record indicates that a user has logged off.
To find more information about the events 540, 538, 608, I need to research
you Security log.
I notice some events occurs 10 times per second, Please take the following
steps on Computer KEBLE:
Step 1: Please make a clean boot on computer KEBLE to make sure the problem
is not caused by some third party software.
1. Click Start->Run...->type msconfig and press Enter.
2. Click Services tab and select Hide All Microsoft Services and Disable
All third party Services.
3. Click Startup tab and Disable All startup items.
4. Click OK and choose Restart.
5. After reboot, check whether the problem still occurs.
6. If there are no more problems, please use the above steps to enable
services and startup items one by one in order to figure out the root cause
of this issue
Step 2: The problem may be caused by virus on Computer KEBLE. Please scan
the system with Anti Virus software which as latest signature.
More info:
Windows Defender Home
http://www.microsoft.com/athome/security/spyware/software/default.mspx
I am looking forward to hear from you.
If you need further assistance, please don't hesitate to let me know.
Best regards,
Robert Li(MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
<From: "Smiley" <firework123@xxxxxxxxxxxxxx>
<Newsgroups: microsoft.public.windows.server.sbs
<Subject: Re: Unusual logon / logoff Security event log
<Date: Wed, 5 Dec 2007 15:07:29 -0000
<Lines: 174
<Message-ID: <fj6erk$nj3$1$8302bc10@xxxxxxxxxxxxxxxx>
<References: <fj3b53$cua$1$8300dec7@xxxxxxxxxxxxxxxx>
<pRASMPyNIHA.7908@xxxxxxxxxxxxxxxxxxxxxx>
<NNTP-Posting-Host: blueandmiko1.demon.co.uk
<X-Trace: news.demon.co.uk 1196867253 24163 80.177.109.206 (5 Dec 2007
15:07:33 GMT)
<X-Complaints-To: abuse@xxxxxxxxx
<NNTP-Posting-Date: Wed, 5 Dec 2007 15:07:33 +0000 (UTC)
<X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
<X-Priority: 3
<X-RFC2646: Format=Flowed; Original
<X-Antivirus: avast! (VPS 071205-1, 05/12/2007), Outbound message
<X-MSMail-Priority: Normal
<X-Antivirus-Status: Clean
<X-Newsreader: Microsoft Outlook Express 6.00.2900.3138
<Path:
TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTFEEDS02.phx.gbl!newsfeed0
0.sul.t-online.de!t-online.de!news.glorb.com!peer1.news.newnet.co.uk!194.159
246.34.MISMATCH!peer-uk.news.demon.net!kibo.news.demon.net!news.demon.co.uk
!demon!not-for-mail
<Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.sbs:80195
<X-Tomcat-NG: microsoft.public.windows.server.sbs
<
<Hi there,
<
<I have emailed you the log.
<
<If the event is randam then there is no concerns however, I have a row for
<540, 538, 608, 538, 608, 608 etc for the same user then another sequence
for
<another users.
<
<Much appreciated of our help and look forward hearing from you.
<
<Kind regards
<
<"Robert Li [MSFT]" <v-robeli@xxxxxxxxxxxxxxxxxxxx> wrote in message
<news:pRASMPyNIHA.7908@xxxxxxxxxxxxxxxxxxxxxxxxx
<> Hi Smiley,
<>
<> Thanks for posting in our newsgroup.
<>
<> Based on my research, 540, 538, 608 may not indicate you have security
<> risk
<> because they are success events. I tested and found there are lots of
such
<> events in my test machine. The following are the related information
about
<> the events:
<>
<> 540: This message includes the user name and the domain information of
the
<> user account that was logged on, the name of the logon process that
logged
<> the user on, the type of authentication credentials that were presented,
<> and a logon GUID (globally unique identifier).
<>
<> 538: The event appears when user logon or logoff.
<>
<> 608: This event record indicates that a specific right was assigned to
the
<> identified user.
<>
<> More info:
<>
<> Message Details:
<>
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows%
<> 20Operating%20System&ProdVer=5.0&EvtID=540&EvtSrc=Security&LCID=1033
<>
<> To research on the logon type difference, please help me collect the
<> following information and I need to do deep research. Thanks for your
time
<> and patience.
<>
<> MPS Report
<>
<> 1) Download MPS report tool from:
<>
http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd9
<> 15706/MPSRPT_SETUPPerf.EXE
<> 2) Run the MPSRPT_SETUPPerf.exe on the server box.
<> 3) Wait for 10~15 minutes.
<> 4) Open Windows explorer, navigate to
<> %SYSTEMROOT%\MPSReports\Setup\Reports\cab\
<> 5) Send the .cab file to v-robeli@xxxxxxxxxxxxx with subject:
<> 41079378-Unusual logon / logoff Security event log.
<>
<> In addition, please implement Strong password policies in your network to
<> prevent the hackers access your system. To do this:
<>
<> Open Server Management console, navigate to Users snap-in. In the right
<> panel, click ''Configure Password Policies''. Enable the password
<> policies.
<>
<> 1. Password must meet minimum length requirements.
<> 2. Password must meet complexity requirements.
<> 3. Password must be changed regularly.
<> 4. Configure password policies: Immediately.
<>
<> More info:
<>
<> Securing Your Windows Small Business Server 2003 Network
<>
http://www.microsoft.com/downloads/details.aspx?familyid=ccf92588-f367-4d25-
<> 8501-b4f680280f71&displaylang=en
<>
<>
<> I am looking forward to hear from you.
<>
<> If you need further assistance, please don't hesitate to let me know.
<>
<> Best regards,
<>
<> Robert Li(MSFT)
<>
<> Microsoft CSS Online Newsgroup Support
<>
<> Get Secure! - www.microsoft.com/security
<>
<> =====================================================
<>
<> This newsgroup only focuses on SBS technical issues. If you have issues
<> regarding other Microsoft products, you'd better post in the
corresponding
<> newsgroups so that they can be resolved in an efficient and timely
manner.
<> You can locate the newsgroup here:
<> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
<>
<> When opening a new thread via the web interface, we recommend you check
<> the
<> "Notify me of replies" box to receive e-mail notifications when there are
<> any updates in your thread. When responding to posts via your newsreader,
<> please "Reply to Group" so that others may learn and benefit from your
<> issue.
<>
<> Microsoft engineers can only focus on one issue per thread. Although we
<> provide other information for your reference, we recommend you post
<> different incidents in different threads to keep the thread clean. In
<> doing
<> so, it will ensure your issues are resolved in a timely manner.
<>
<> For urgent issues, you may want to contact Microsoft CSS directly. Please
<> check http://support.microsoft.com for regional support phone numbers.
<>
<> Any input or comments in this thread are highly appreciated.
<>
<> =====================================================
<>
<> This posting is provided "AS IS" with no warranties, and confers no
<> rights.
<>
<> --------------------
<> <From: "Smiley" <firework123@xxxxxxxxxxxxxx>
<> <Newsgroups: microsoft.public.windows.server.sbs
<> <Subject: Unusual logon / logoff Security event log
<> <Date: Tue, 4 Dec 2007 10:45:54 -0000
<> <Lines: 22
<> <Message-ID: <fj3b53$cua$1$8300dec7@xxxxxxxxxxxxxxxx>
<> <NNTP-Posting-Host: blueandmiko1.demon.co.uk
<> <X-Trace: news.demon.co.uk 1196765155 13258 80.177.109.206 (4 Dec 2007
<> 10:45:55 GMT)
<> <X-Complaints-To: abuse@xxxxxxxxx
<> <NNTP-Posting-Date: Tue, 4 Dec 2007 10:45:55 +0000 (UTC)
<> <X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
<> <X-Priority: 3
<> <X-RFC2646: Format=Flowed; Original
<> <X-Antivirus: avast! (VPS 071203-0, 03/12/2007), Outbound message
<> <X-MSMail-Priority: Normal
<> <X-Antivirus-Status: Clean
<> <X-Newsreader: Microsoft Outlook Express 6.00.2900.3138
<> <Bytes: 1853
<> <Path:
<>
TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTFEEDS02.phx.gbl!newsfeed0
<>
0.sul.t-online.de!t-online.de!border2.nntp.dca.giganews.com!nntp.giganews.co
<>
m!news.glorb.com!peer1.news.newnet.co.uk!194.159.246.34.MISMATCH!peer-uk.new
<>
s.demon.net!kibo.news.demon.net!mutlu.news.demon.net!news.demon.co.uk!demon!
<> not-for-mail
<> <Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.sbs:79902
<> <X-Tomcat-NG: microsoft.public.windows.server.sbs
<> <
<> <Hi there,
<> <
<> <Has this repeat entries of event ID 540, 538, 608 in a row for
particular
<> <user.
<> <
<> <Another preculiar is for example event ID 540, On the event id, the
logon
<> <type said 3, however when check on the link on the event ID which said
<> logon
<> <type is 4. So I am totally confused whether this is logon type 3 or
logon
<> <type 4. On the webpage, type 3 is network, type 4 is batch.
<> < Logon type Logon title Description
<> < 2 Interactive A user logged on to this computer at the console.
<> < 3 Network A user or computer logged on to this computer from the
<> <network.
<> < 4 Batch Batch logon type is used by batch servers, where processes
<> <might run on behalf of a user without the user's direct intervention.
<> <
<> <
<> <Anyone has any idea ? Is this a security concern or not.
<> <
<> <Kind regards
<> <
<> <
<> <
<>
<
<
<
.
- Follow-Ups:
- Re: Unusual logon / logoff Security event log
- From: Smiley
- Re: Unusual logon / logoff Security event log
- References:
- Unusual logon / logoff Security event log
- From: Smiley
- RE: Unusual logon / logoff Security event log
- From: Robert Li [MSFT]
- Re: Unusual logon / logoff Security event log
- From: Smiley
- Unusual logon / logoff Security event log
- Prev by Date: Re: How do I upgrade an existing 2003 domain to SBS 2003 R2 ?
- Next by Date: Outlook stuck with "Creating a Welcome message"
- Previous by thread: Re: Unusual logon / logoff Security event log
- Next by thread: Re: Unusual logon / logoff Security event log
- Index(es):
Relevant Pages
|
