RE: Windows2000 Security events

From: Wozny, Scott (US - New York) (swozny_at_deloitte.com)
Date: 09/14/04

    Date: Tue, 14 Sep 2004 14:22:44 -0400
    To: "Dave Gonsalves" <davegon@comcast.net>, <focus-ms@securityfocus.com>
    
    

    2 possibilities spring immediately to mind.

    1) Someone is testing / using Kerberos on your network without your
    being aware of it. (Likely)

    2) Someone has gone through the effort of writing / acquiring exploit
    code for the recently announced vulnerabilities in Kerberos and is
    testing it on your network. (Not likely)

    576s happen on a fairly regular basis depending on what rights your
    users are granted. MSDN provides a detailed explanation. With the
    information provided it looks like a perfectly normal use of Kerberos to
    me. Ask around your IT group.

    My 2 cents,

    Scott

    -----Original Message-----
    From: Dave Gonsalves [mailto:davegon@comcast.net]
    Sent: Saturday, September 11, 2004 1:51 PM
    To: focus-ms@securityfocus.com
    Subject: Windows2000 Security events

    Hi All,

    Has anyone seen this type of Windows Security Event Log activity before?

    This was found on multiple computers.... All within a 2 minute time
    frame...same username and domain.

    EVENT ID: 576

    Special privileges assigned to new logon:

    User Name: username

    Domain:

    Logon ID: (0x0,0x5F893A8)

    Assigned: SeChangeNotifyPrivilege

    EVENT ID: 540

    Successful Network Logon:

    User Name: username

    Domain: DOMAIN

    Logon ID: (0x0,0x5F893A8)

    Logon Type: 3

    Logon Process: Kerberos

    Authentication Package: Kerberos

    Workstation Name:

    EVENT ID: 538

    User Logoff:

    User Name: username

    Domain: DOMAIN

    Logon ID: (0x0,0x5F893A8)

    Logon Type: 3

    One of the computers provided a source IP address so I have checked the
    computer of the user in question for root kits, trojans, etc. It is
    fully patched and has AV up to date.

    thanks,

    Dave
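
Added example, not part of either poster's message: a triage sketch that groups the 576/540/538 records by their shared Logon ID, as in the log quoted above, and lists any assigned privileges beyond SeChangeNotifyPrivilege. The plain-text dump layout, the baseline set, and the second session (svc-test) are assumptions made for illustration.

```python
import re

BASELINE = {"SeChangeNotifyPrivilege"}  # assumption: routine for ordinary users
# Constructed sample in the field layout quoted in the post. The second
# session (svc-test, SeDebugPrivilege, NTLM) is invented for contrast.
SAMPLE = """\
EVENT ID: 576
User Name: username
Logon ID: (0x0,0x5F893A8)
Assigned: SeChangeNotifyPrivilege
EVENT ID: 540
Logon ID: (0x0,0x5F893A8)
Logon Type: 3
Authentication Package: Kerberos
EVENT ID: 538
Logon ID: (0x0,0x5F893A8)
EVENT ID: 576
User Name: svc-test
Logon ID: (0x0,0x5F8A001)
Assigned: SeChangeNotifyPrivilege
          SeDebugPrivilege
EVENT ID: 540
Logon ID: (0x0,0x5F8A001)
Logon Type: 3
Authentication Package: NTLM
"""

def parse_events(text):
    """Return one dict of 'Key: value' fields (plus raw text) per event."""
    chunks = re.split(r"(?m)^[ \t]*(?=EVENT ID:)", text)
    events = [dict(re.findall(r"(?m)^[ \t]*([^:\n]+):[ \t]*(.*)$", c), raw=c)
              for c in chunks]
    return [e for e in events if "EVENT ID" in e]

def sessions(events):
    """Correlate 576/540/538 records that share a Logon ID."""
    out = {}
    for ev in events:
        s = out.setdefault(ev.get("Logon ID"), {"user": None, "type": None,
                           "package": None, "privileges": set(), "closed": False})
        s["user"] = ev.get("User Name") or s["user"]
        if ev["EVENT ID"] == "576":   # privileges may span continuation lines
            s["privileges"] |= set(re.findall(r"Se\w+Privilege", ev["raw"]))
        elif ev["EVENT ID"] == "540":
            s["type"], s["package"] = ev.get("Logon Type"), ev.get("Authentication Package")
        elif ev["EVENT ID"] == "538":
            s["closed"] = True
    for s in out.values():
        s["extra"] = s["privileges"] - BASELINE   # what deserves a second look
    return out
```

Calling `sessions(parse_events(SAMPLE))` yields one entry per Logon ID; a session whose `extra` set is empty matches the pattern in the quoted log.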

    
