FTP login to Win2k sp4 with IIS not all audited

• Previous message: Roger Abell: "Re: Disable program"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: 26 Nov 2004 00:54:47 -0800

The configuration is as following:
- Windows 2000 SP4 running as DC with IIS FTP installed
- One account "ftpuser" created for accessing the FTP server
- "Domain Security Policy", "Audit account logon events" and "Audit
logon events" are both turned on for success and failure
- Normally, we have about 10 workstations(NT4 WS) access the server in
the morning from 8:15AM to 8:30AM to get updated files.

The problem is :
- I am expecting I can get TEN pairs of "528 + 538" events with the
user field set to "ftpuser", but I only get at most TWO pairs of "528
+ 538" events.

Successful Logon:
         User Name: ftpuser
         Domain: DOMAIN1
         Logon ID: (0x0,0x65A244)
         Logon Type: 2
         Logon Process: IIS
         Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
         Workstation Name: SERVER1

User Logoff:
         User Name: ftpuser
         Domain: DOMAIN1
         Logon ID: (0x0,0x65A244)
         Logon Type: 2

In between, I got a lot of 540, 583 events who's user is "SYSTEM":
Successful Network Logon:
         User Name: SERVER1$
         Domain: DOMAIN1
         Logon ID: (0x0,0x65EA72)
         Logon Type: 3
         Logon Process: Kerberos
         Authentication Package: Kerberos
         Workstation Name:

User Logoff:
         User Name: SERVER1$
         Domain: DOMAIN1
         Logon ID: (0x0,0x65EBB9)
         Logon Type: 3

Anyone know what's the problem?

• Previous message: Roger Abell: "Re: Disable program"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages RE: find on which computer is connected a user ... You may try to enable the policy "Audit Logon Events" and then audit the ... Write events to the event log of a specified server concerning the status ... (microsoft.public.windows.server.general) Re: EventID 529 Logged 1723 Times in one Day! ... I see this on my machines that run an FTP server. ... Logon Process: IIS ... (microsoft.public.windows.server.sbs) Re: People trying to hack my MS FTP server (but theyre not getting in) ... > same IP address to logon to my MS FTP server with accounts which do not ... > to prevent further attacks from them. ... (microsoft.public.inetserver.iis.ftp) RE: how can I see when the last time it was when a computer loged on ... You can try to enable the policy "Audit logon events" and then we can audit ... Events->Select Success and Failure. ... (microsoft.public.windows.server.sbs) Re: Strange Win2K Logon Problem ... Enable auditing of logon events on that computer and account logon events in Domain ... Controller Security Policy and view the security logs to see if ... You will have to view the security log on ... (microsoft.public.win2000.security)