Multiple Consistent Security Event Logs



Hello all,

I have 1 DC (Global Catalog, all 5 FSMO roles), 1 ADC (Global Catalog) and 20
XP clients.

I recently joined this organization, and before this, the GPOs were not
configured to capture audits on the network.

Considering the critical nature of our projects, I configured the GPO policy
to capture audits (failure and success) for both the clients and the servers.

Plus, I enabled certain other policies relating to secure network communication.

For DCs:

Security Options---

- Microsoft network client: Send unencrypted password to third-party SMB servers == Disabled
- Network access: Allow anonymous SID/Name translation == Disabled
- Network access: Do not allow anonymous enumeration of SAM accounts and shares == Enabled
- Domain member: Digitally encrypt secure channel data (when possible) == Enabled
- Network access: Do not allow anonymous enumeration of SAM accounts == Enabled
- Domain member: Digitally encrypt or sign secure channel data (always) == Enabled
- LAN Manager authentication level == Send LM & NTLM - use NTLMv2 session security if negotiated

Audit Policy---

- Audit account logon events == Failure
- Audit account management == Failure
- Audit directory service access == Failure
- Audit logon events == Failure
- Audit object access == Not Configured
- Audit policy change == Failure
- Audit privilege use == Failure
- Audit process tracking == Not Configured
- Audit system events == Failure

Since then, the event logs of the servers (both the DC and the ADC) as well as
certain clients have been showing multiple consistent failure audits for
Object Access, Logon/Logoff, Account Logon and Privilege Use, with 'User' varying
from Network Service, System, Domain Users and Domain Admins.

My concerns grew when I found external IP(s) communicating with my ADC at
regular times. They were in no way related to us. I checked and found that
1-2 of them were from small websites, and others were from blocks of IPs
allocated by InterNIC.

However, since then I have been closely monitoring changes and movements in the
services.

The following are the errors that have been occurring now on the network:

a. Wireless connections (of 2 users) disconnect and reconnect automatically
during the day. It is not periodic or regular though. (This never happened
before.)

b. The events always show regular failure attempts by different sources and
users.

The following events are most common in the server logs:

#675
Security
Account Logon
NT AUTHORITY\SYSTEM
ADC

Pre-authentication failed:
User Name: kg
User ID: domain\kg
Service Name: krbtgt/domain
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 127.0.0.1

***(Note: the ADC IP is logged as localhost here; I don't know why.)***

#577
Security
Privilege Use
domain\kg
DC

Privileged Service Called:
Server: Security
Service: -
Primary User Name: kg
Primary Domain: domain
Primary Logon ID: (0x0,0x8EB8B)
Client User Name: -
Client Domain: -
Client Logon ID: -
Privileges: SeRestorePrivilege

#560
Security
Object Access
NT AUTHORITY\NETWORK SERVICE
DC
Object Open:
Object Server: SC Manager
Object Type: SC_MANAGER OBJECT
Object Name: ServicesActive
Handle ID: -
Operation ID: {0,42740}
Process ID: 544
Image File Name: C:\WINDOWS\system32\services.exe
Primary User Name: ADC$
Primary Domain: domain
Primary Logon ID: (0x0,0x3E7)
Client User Name: NETWORK SERVICE
Client Domain: NT AUTHORITY
Client Logon ID: (0x0,0x3E4)
Accesses: READ_CONTROL
Connect to service controller
Lock service database for exclusive access

Apart from this log, at times services.exe starts consuming too much CPU.


#529
Security
Logon/Logoff
NT AUTHORITY\SYSTEM
ADC

Logon Failure:
Reason: Unknown user name or bad password
User Name: kg
Domain: domain
Logon Type: 2
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: ADC
Caller User Name: ADC$
Caller Domain: domain
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 500
Transited Services: -
Source Network Address: 127.0.0.1
Source Port: 0


***
Also, even though the ADC is a GC, the users' event log has this error (at times
when the DC is not up):

NETLOGON
5719
client-5

No Domain Controller is available for domain ESINDIA due to the following:
There are currently no logon servers available to service the logon request.
..
Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.

---

One more log event that I am concerned about is:

Tcpip
4226
client-5

TCP/IP has reached the security limit imposed on the number of concurrent
TCP connect attempts.

---

These failures are logged in multitudes and they don't follow any regularity.
For example, Logon/Logoff and Account Logon failure events were logged even when
the user logged on to the domain straight away, in a single attempt.

I have searched on different forums and on Microsoft, but found not much help
other than turning the audits off.

Any suggestions are welcome.

Thanks for your efforts.
Ganeshen
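As an added example (not part of the original post, and not a Microsoft tool), the following Python parses 675 and 529 entries written in the same flattened layout as the ones quoted above, groups the failures by user and source address, and reports whether each burst originates on the logging host itself or on a remote machine. The Kerberos failure codes and logon types are the standard documented values; the sample log is constructed from the poster's entries, and the repeat threshold of three is an assumption to tune against a baseline.

```python
"""Triage helper for the classic (Windows 2000/XP/2003) Security log entries
quoted above. Added example, not the poster's: the sample events are constructed
from the 675 and 529 entries above; the repeat threshold of three is an assumption."""
import re
from collections import Counter

# Standard Kerberos error codes as shown in event 675's "Failure Code" field.
KERBEROS_FAILURE_CODES = {
    "0x6": "client not found (unknown user name)",
    "0x12": "credentials revoked (disabled, locked out or outside logon hours)",
    "0x17": "password expired",
    "0x18": "pre-authentication failed (wrong password)",
    "0x25": "clock skew too great",
}
# Logon types as used by events 528/529.
LOGON_TYPES = {"2": "interactive at the console", "3": "network", "4": "batch",
               "5": "service", "7": "unlock", "10": "remote interactive"}
LOCAL_SOURCES = {"127.0.0.1", "::1", "-", ""}

# Constructed sample in the poster's flattened layout: "#<id>", log, category,
# account, computer, then "Key: Value" detail lines.
EVENT_675 = r"""#675
Security
Account Logon
NT AUTHORITY\SYSTEM
ADC

Pre-authentication failed:
User Name: kg
Service Name: krbtgt/domain
Failure Code: 0x18
Client Address: 127.0.0.1

"""
EVENT_529 = r"""#529
Security
Logon/Logoff
NT AUTHORITY\SYSTEM
ADC

Logon Failure:
Reason: Unknown user name or bad password
User Name: kg
Logon Type: 2
Source Network Address: 127.0.0.1
"""
SAMPLE_LOG = EVENT_675 * 3 + EVENT_529   # three bad-password 675s, then one 529

def parse_events(text):
    """Split the flattened dump into one dict per event."""
    events = []
    for chunk in re.split(r"(?m)^#(?=\d+\s*$)", text):
        lines = [ln.strip() for ln in chunk.strip().splitlines()]
        if len(lines) < 5 or not lines[0].isdigit():
            continue
        ev = {"id": int(lines[0]), "category": lines[2],
              "computer": lines[4], "fields": {}}
        for line in lines[5:]:
            if ": " in line:                     # "Key: Value" detail line
                key, value = line.split(": ", 1)
                ev["fields"][key] = value
        events.append(ev)
    return events

def describe(ev):
    """Defender-oriented one-line reading of a 675 or 529 failure."""
    f = ev["fields"]
    if ev["id"] == 675:
        code = f.get("Failure Code", "?")
        return "Kerberos " + KERBEROS_FAILURE_CODES.get(code, "failure code " + code)
    lt = f.get("Logon Type", "?")
    return "logon failure, logon type %s (%s)" % (lt, LOGON_TYPES.get(lt, "other"))

def triage(events, threshold=3):
    """Group 675/529 failures by (user, source); report groups at or over the
    threshold and say whether the source is the logging host itself."""
    groups = {}
    for ev in events:
        if ev["id"] not in (675, 529):
            continue
        f = ev["fields"]
        src = f.get("Client Address") or f.get("Source Network Address") or "-"
        groups.setdefault((f.get("User Name", "?"), src), []).append(ev)
    findings = []
    for (user, src), evs in sorted(groups.items()):
        if len(evs) < threshold:
            continue
        origin = ("a process on %s itself (service, scheduled task, mapped drive or "
                  "console session), not a remote machine" % evs[0]["computer"]
                  if src in LOCAL_SOURCES else "remote source %s" % src)
        findings.append({"user": user, "source": src, "count": len(evs),
                         "ids": sorted({e["id"] for e in evs}), "origin": origin,
                         "reasons": sorted({describe(e) for e in evs})})
    return findings

def count_by_id(events):
    """Per-event-ID counts: the first thing to compare against a quiet-day baseline."""
    return Counter(e["id"] for e in events)
```

In the classic audit model, Account Logon events (672-677) are written by the DC that validated the credential, while Logon/Logoff events (528-540) are written on the machine where the session was requested; a 675 whose Client Address is 127.0.0.1 was therefore generated by a request that originated on the ADC itself, and grouping by source makes that visible before any external address is chased. Run `triage(parse_events(text))` over a dump in this layout; the sample yields one finding for user kg from 127.0.0.1 with four events.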