Re: Windows 2003 Server, Constant Logon/Logoff in my Security Log - does this mean something is wrong?
From: Tim Springston [MSFT] (tspring_at_online.microsoft.com)
Date: 07/26/04
- In reply to: Edgar E. Cayce: "Windows 2003 Server, Constant Logon/Logoff in my Security Log - does this mean something is wrong?"
Date: Mon, 26 Jul 2004 16:47:29 -0500
Hi Edgar-
It seems normal enough to me if your users are accessing files on shares on
that server. It might make even more sense if you are using shadow copy of
those files.
I wouldn't say you are using too much auditing - it's a good idea to take an
interest in what is happening on your server.
__
Tim Springston
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.
"Edgar E. Cayce" <myfullnamenopunctuation@yahoo.com> wrote in message
news:l450g0d4d5hc43n39cra1lsuuqohrit57m@4ax.com...
> I have a Windows 2003 server acting as domain controller on a small (7
> PC) office network.
>
> Things seem to be working OK, but in my Event Viewer Security log, I
> find constant Success Audits where the machines in my network are
> doing Logon/Logoff and Privilege Use. These are happening many times
> per minute and I am concerned that something may be amiss.
>
> It usually seems to be Logon/Logoff EventID 540, the Privilege use
> #576, then Logon/Logoff #538, like so:
>
> Event Type: Success Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 540
> Date: 7/3/2004
> Time: 1:39:54 PM
> User: NT AUTHORITY\SYSTEM
> Computer: MEDTEKSERVER
> Description:
> Successful Network Logon:
> User Name: MEDTEKSERVER$
> Domain: MEDTEK
> Logon ID: (0x0,0x19D51B45)
> Logon Type: 3
> Logon Process: Kerberos
> Authentication Package: Kerberos
> Workstation Name:
> Logon GUID: {09dc05ac-b256-11bc-da59-4245b06f1711}
> Caller User Name: -
> Caller Domain: -
> Caller Logon ID: -
> Caller Process ID: -
> Transited Services: -
> Source Network Address: 192.168.1.200
> Source Port: 3957
>
>
> Event Type: Success Audit
> Event Source: Security
> Event Category: Privilege Use
> Event ID: 576
> Date: 7/3/2004
> Time: 1:39:54 PM
> User: NT AUTHORITY\SYSTEM
> Computer: MEDTEKSERVER
> Description:
> Special privileges assigned to new logon:
> User Name: MEDTEKSERVER$
> Domain: MEDTEK
> Logon ID: (0x0,0x19D51B45)
> Privileges: SeBackupPrivilege
> SeRestorePrivilege
> SeDebugPrivilege
> SeChangeNotifyPrivilege
>
>
> Event Type: Success Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 538
> Date: 7/3/2004
> Time: 1:39:54 PM
> User: NT AUTHORITY\SYSTEM
> Computer: MEDTEKSERVER
> Description:
> User Logoff:
> User Name: MEDTEKSERVER$
> Domain: MEDTEK
> Logon ID: (0x0,0x19D51AF8)
> Logon Type: 3
>
>
> Is this stuff normal? Is my auditing set too high? Any help would be
> muchly appreciated.
>
> Ed
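
An added example, not part of either poster's message: it parses event text in the layout quoted above, tallies the 540 network logons per account and source, and uses the Logon ID to tie 576 and 538 records to them. The host, account and address values in the sample are constructed, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the text layout quoted in the post (not real log data).
SAMPLE = """\
Event Type: Success Audit
Event ID: 540
User Name: EXAMPLESRV$
Logon ID: (0x0,0x1A01)
Logon Type: 3
Source Network Address: 192.0.2.10
Event Type: Success Audit
Event ID: 576
User Name: EXAMPLESRV$
Logon ID: (0x0,0x1A01)
Privileges: SeBackupPrivilege
            SeRestorePrivilege
Event Type: Success Audit
Event ID: 538
User Name: EXAMPLESRV$
Logon ID: (0x0,0x19F0)
Logon Type: 3
Event Type: Success Audit
Event ID: 540
User Name: alice
Logon ID: (0x0,0x1A02)
Logon Type: 3
Source Network Address: 192.0.2.23
"""

# "Name: value" lines; tolerates a leading "> " from quoted mail text.
FIELD = re.compile(r"^[> \t]*([A-Za-z ]+?):[ \t]*(.*?)[ \t\r]*$", re.M)

def parse_events(text):
    """One dict per event; a record starts at its 'Event Type' line."""
    chunks = re.split(r"(?m)^(?=[> \t]*Event Type:)", text)
    return [dict(FIELD.findall(c)) for c in chunks if c.strip()]

def summarise(events):
    """Tally 540 logons and link 576/538 records to them by Logon ID."""
    logons = {e["Logon ID"]: e for e in events if e.get("Event ID") == "540"}
    counts = Counter((e["User Name"], e["Logon Type"],
                      e.get("Source Network Address", "")) for e in logons.values())
    privileged = {e["Logon ID"] for e in events
                  if e.get("Event ID") == "576" and e["Logon ID"] in logons}
    orphan_logoffs = [e["Logon ID"] for e in events
                      if e.get("Event ID") == "538" and e["Logon ID"] not in logons]
    non_machine = sorted({user for user, _, _ in counts if not user.endswith("$")})
    return counts, privileged, orphan_logoffs, non_machine
```

In the quoted events the 540 and 576 records share Logon ID 0x19D51B45 while the 538 carries 0x19D51AF8, so that logoff belongs to a different session; the `orphan_logoffs` list surfaces that kind of mismatch within the window being examined.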