Re: Security Audit Log
From: Eric Fitzgerald [MSFT] (ericf_at_online.microsoft.com)
Date: 06/10/03
- Next message: Kent W. England [MVP]: "Re: time synch"
- Previous message: Dan Kubik: "Pop-up Advertising"
- In reply to: Tom Rydberg: "Security Audit Log"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 9 Jun 2003 18:19:02 -0700
This is normal behavior, typically the computer browser.
Logon Type 3 is network.
NTLMSSP = NTLM authentication (downlevel machine is probably involved)
Auth Package NTLM is kind of redundant, it's the only auth package that the
NTLM SSP supports.
Eric
"Tom Rydberg" <tom.rydberg@bigpond.com> wrote in message
news:006901c32d6f$fa790200$a001280a@phx.gbl...
> Hi All,
>
> Just have a quick query. I reguarly take the time to look
> over the Event Viewer, mainly the security log. And I
> notice there is a lot of logins by ANONYMOUS LOGON, and
> here is an example of that login:
>
> Successful Network Logon:
> User Name:
> Domain:
> Logon ID: (0x0,0x13809)
> Logon Type: 3
> Logon Process: NtLmSsp
> Authentication Package: NTLM
> Workstation Name:
> Logon GUID: {00000000-0000-0000-0000-
> 000000000000}
>
> And here is also the login by myself:
>
> Successful Logon:
> User Name: Thomas
> Domain: DOWNSTAIRS
> Logon ID: (0x0,0xC7FC)
> Logon Type: 2
> Logon Process: User32
> Authentication Package: Negotiate
> Workstation Name: DOWNSTAIRS
> Logon GUID: {00000000-0000-0000-0000-
> 000000000000}
> The two things i notice most about the ANON login is that
> the Logon Process and Authentication Packages are diff
> from what they are for my logon. I understand that Logon
> Type: 3 is a network logon. What does this all mean?? Is
> my box being hacked??
>
> I will just also add that my pc is networked with another
> in the house, just peer to peer, and my pc is
> the 'client' as such. The pc directly conn to the
> Internet is firewalled and has anti virus, but at the
> time of writing have not yet looked at the Event Viewer
> audit log for the other pc.
>
> And i also notice in the log that just before you see
> where i have logged on osmething is initiated by the
> SYSTEM that loads the following:
>
> Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Logon account: Thomas
> Source Workstation: DOWNSTAIRS
> Error Code: 0x0
>
> Is there anything that I should really be looking at help
> protect my box? I have anti virus, tauscan, and don't
> leave my machine running when I'm not using it!! Help!
> Any information that anyone could give would be greatly
> appreciated. Thanks in advance :)
>
> Tom Rydberg
>
- Next message: Kent W. England [MVP]: "Re: time synch"
- Previous message: Dan Kubik: "Pop-up Advertising"
- In reply to: Tom Rydberg: "Security Audit Log"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
