Network Services/NT Authority

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

:-I see entries in my Security Event Viewer indicating that
User: Network Services
Domain: NT Authority
is accessing my system in the wee hours of the morning with Special
Privledges assigned and then immediately followed by changes in my Firewall
Group policy. I do not have a network, unless it is referring to my cable
internet connection. What is Network Services and What is NT Authority?
Should I be concerned about this?
 
Are you finding that your firewall settings are being changed?? If you can
post the Event ID that refers to Windows Firewall Group Policy here in a
reply. --- Steve
 
Steve: Thanks for your response: I don't really know how to tell if my
firewall settings have been changed or not, I'm not that technical in that
area. There were 2 events that occured one right after the other:
1st was event ID # 528, successful logon by the Network Service, Domain:- NT
Authority: then #576 which assigned special privledges to the new log on.
Then about an hour later there were two events ID # 858 to apply Windows
Firewall Group Settings.
 
Steven: I think I just really messed things up. I tried to look at the
firewall group policy settings to see if I could make any sense of it, and I
clicked on the "Reset Defaults" without meaning too. I thought I should go
back to my last restore point, which was yesterday, to undo it, but when I
try to go back to the restore point it tells me that another user is logged
on, but I am the only user that is logged on. Then, when I checked the event
viewer it shows unsuccessful logon attempts for all users, including the one
I am now logged on under. Event ID's # 680 & 529 for each user.
 
Well the two events may be in order in the security log but timewise they do
not relate as an hour is a long time between events. It is not unusual to
see the logon events for Network Services and the Group Policy event
probably is just informational and nothing to worry about. --- Steve
 
Where exactly did you click on "Reset Defaults" ?? You need to use
gpedit.msc to access and edit local Group Policy in XP Pro. Maybe you were
just looking at the firewall settings and not Group Policy firewall
settings? The main thing is that your firewall is still enabled.

Reset defaults is not necessarily a bad thing as long as things work as you
want but you should be able to tweak from there. You can use the command
netsh firewall show state to see info about the firewall including if it is
enabled. I am not sure what is going on with the other user is logged on
message. Were you possibly using fast user switching? Are the failed logon
attempts type 2 or type 3 ?? Type three could indicate hack attempts to user
accounts on your computer via the network which can occur if you are
connected to the internet with no firewall protection. Type 2 logons are
for local keyboard interactive logon. If you are using cable/DSL I suggest
that you also use cheap and affordable internet router to protect your
network. You can go to a self scan site such as http://scan.sygatetech.com/
to check for basic firewall vulnerabilities. Below is an example of a
successful type 3 network logon to computer Steve-XP from computer
server1-2003. --- Steve

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 5/12/2006
Time: 12:07:12 AM
User: STEVE-XP\Steve
Computer: STEVE-XP
Description:
Successful Network Logon:
User Name: Steve
Domain: STEVE-XP
Logon ID: (0x0,0x54D0C7)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: SERVER1-2003
Logon GUID: {00000000-0000-0000-0000-000000000000}

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
 
Well, that creates another question in my mind:
1. Do you mean that we cannot rely on the time shown on the event log? The
two events that occured together show the same exact time, but the time shown
for the next event indicates an hour had passed.
2. I'm still confused about this "Network Services - NT Authority thing
since I don't have a "network". What Network would it refer to??
 
On Control Panel/Security Center/Windows Firewall, there are 3 tabs. On the
advanced tab, there are options for settings for Network Connections,
Security Logging, ICMP and then the option to reset all the firewall settings
to default. I really don't know that much about "Group Policy" and don't
feel comfortable going in to edit those type files and I have XP Home, not
Pro, so I don't even know if I have that ability. I did get to "restore" to
a point before I did that, so I'm back to where I was, but still don't
understand why it was showing another user logged on.

Where can I go to look up more info on some of these issues, like "Group
Policies" etc.? Microsoft's Knowledge base info is not very specific and
assumes you already have a good basic knowledge of these terms. I feel like
such a dummy asking all these questions and I would like to be able to look
up as much as possible before I post a "duh" question.
 
The first two events both related to the network service logon and are
normal. I was referring to the one an hour later that did not indicate it
had anything to do with network service. You actually do have a network if
you have a network adapter of any kind installed in your computer and
network service a normal special low privileged identity on your operating
system compared to system. If you use services.msc to view your services you
will see that some services such as DNS client and Remote Procedure Call use
the network service identity. --- Steve
 
OK that is what I though in that you did not change any Group Policy
settings but instead were managing the Windows Firewall settings and no you
can not manage Group Policy on an XP Home computer. I explained in a
previous post why you are seeing network service in your security log as a
logon which is normal as your computer really is on a network - the
internet. Your best bet to find information is to probably just do a Google
search and briefly read the articles that it finds to see one that is
comfortable for your knowledge level. You might also want to go to a book
store or library and browse through some books on Windows XP to find one
that you like. It is hard to recommend one because like you said that some
assume you know a lot and other assume you know next to nothing. The Lab
Mice link below is also a great resource that I used a lot when I started
out learning more about Windows operating systems. By the way your question
was in no way a "duh" question. --- Steve

http://labmice.techtarget.com/windowsxp/default.htm
 
Back
Top