Security event log filling..

Sue

I have 2 new AD servers running Windows Server 2003 that are completely
fresh installs on new identical hardware and all seems to be working well
but for one thing:

My event logs are filling with security messages for privilege changes and
logoffs/logons (EventIDs: 540, 576, 538). I get these continuously at the
rate of several per second and my drive lights show fairly regular
activity. The systems are new vanilla installs with no user activity and no
apps loaded. The CPUs show between 2 and 5% continuous activity.

I can probably figure out how to turn off these audits but is this constant
logon/logoff activity normal?
Scott
 
I suppose that would depend on how many users you have? Are the events
interactive logon/logoff? If so, you could take a note of the user name and
go ask what they're up to. Or is it a service logon/logoff, in which case
check the passwords on your service accounts.
If the logon attempts are all failures, maybe you are being hit with some sort
of brute-force attack; any account lockouts to suggest this?
 
Hi Sue,

Open AD Users and Computers. Open Properties on the Domain
Controllers OU. Go to the Group Policy tab and edit the
Default Domain Controllers Policy. Look under Computer
Configuration/Windows Settings/Security Settings/Local
Policies/Audit Policy.

You can track logon success and failure and some others.
You might not want to track privilege use activity.
After you change the policy it will be up to date in 5 minutes.
Steve
 
My event logs are filling with security messages for privilege changes and
logoffs/logons (EventIDs: 540, 576, 538).

I've got the same problem. Fresh install of Windows 2003 server as the DC
and I'm getting a large number of the same events. I'm the only one who's
using the server, although one other person does have the Administrator
password. There is one WinXP computer and one 2003 member server, and that's
it. No other computers on this network segment and I'm the only one who's
got a user account (except for the built-in Administrator account).

In "Default Domain Controllers Policy", "Audit Privilege Use" is set to
Failure, but I have a huge number of 576 successes. Why is it logging
Success Audit when the policy says only log failures? I verified "Default
Domain Controllers Policy" is linked to the OU "Domain Controllers", which
is where the server is. GPMC's "Group Policy Modeling" shows "Audit
Privilege Use" is set to Failure. I ran GPUPDATE to make sure the server
knows about the setting, but that didn't help. The 540s and 538s I think
I'll have to live with because of company policy--we're required to use
"Audit Logon Events" Success and Failure. If possible, I would like to turn
off audit success when the "User Name" is SERVER$ (or any other computer
name). Here are some typical entries:

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 9/10/2003
Time: 2:10:24 PM
User: NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
User Logoff:
User Name: SERVER$
Domain: COMPANY
Logon ID: (0x0,0x5F9D0B8)
Logon Type: 3


Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 9/10/2003
Time: 2:10:24 PM
User: NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
Successful Network Logon:
User Name: SERVER$
Domain: COMPANY
Logon ID: (0x0,0x5F9D10D)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {b5bf97ae-7109-a93b-d63a-e31786510d6f}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.1.1.1
Source Port: 0


Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 9/10/2003
Time: 2:10:24 PM
User: NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
Special privileges assigned to new logon:
User Name: SERVER$
Domain: COMPANY
Logon ID: (0x0,0x5F9D10D)
Privileges: SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeChangeNotifyPrivilege


If someone can tell me how to get rid of the 576 success audits, I'd
appreciate it. Thanks!

Paul Gibson
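Turning off the 576 success audits for SERVER$ is not something the Windows Server 2003 audit policy can do by itself: 576 "Special privileges assigned to new logon" is raised at logon time under Audit logon events as well as under Audit privilege use, and the thread's company policy mandates Audit Logon Events Success and Failure, so the Failure-only Audit privilege use setting does not touch it. The practical place to drop the computer-account noise is wherever the log is collected. The following is an added example, not code from this thread or from Microsoft, that parses events in the text layout pasted above, discards Success Audits whose "User Name" is a computer account (names ending in `$`), and joins each 576 to the 528/540 that opened the same Logon ID so the remaining privilege grants can be read in context. The SERVER$ pair mirrors the thread's entries; the `jdoe` logon, the `WKS1` workstation name and the `SENSITIVE` privilege watch-list are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the event-viewer text layout pasted in this thread.
# The SERVER$ 540/576 pair mirrors the thread's entries; the "jdoe" interactive
# logon (528) and its 576 are an assumption added so the filter keeps something.
SAMPLE_LOG = """\
Event Type: Success Audit
Event ID: 540
Description:
Successful Network Logon:
User Name: SERVER$
Logon ID: (0x0,0x5F9D10D)
Logon Type: 3
Workstation Name:
Source Network Address: 192.1.1.1

Event Type: Success Audit
Event ID: 576
Description:
Special privileges assigned to new logon:
User Name: SERVER$
Logon ID: (0x0,0x5F9D10D)
Privileges: SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeChangeNotifyPrivilege

Event Type: Success Audit
Event ID: 528
Description:
Successful Logon:
User Name: jdoe
Logon ID: (0x0,0x1A2B3C)
Logon Type: 2
Workstation Name: WKS1

Event Type: Success Audit
Event ID: 576
Description:
Special privileges assigned to new logon:
User Name: jdoe
Logon ID: (0x0,0x1A2B3C)
Privileges: SeDebugPrivilege
SeChangeNotifyPrivilege
"""

KEY_LINE = re.compile(r"^([A-Za-z][A-Za-z ]*):(.*)$")  # keys carry no digits/colons

def parse_events(text):
    """One dict per blank-line-separated record: 'Key: value' lines become keys,
    the line after 'Description:' becomes 'Message', and key-less continuation
    lines (the extra privilege names) are appended to the previous key."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev, last_key, in_desc = {}, None, False
        for line in (l.strip() for l in block.splitlines() if l.strip()):
            if in_desc and "Message" not in ev:
                ev["Message"] = line.rstrip(":")
                continue
            m = KEY_LINE.match(line)
            if m and m.group(1) == "Description":
                in_desc = True
            elif m:
                last_key = m.group(1)
                ev[last_key] = m.group(2).strip()
            elif last_key:
                ev[last_key] += " " + line
        ev["Privileges"] = ev.get("Privileges", "").split()
        events.append(ev)
    return events

def is_machine_account(name):
    return name.endswith("$")  # computer accounts (SERVER$, WKS1$) end in '$'

def drop_machine_success_audits(events):
    """What the thread asks for: suppress Success Audits whose User Name is a
    computer account. Failure Audits are never dropped."""
    return [e for e in events if not (e.get("Event Type") == "Success Audit"
                                      and is_machine_account(e.get("User Name", "")))]

def correlate_sessions(events):
    """Join 528/540 logons with their 576 grants on Logon ID, the session handle
    both events carry (the thread's pair shares 0x5F9D10D)."""
    sessions = defaultdict(lambda: {"user": None, "logon_type": None,
                                    "source": None, "privileges": []})
    for e in events:
        s, eid = sessions[e.get("Logon ID")], e.get("Event ID")
        s["user"] = e.get("User Name") or s["user"]
        if eid in ("528", "540"):
            s["logon_type"] = e.get("Logon Type")
            s["source"] = e.get("Source Network Address") or e.get("Workstation Name")
        elif eid == "576":
            s["privileges"] = e["Privileges"]
    return dict(sessions)

# Assumed watch-list: privileges that let the holder read any file or any process.
SENSITIVE = {"SeDebugPrivilege", "SeTcbPrivilege", "SeBackupPrivilege", "SeRestorePrivilege"}

def sensitive_grants_to_users(sessions):
    """The 576s worth reading once the noise is gone: human accounts granted a
    watch-listed privilege, with the Logon ID that ties them to their logon."""
    return [(s["user"], logon_id, sorted(set(s["privileges"]) & SENSITIVE))
            for logon_id, s in sessions.items()
            if s["user"] and not is_machine_account(s["user"])
            and set(s["privileges"]) & SENSITIVE]
```

On the sample, `drop_machine_success_audits` leaves only the two `jdoe` events, and `sensitive_grants_to_users` reports the `jdoe` session as the one that picked up SeDebugPrivilege. The same filter applied to a real dump from the thread's server would keep every Failure Audit and every human-account event while removing the SERVER$ churn that is filling the log.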
 
Does anyone know the registry key where the audit settings are stored? I
have "Audit privilege use" set to Failure in the Group Policy, but I'm
receiving many 576 Audit Success events. I'd like to manually check the
registry key to make sure the GP was applied properly.

Paul Gibson
 