Edgar E. Cayce
I have a Windows 2003 server acting as domain controller on a small (7
PC) office network.
Things seem to be working OK, but in my Event Viewer Security log, I
find constant Success Audits where the machines in my network are
doing Logon/Logoff and Privilege Use. These are happening many times
per minute and I am concerned that something may be amiss.
It usually seems to be Logon/Logoff EventID 540, the Privilege use
#576, then Logon/Logoff #538, like so:

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 7/3/2004
Time: 1:39:54 PM
User: NT AUTHORITY\SYSTEM
Computer: MEDTEKSERVER
Description:
Successful Network Logon:
User Name: MEDTEKSERVER$
Domain: MEDTEK
Logon ID: (0x0,0x19D51B45)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {09dc05ac-b256-11bc-da59-4245b06f1711}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.1.200
Source Port: 3957

Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 7/3/2004
Time: 1:39:54 PM
User: NT AUTHORITY\SYSTEM
Computer: MEDTEKSERVER
Description:
Special privileges assigned to new logon:
User Name: MEDTEKSERVER$
Domain: MEDTEK
Logon ID: (0x0,0x19D51B45)
Privileges: SeBackupPrivilege
            SeRestorePrivilege
            SeDebugPrivilege
            SeChangeNotifyPrivilege

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 7/3/2004
Time: 1:39:54 PM
User: NT AUTHORITY\SYSTEM
Computer: MEDTEKSERVER
Description:
User Logoff:
User Name: MEDTEKSERVER$
Domain: MEDTEK
Logon ID: (0x0,0x19D51AF8)
Logon Type: 3

Is this stuff normal? Is my auditing set too high? Any help would be
muchly appreciated.
Ed
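
Added example, not part of the original post: one way to triage records like those above is to group them by account and Logon ID. In the posted records, 540 and 576 share Logon ID 0x19D51B45 while the 538 carries 0x19D51AF8, so that logoff closes a different session. The function names are hypothetical and the sample is an abridged field subset of the posted records.

```python
import re
from collections import defaultdict

# Abridged from the three records in the post (field subset only).
SAMPLE = """\
Event Type: Success Audit
Event ID: 540
User Name: MEDTEKSERVER$
Logon ID: (0x0,0x19D51B45)
Logon Type: 3
Event Type: Success Audit
Event ID: 576
User Name: MEDTEKSERVER$
Logon ID: (0x0,0x19D51B45)
Event Type: Success Audit
Event ID: 538
User Name: MEDTEKSERVER$
Logon ID: (0x0,0x19D51AF8)
Logon Type: 3
"""

# Anchored at line start, so "Caller User Name" / "Caller Logon ID" are ignored.
FIELD = re.compile(r"^(Event ID|User Name|Logon ID|Logon Type):\s*(.*)$")

def parse_events(text):
    """Split pasted Event Viewer text into one dict of fields per record."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Event Type:"):   # each record begins with this field
            events.append({})
        m = FIELD.match(line)
        if m and events:
            events[-1].setdefault(m.group(1), m.group(2).strip())
    return events

def sessions_by_logon_id(events):
    """Map (account, Logon ID) to the set of event IDs recorded for that session."""
    sessions = defaultdict(set)
    for ev in events:
        sessions[(ev.get("User Name"), ev.get("Logon ID"))].add(ev.get("Event ID"))
    return dict(sessions)

def unmatched_logoffs(sessions):
    """Sessions with a 538 logoff but no 540 logon inside the pasted window."""
    return sorted(k for k, ids in sessions.items() if "538" in ids and "540" not in ids)

if __name__ == "__main__":
    s = sessions_by_logon_id(parse_events(SAMPLE))
    print(s, unmatched_logoffs(s))
```

An unmatched logoff here only means the matching 540 falls outside the pasted excerpt; run it over a longer export to see how many sessions each machine account opens and closes per minute.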