Frequent logon success audits in event viewer

#1
08-05-2007
jim@4jl.net
Frequent logon success audits in event viewer

Hello, and thanks for your help in advance! -Jim

I believe I have excessive records in my security event log. It
accumulates about 5000 records an hour. Most are system logon/logoff
events. I understand I can turn off auditing of successful logon
events, and I understand how to do that. But I want to know that this
behaviour is not indicating a security problem or some other
configuration problem.

Here is an example extracted from the log. 192.168.1.35 is the IP
address of my server. There were numerous other logon/logoff events
recorded in the 3-minute time span, I have just captured the three
events related by the same logon ID:

5/8/2007,8:59:34 AM,Security,Success Audit,Logon/Logoff ,538,NT
AUTHORITY\SYSTEM,ACASERVER,"User Logoff:
User Name: ACASERVER$
Domain: ACA
Logon ID: (0x0,0xB5FAD6)
Logon Type: 3

5/8/2007,8:56:34 AM,Security,Success Audit,Logon/Logoff ,540,NT
AUTHORITY\SYSTEM,ACASERVER,"Successful Network Logon:
User Name: ACASERVER$
Domain: ACA
Logon ID: (0x0,0xB5FAD6)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {2ea2d473-c204-da54-11b7-da31e4d45350}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.1.35
Source Port: 17265
"
5/8/2007,8:56:34 AM,Security,Success Audit,Logon/Logoff ,576,NT
AUTHORITY\SYSTEM,ACASERVER,"Special privileges assigned to new logon:
User Name: ACASERVER$
Domain: ACA
Logon ID: (0x0,0xB5FAD6)
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeEnableDelegationPrivilege"

#2
09-05-2007
Terence Liu [MSFT]
RE: Frequent logon success audits in event viewer

Hello Jim,

Thank you for posting here.

According to your description, I understand that there are many security
event logs of 540, 538 about success audits on your SBS. If I have
misunderstood the problem, please don't hesitate to let me know.

In SBS 2003, the full security audit is enabled by default so that you are
able to monitor the server and network access events if needed. It's normal
that many logon/logoff events are logged because one logon/logoff procedure
can generate several events. The logon/logoff procedures are always
performed by service startup/shutdown, shared file accessing, network
accessing, users' logon/logoff etc. Event 540 indicates a successful logon;
event 538 indicates a successful logoff and event 576 indicates a
successful special privilege assign. That does not mean some security
problems or some other configuration problems. You may safely ignore these
events.

If you do want to stop these events, you can turn off Success logon
auditing, although it is not recommended. To do so:

1. Open Server Management console

2. Extend Advanced Management->Group Policy Management->Forest:
domain.local->Domains->domain.local->Domain Controllers

3. Right click Small Business Server Auditing Policy, select edit

4. Extend Computer Configuration->Windows Settings->Security
Settings->Local Policies->Audit Policy

5. Double click Audit logon events, please ensure you do not tick Success,
click OK

6. Run gpupdate on SBS

More information for your reference:
Securing Your Windows Small Business Server 2003 Network
http://www.microsoft.com/downloads/d...722-267c-4642-b287-c31115ef10a4&displaylang=en

Account Passwords and Policies
http://www.microsoft.com/technet/pro.../technologies/security/bpactlck.mspx

Threats and Countermeasures: Security Settings in Windows Server 2003 and
Windows XP
http://www.microsoft.com/downloads/d...F93-147A-4481-9346-F93A4081EEA8&displaylang=en

I hope the above information helps. If you have any questions or concerns,
please do not hesitate to let me know.

Have a nice day!

Best regards,

Terence Liu(MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities...s/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
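
Added example, not part of either poster's message: a short Python script that groups exported Security log records by Logon ID, as Jim did by hand for events 540, 576 and 538, and counts how many sessions are the server's own machine account logging on to itself over the network. The sample records, the `jdoe` account, the address 192.168.1.77, the function names and the triage rule are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict
# Constructed records in the export layout shown in the post (not real log data).
SAMPLE = r'''5/8/2007,8:56:34 AM,Security,Success Audit,Logon/Logoff ,540,NT AUTHORITY\SYSTEM,ACASERVER,"Successful Network Logon:
User Name: ACASERVER$
Logon ID: (0x0,0xB5FAD6)
Logon Type: 3
Source Network Address: 192.168.1.35
"
5/8/2007,8:56:34 AM,Security,Success Audit,Logon/Logoff ,576,NT AUTHORITY\SYSTEM,ACASERVER,"Special privileges assigned to new logon:
Logon ID: (0x0,0xB5FAD6)
Privileges: SeSecurityPrivilege"
5/8/2007,8:59:34 AM,Security,Success Audit,Logon/Logoff ,538,NT AUTHORITY\SYSTEM,ACASERVER,"User Logoff:
User Name: ACASERVER$
Logon ID: (0x0,0xB5FAD6)
Logon Type: 3
"
5/8/2007,9:01:10 AM,Security,Success Audit,Logon/Logoff ,540,NT AUTHORITY\SYSTEM,ACASERVER,"Successful Network Logon:
User Name: jdoe
Logon ID: (0x0,0xB60111)
Logon Type: 3
Source Network Address: 192.168.1.77
"
'''

HEADER = re.compile(r'\d+/\d+/\d{4},[^,]+,Security,[^,]+,[^,]+,(\d+),')
FIELD = re.compile(r'(?m)^(User Name|Logon ID|Logon Type|Source Network Address):[ \t]*(.*)$')

def sessions(text):
    """Merge the 540/576/538 records that share a Logon ID into one session."""
    out = defaultdict(lambda: {"events": []})
    for rec in re.split(r'(?m)^(?=\d+/\d+/\d{4},)', text):
        head = HEADER.match(rec)
        if head:
            fields = dict(FIELD.findall(rec))
            session = out[fields.get("Logon ID", "unknown")]
            session["events"].append(int(head.group(1)))
            session.update(fields)
    return dict(out)

def triage(session, server_ips):
    """Assumed rule: a machine account's type 3 logon from the server's own IP is routine."""
    machine = session.get("User Name", "").endswith("$")
    local = session.get("Source Network Address") in server_ips
    routine = machine and session.get("Logon Type") == "3" and local
    return "machine-self" if routine else "other"

def summarize(text, server_ips):  # number of sessions per triage bucket
    return Counter(triage(s, server_ips) for s in sessions(text).values())
```

Calling `summarize(SAMPLE, {"192.168.1.35"})` on an hour of exported records shows what share of the volume is the machine-account self-logon pattern and leaves the remaining sessions in a much smaller bucket to read through.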

#3
09-05-2007
jim@4jl.net
Re: Frequent logon success audits in event viewer

Thank you, Terence!

--Jim

On May 9, 1:03 am, v-ter...@online.microsoft.com (Terence Liu [MSFT])
wrote:
> Hello Jim,
>
> Thank you for posting here.
>
> According to your description, I understand that there are many security
> event logs of 540, 538 about success audits on your SBS. If I have
> misunderstood the problem, please don't hesitate to let me know.
>
> In SBS 2003, the full security audit is enabled by default so that you are
> able to monitor the server and network access events if needed. It's normal
> that many logon/logoff events are logged because one logon/logoff procedure
> can generate several events. The logon/logoff procedures are always
> performed by service startup/shutdown, shared file accessing, network
> accessing, users' logon/logoff etc. Event 540 indicates a successful logon;
> event 538 indicates a successful logoff and event 576 indicates a
> successful special privilege assign. That does not mean some security
> problems or some other configuration problems. You may safely ignore these
> events.


#4
10-05-2007
Terence Liu [MSFT]
Re: Frequent logon success audits in event viewer

Hello Jim,

Thank you for your kind update. I appreciate your time on this post.

I'm glad to hear that the info I provided is helpful for you. Please do not
hesitate to post in this great newsgroup if you need any assistance in the
future. I look forward to working with you again.

Thank you and have a nice day,

Best regards,

Terence Liu(MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security
