July 24, 2008 02:05am pdt

1. KCTS 79,109
2. Phil_Agc... 63,250
3. toniur 59,124
4. rpggamer... 44,134
5. oBdA 41,957
6. martin_b... 35,705
7. tigermatt 30,877
8. johnb6767 28,442
9. CoccoBill 27,600
10. McKnife 27,518
11. snoopfrogg 26,481
12. LauraEHu... 23,900
13. richrumble 22,937
14. r-k 22,620
15. bbao 22,112

1. richrumble 645,479
2. r-k 424,480
3. Sheharya... 351,468
4. trywaredk 297,335
5. oBdA 292,082
6. war1 284,964
7. gidds99 266,792
8. rpggamer... 241,053
9. Phil_Agc... 238,650
10. sirbounty 191,193
11. KCTS 165,040
12. toniur 164,106
13. CoccoBill 161,666
14. PeteLong 156,654
15. sunray_2003 146,627

11.01.2006 at 02:43AM PST, ID: 22044926

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

9.0

Security Success Audit - Event ID 680

Zone: Windows Network Security Questions

Tags: event, 680, id

Hi,

I'm seeing recurring success audits in the security logs on our DC from a number of computers on our network.
The reason i'm curious about this is because a number of them happen out of hours when the user is not onsite.
Some of the users do access their PCs from home but the audits do not correspond to these times.
On one particular user, this log may show up 20 times or so during the night.
What would be the main reason(s) for this type of audit?

Category: Account Logon
Type: Success Audit
Event ID: 680
User: SNN\Bill

Logon attempt by:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account:      Bill
Source Workstation:      HR01
Error Code:      0x0

Any help is appreciated.

Thanks in advance,
wl

Start your free trial to view this solution

Question Stats

Zone: Security

Question Asked By: windylad

Solution Provided By: richrumble

Participating Experts: 4

Solution Grade: A

Translate:

Loading Advertisement...

Microsoft

Internet Protocols
Applications

Development
OS

Hardware
Windows Security

Apple

Operating Systems
Hardware

Programming
Networking

Software

Internet

Search Engines
File Sharing
WebTrends / Stats
Spy / Ad Blockers

Web Browsers
New Net Users
Web Development
Chat / IM

Anti Spam
Web Servers
Anti-Virus
Email Clients

Gamers

Tips
Online / MMORPG
Puzzle
Emulators

Action / Adventure
Role Playing
Consoles
Game Programming

Strategy
Sports
Misc
Computer Games

Digital Living

Hardware
Automotive
New Net Users
New Users

Software
Digital Music
Gaming World
Home Security

Apple
Networking Hardware

Virus & Spyware

Vulnerabilities
IDS
Encryption
Anti-Virus

Operating Systems Security
Software Firewalls
WebApplications
Cell Phones

Operating Systems
Internet
Hardware Firewalls

Hardware

Displays / Monitors
Handhelds / PDAs
Components
Peripherals
Laptops/Notebooks

Servers
Misc
Apple
Embedded Hardware
Networking Hardware

Storage
Desktops
New Users

Software

System Utilities
Industry Specific
Network Management
Photos / Graphics
Page Layout
VMware
Misc
Web Development

OS
CYGWIN
Voice Recognition
Virtualization
Message Queue
Quality Assurance
Security
Firewalls

MultiMedia Applications
Development
Database
Office / Productivity
Business Management
OS/2 Apps
Server Software
Internet / Email

ITPro

OS
Storage
Encryption
Operating Systems Security
Apple Hardware
Laptops & Notebooks
Servers
Networking Hardware
Peripherals
Devices

Displays / Monitors
WebTrends / Stats
Search Engines
Firewalls
Web Computing
WebApplications
IDS
Vulnerabilities
Email Clients
File Sharing

Spy / Ad Blockers
Web Browsers
Web Servers
Networking
Anti-Virus
Consulting
Chat / IM
Anti Spam

Developer

Web Servers
Web Browsers
Game Programming
Dev Tools
Industry Specific
Office / Productivity

Database
CYGWIN
Web Development
Search Engines
File Sharing
WebTrends / Stats

Programming
Content Management
Application Servers
Protocols

Storage

Removable Backup Media
Storage Technology
Servers

Grid
Remote Access
Backup / Restore

Misc
Hard Drives

Miscellaneous
Security
Development
Linux
VMware

MainFrame OS
Unix
Apple
OS / 2
AS / 400

BeOS
Microsoft
VMS / OpenVMS

Database

Oracle
Miscellaneous
MySQL
Software
Sybase
Contact Management
PostgreSQL
Data Manipulation
Clarion
InterSystems Cache

Siebel
MUMPS
OLAP
SQLBase
SAS
GIS & GPS
4GL
Berkeley DB
DB2
Informix

Interbase / Firebird
FoxPro
Reporting
LDAP
Filemaker Pro
MS SQL Server
dBase
MS Access

Security

Misc
Web Browsers
Software Firewalls
Operating Systems Security
File Sharing

Spy / Ad Blockers
Vulnerabilities
WebApplications
IDS
Anti-Virus

Encryption
Anti Spam
Email Clients
VPN
Chat / IM

Programming

Editors IDEs
Installation
Handhelds / PDAs
Multimedia Programming
System / Kernel
Automation

Algorithms
Game
Signal Processing
Project Management
Open Source
Database

Misc
Languages
Processor Platforms
Theory

Web Development

Scripting
Blogs
Web Servers
Software
Search Engines
Web Graphics
Web Services

Images
Internet Marketing
Images and Photos
Components
Document Imaging
Web Languages/Standards
Illustration

WebApplications
Fonts
WebTrends / Stats
Authoring
Digital Camera Software
Miscellaneous

Networking

Protocols
Apple Networking
Network Management
Message Queue
Application Servers
Content Management
File Servers
Email Servers
Misc
Java Editors & IDEs

Wireless
Networking Hardware
Backup / Restore
System Utilities
ISPs & Hosting
Web Servers
Storage Technology
Removable Backup Media
Servers
Web Computing

Broadband
Grid
OS / 2
Novell Netware
Unix Networking
Windows Networking
Security
Telecommunications
Operating Systems
Linux Networking

Other

Lounge
Business Travel
Community Support
New Net Users

Philosophy / Religion
Math / Science
Miscellaneous
URLs

Expert Lounge
Politics
Puzzles / Riddles
Automotive

Community Support

Suggestions
New to EE
New Topics
CleanUp

Announcements
General
Feedback

Input
EE Bugs

11.01.2006 at 03:00AM PST, ID: 17848580

Rank: Master

McKnife:

It's Bill Gates, he is said to be doing wga-checks manually, left bored at home while his wife is on cocktailparties. :))

http://support.microsoft.com/kb/305822 - what OS and servicepack are the clients running?

11.01.2006 at 06:00AM PST, ID: 17849385

Rank: Sage

richrumble:

http://www.ultimatewindowssecurity.com/events/com304.html http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/monitor/logevnts.mspx#EVE
Are there other event ID's around the same time pertaining to this PC? Perhaps there is a scheduled task on this PC?
http://www.windowsecurity.com/articles/Deciphering-Authentication-Events-Domain-Controllers.html
NTLM yields an authentication event whenever a user logs on to a computer interactively or over the network. For instance, imagine a user logs on to his NT workstation with a domain account and then uses a share folder on server A and server B. On whichever domain controller(s) that handles those authentication requests youll see a total of 3 event ID 680s one for the interactive workstation logon and 2 for the network logon at server A and server B.
-rich

Accepted Solution

11.02.2006 at 06:02AM PST, ID: 17857977

windylad:

Thanks for your help McKnife, the Client PCs are XPSP2 and DC is win server 2003

Thanks for your help also richrumple, i have a better understanding of this now.
I'm trying to figure out why why no reply came from the DC via the kerberos protocol (with the help of your last link) - any further ideas?

It seems however that when this event (680) occurs, the users have left the computer 'locked' instead of logged off - this appears to be a factor.
We do have group policy and wsus set up and now, scheduled tasks (the problem was present before we set up the tasks)
Any other reasons Why these account logon auths above be happening out of hours? I did see one event id 612 (Audit Policy change) on a client PC out of hours so, Would all of this be just because of an automatic gpupdate? Although the times do not match up.

To answer your first question:
On the security logs on the server, there are Success audits before and afterwards for many machines on the network
(Event IDs 673 and 674 as shown below)
The user on this is SYSTEM and not the users login ID so i wasn't too worried about this at the time.
__________
EventID: 673
Category: Account Logon
User: NT Authority\SYSTEM
Computer: SNN01

Service Ticket Request:
     User Name:            SNN06$@SNN.LOC
     User Domain:            SNN.LOC
     Service Name:            SNN01$
     Service ID:            SNN\SNN01$
     Ticket Options:            0x40810000
     Ticket Encryption Type:      0x17
     Client Address:            192.168.1.216
     Failure Code:            -
     Logon GUID:            {448f8589-4940-4d55-70c5-63ff742de829}
     Transited Services:      -
__________
EventID: 674
Category: Account Logon
User: NT Authority\SYSTEM
Computer: SNN01

Service Ticket Renewed:
     User Name:      MARKETING02$@SNN.LOC
     User Domain:      SNN.LOC
     Service Name:      krbtgt
     Service ID:      SNN\krbtgt
     Ticket Options:      0x2
     Ticket Encryption Type:      0x17
     Client Address:      192.168.1.48
__________
While we're here, are these particular logons kerberos logons so?

Also, this may not be related but within a minute after event 680 on the server, there are Application and System events on the client PC itself:
App error: event 1030 (Windows cannot query for the list of Group Policy objects. A nessage that describes the reason for this was previously logged by the policy engine). I looked back and saw event 1058 (Amoungst others) that suggested that a file (gpt.ini) in the Default Domain Policy folder could not be accessed.
Sys warn: event 40961 The Security System could not establish a secured connection with the server ldap/SNN01.snn.loc@snn.loc. No authentication protocol was available.

Sorry for the long winded reply!

Thanks again in Advance,
windylad

11.02.2006 at 06:19AM PST, ID: 17858084

Rank: Sage

richrumble:

NTLM/LM authentication is used for printer and network share connections, Kerberos is only used for domain login, like unlocking the pc and or signing into the pc initially. When you connect to a network share, access files/folders on that share NTLM/LM auth is used.
http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/security/kerberos.mspx ( I don't agree with this papers contentions about ntlm/lm being used in an all AD envronment, I've got a test lab that is all 2003 servers, nothing else, and ntlm is defiantly still used by default, I'm sure I can change it to just kerb...)

http://www.eventid.net/ might help you better understand some of what's going on.
-rich

12.23.2007 at 02:17AM PST, ID: 20521034

ChiefIT:

You may want to look up the event ID as rich suggested.

example this event 673 produced a sheduled task for kerburos to check out S4U:

http://support.microsoft.com/kb/824905

Assisted Solution

03.06.2008 at 06:47AM PST, ID: 21060612

Tolomir:

No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I will leave the following recommendation for this question in the Cleanup topic area:
Split: richrumble {http:#17849385} & ChiefIT {http:#20521034}

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

Tolomir
EE Cleanup Volunteer

Computer101

03.10.2008 at 04:34PM PDT, ID: 21091577

Forced accept.

Computer101
EE Admin

20080716-EE-VQP-33