Solved

Security Success Audit - Event ID 680

Posted on 2006-11-01
Last Modified: 2013-12-04
Hi,

I'm seeing recurring success audits in the security logs on our DC from a number of computers on our network.
The reason I'm curious about this is because a number of them happen out of hours when the user is not onsite.
Some of the users do access their PCs from home, but the audits do not correspond to these times.
On one particular user, this log may show up 20 times or so during the night.
What would be the main reason(s) for this type of audit?

Category: Account Logon
Type: Success Audit
Event ID: 680
User: SNN\Bill

Logon attempt by:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:      Bill
 Source Workstation:      HR01
 Error Code:      0x0

Any help is appreciated.

Thanks in advance,
wl
Question by:windylad
7 Comments
 
LVL 56

Expert Comment

by:McKnife
ID: 17848580
It's Bill Gates, he is said to be doing WGA checks manually, left bored at home while his wife is on cocktail parties. :))

http://support.microsoft.com/kb/305822 - what OS and service pack are the clients running?
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 17849385
http://www.ultimatewindowssecurity.com/events/com304.html
http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/monitor/logevnts.mspx#EVE
Are there other event IDs around the same time pertaining to this PC?  Perhaps there is a scheduled task on this PC?
http://www.windowsecurity.com/articles/Deciphering-Authentication-Events-Domain-Controllers.html
NTLM yields an authentication event whenever a user logs on to a computer interactively or over the network. For instance, imagine a user logs on to his NT workstation with a domain account and then uses a share folder on server A and server B. On whichever domain controller(s) that handles those authentication requests you’ll see a total of 3 event ID 680s – one for the interactive workstation logon and 2 for the network logon at server A and server B.
-rich
 

Author Comment

by:windylad
ID: 17857977
Thanks for your help McKnife, the client PCs are XP SP2 and the DC is Windows Server 2003.

Thanks for your help also richrumble, I have a better understanding of this now.
I'm trying to figure out why no reply came from the DC via the Kerberos protocol (with the help of your last link) - any further ideas?

It seems however that when this event (680) occurs, the users have left the computer 'locked' instead of logged off - this appears to be a factor.
We do have group policy and WSUS set up and now scheduled tasks (the problem was present before we set up the tasks).
Any other reasons why the account logon auths above would be happening out of hours? I did see one event ID 612 (Audit Policy change) on a client PC out of hours, so would all of this be just because of an automatic gpupdate? Although the times do not match up.

To answer your first question:
On the security logs on the server, there are Success audits before and afterwards for many machines on the network
(Event IDs 673 and 674 as shown below).
The user on this is SYSTEM and not the user's login ID, so I wasn't too worried about this at the time.
__________
EventID: 673
Category: Account Logon
User: NT Authority\SYSTEM
Computer: SNN01

Service Ticket Request:
       User Name:            SNN06$@SNN.LOC
       User Domain:            SNN.LOC
       Service Name:            SNN01$
       Service ID:            SNN\SNN01$
       Ticket Options:            0x40810000
       Ticket Encryption Type:      0x17
       Client Address:            192.168.1.216
       Failure Code:            -
       Logon GUID:            {448f8589-4940-4d55-70c5-63ff742de829}
       Transited Services:      -
__________
EventID: 674
Category: Account Logon
User: NT Authority\SYSTEM
Computer: SNN01

Service Ticket Renewed:
       User Name:      MARKETING02$@SNN.LOC
       User Domain:      SNN.LOC
       Service Name:      krbtgt
       Service ID:      SNN\krbtgt
       Ticket Options:      0x2
       Ticket Encryption Type:      0x17
       Client Address:      192.168.1.48
__________
While we're here, are these particular logons Kerberos logons, then?


Also, this may not be related, but within a minute after event 680 on the server, there are Application and System events on the client PC itself:
App error: event 1030 (Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine). I looked back and saw event 1058 (amongst others) that suggested that a file (gpt.ini) in the Default Domain Policy folder could not be accessed.
Sys warn: event 40961 The Security System could not establish a secured connection with the server ldap/SNN01.snn.loc@snn.loc. No authentication protocol was available.

Sorry for the long-winded reply!

Thanks again in advance,
windylad
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17858084
NTLM/LM authentication is used for printer and network share connections; Kerberos is only used for domain login, like unlocking the PC and/or signing into the PC initially. When you connect to a network share and access files/folders on that share, NTLM/LM auth is used.
http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/security/kerberos.mspx (I don't agree with this paper's contentions about NTLM/LM being used in an all-AD environment; I've got a test lab that is all 2003 servers, nothing else, and NTLM is definitely still used by default. I'm sure I can change it to just Kerb...)

http://www.eventid.net/ might help you better understand some of what's going on.
-rich
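The two replies above from Rich Rumble explain why one user session can produce several 680 audits (one for the interactive logon, one per share or printer connection) and why a batch of them late at night is worth a second look. The script below is an added example written for this page, not code from the thread or from Microsoft: it parses a text export in the key/value layout the question shows, groups the 680 records by account and source workstation, collapses events that arrive within a short window into one "burst" (so a logon plus its share connections is counted once), and reports which bursts started outside business hours and how many attempts failed. The 60-second burst window, the 07:00-19:00 business-hours range, the `Time:` line and the sample records are all assumptions made for the example.

```python
"""Summarise Event ID 680 (NTLM account logon) audit records per account
and source workstation, collapsing the bursts that one interactive logon
plus its share connections produce, and flagging out-of-hours bursts."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for this example (not from the thread): 680s from one
# workstation within 60 s are treated as one logon session, and 07:00-19:00
# is treated as normal on-site hours.
BURST_WINDOW = timedelta(seconds=60)
BUSINESS_HOURS = (7, 19)

# Constructed sample export in the key/value layout the question shows,
# with records separated by a line of underscores; a "Time:" line has been
# added per record. 0xC000006A is the NTSTATUS code for a wrong password.
SAMPLE_LOG = """\
Time: 2006-10-30 08:55:10
Event ID: 680
 Logon account: Bill
 Source Workstation: HR01
 Error Code: 0x0
__________
Time: 2006-10-30 08:55:12
Event ID: 680
 Logon account: Bill
 Source Workstation: HR01
 Error Code: 0x0
__________
Time: 2006-10-31 02:14:05
Event ID: 680
 Logon account: Bill
 Source Workstation: HR01
 Error Code: 0x0
__________
Time: 2006-10-31 02:14:40
Event ID: 680
 Logon account: Bill
 Source Workstation: HR01
 Error Code: 0xC000006A
__________
Time: 2006-10-31 03:30:00
Event ID: 680
 Logon account: Bill
 Source Workstation: HR01
 Error Code: 0x0
"""


def parse_records(text):
    """Split the export on the separator line and turn each 'Key: value'
    line into a dict entry (split on the first colon only, so timestamps
    keep their own colons)."""
    records = []
    for block in text.split("__________"):
        rec = {}
        for line in block.strip().splitlines():
            key, sep, value = line.partition(":")
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def is_out_of_hours(ts):
    """True when the timestamp falls outside BUSINESS_HOURS."""
    return not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])


def summarise_680(records):
    """Group 680 events by (account, workstation), cluster them into bursts,
    and return counts separating normal daytime activity from out-of-hours
    sessions and failed attempts."""
    groups = defaultdict(list)
    for rec in records:
        if rec.get("Event ID") != "680":
            continue
        ts = datetime.strptime(rec["Time"], "%Y-%m-%d %H:%M:%S")
        key = (rec["Logon account"], rec["Source Workstation"])
        groups[key].append((ts, rec["Error Code"]))
    summary = {}
    for key, events in groups.items():
        events.sort()
        bursts = []
        for ts, code in events:
            # Extend the current burst if this event is within the window
            # of the burst's last event; otherwise start a new burst.
            if bursts and ts - bursts[-1][-1][0] <= BURST_WINDOW:
                bursts[-1].append((ts, code))
            else:
                bursts.append([(ts, code)])
        summary[key] = {
            "events": len(events),
            "bursts": len(bursts),
            "out_of_hours_bursts": sum(1 for b in bursts if is_out_of_hours(b[0][0])),
            "failures": sum(1 for _, code in events if code != "0x0"),
        }
    return summary


if __name__ == "__main__":
    for (account, host), s in summarise_680(parse_records(SAMPLE_LOG)).items():
        print(f"{account}@{host}: {s}")
```

On the constructed sample, Bill@HR01 shows 5 events but only 3 bursts: the two 08:55 records are one daytime logon, while the 02:14 and 03:30 records form two separate out-of-hours sessions, one of which contains a failed attempt. Counting bursts rather than raw 680s is what keeps the "20 entries during the night" figure from being inflated by a single session that touched many shares, and a burst that starts while the workstation is supposedly locked is the one to line up against the 673/674 Kerberos events and the client's own scheduled tasks.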
 
LVL 39

Assisted Solution

by:ChiefIT
ChiefIT earned 500 total points
ID: 20521034
You may want to look up the event ID as Rich suggested.

For example, this event 673 produced a scheduled task for Kerberos to check out S4U:

http://support.microsoft.com/kb/824905
 
LVL 1

Expert Comment

by:Computer101
ID: 21091577
Forced accept.

Computer101
EE Admin