Solved

token leak?

Posted on 2007-04-09
Medium Priority
866 Views
Last Modified: 2008-04-19
We have a Windows 2003 domain with about 85 XP SP2 workstations. One of the member servers is getting thousands of Security log entries every hour from about 6 user logons. This server is a file server with internal sharepoints, a third-party, SQL Server-based database, and works as the TrendMicro central computer. We are using the default security audit settings. The security log is set for 16 MB and presently only holds the last 24-36 hours of activity. We don't want to turn off security logging. How do we track down and turn off this activity?

The Event IDs are 538, 576, and 540. We suspect some kind of Kerberos "token leak". Anyone have a clue?
0
Comment
Question by:Barnabus2006
11 Comments
 
LVL 38

Expert Comment

by:younghv
ID: 18877878
Doesn't SQL Server authenticate (or something like that) every 10 seconds - by default?

I would review the actual 'Audit' settings and decide if some of them can't be eliminated.

You can also increase the size of your Security log beyond 16 MB - but that will just give you lots more room to store (possibly) unneeded events.

Vic
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 18877972
Hi Barnabus2006
Yes, this is a token leak issue. And the reason is TrendMicro. In my opinion, the only way is setting the auditing policy not to audit these actions.
0
 
LVL 32

Expert Comment

by:and235100
ID: 18878493
This could be it (at least for the 576 events)

http://support.microsoft.com/kb/887814/

But this hotfix was supposedly included in SP1 for 2003 - are you at SP1?
0
 

Author Comment

by:Barnabus2006
ID: 18886964
Hmmm...
We are at WS2003 SP1. Microsoft forums talk about fixing token leaks all the time via hot fixes and especially service packs. We may see some relief with the recent release of SP2; however, we aren't ready to install that.
Trend certainly could be the culprit; however, why then would only 6 of the workstations have the issue?
SQL may be part of the issue; however, these 6 users fill the event log without manually or automatically starting any SQL processes.
0
 
LVL 1

Accepted Solution

by:karensox (earned 1000 total points)
ID: 18902892
Possible solution, though it seems way off beam...

I had this problem and found that, in part, it was due to the HP Toolbox that was installed on some of the users' PCs. (Which gels with yours only coming from 6 users.)

Background:
If you want to be able to get a scan from the HP multifunction directly from your desktop then you need to install the full (over)blown HP Toolbox - which includes TomCat (hpbpsttp.exe). Then, every 30 seconds TomCat runs a port resolver (hpbpro.exe) which then can add up to 28 entries in 1 second for each of the users that has the HP Toolbox installed... just brilliant :-\ Apparently the port resolver below version 1.05 is leaky and causes these sorts of issues (incl. chewing CPU, memory). The latest is version 2.0.45 but just try getting hold of it... don't even bother with hpbprofix.exe as it still installs a leaky older version of the module.

Solution:
If your users only want the software installed so they can scan, then remove the TomCat entry from the Run branch of the LM registry. (Obviously you'll need to log out then back in again to stop the app after removing it from the registry.) The only thing they won't be able to do is run the HP Toolbox, which is a web interface to the printer and fax capabilities.

Notes:
• HP Toolbox app (hpbpsttp.exe) may not appear in your Task Manager - it didn't on any of my client boxes.
• hpbpro.exe only appears for a split second every 30 seconds in Task Manager - screen shot when you see the flicker to confirm (on client box).

**
So now I have stopped all the extra authentications from domain users, but am still left with the problem that the SYSTEM user is logging multiple 538/540/576 entries. Aaarrgghh!

~Karen
0
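The triage that karensox describes above (work out which accounts produce the 538/540/576 churn, how often it repeats, and from which workstations) can be done over an exported Security log instead of by watching Task Manager for the flicker. The script below is an added example and is not code from the thread or from HP or Microsoft. It assumes a constructed export format of one event per line, `date,time,event_id,user,logon_type,logon_id,workstation`; a real Event Viewer export has different columns, so `parse_line` is the part to adapt. A 30-second cadence in the result is the signature karensox attributes to the hpbpro.exe port resolver, and a logon session (by Logon ID) that never gets its 538 logoff is what "token leak" means in practice.

```python
"""Triage noisy Windows Security log logon/logoff events (IDs 540/576/538).

Added example, not from the original thread. It assumes a constructed
export format: date,time,event_id,user,logon_type,logon_id,workstation.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# 540 = successful network logon, 576 = special privileges assigned, 538 = logoff
LOGON_EVENTS = {540, 576, 538}


def parse_line(line):
    """Parse one export line into a dict; return None for malformed lines."""
    parts = line.strip().split(",")
    if len(parts) != 7:
        return None
    date, time, event_id, user, logon_type, logon_id, workstation = parts
    try:
        return {
            "when": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "event_id": int(event_id),
            "user": user,
            "logon_type": logon_type,
            "logon_id": logon_id,
            "workstation": workstation,
        }
    except ValueError:
        return None


def parse_export(text):
    """Return only the logon/logoff events (other audit IDs are ignored)."""
    parsed = (parse_line(l) for l in text.splitlines() if l.strip())
    return [e for e in parsed if e is not None and e["event_id"] in LOGON_EVENTS]


def noisy_accounts(events, min_events):
    """Accounts with at least min_events logon/logoff events, busiest first."""
    counts = defaultdict(int)
    for e in events:
        counts[e["user"]] += 1
    return sorted(((u, n) for u, n in counts.items() if n >= min_events),
                  key=lambda item: (-item[1], item[0]))


def logon_cadence(events, user):
    """Median seconds between successive 540 logons for one account (None if < 2)."""
    times = sorted(e["when"] for e in events
                   if e["user"] == user and e["event_id"] == 540)
    if len(times) < 2:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return median(gaps)


def workstations_for(events, user):
    """Which client machines the account's logons originate from."""
    return {e["workstation"] for e in events if e["user"] == user}


def unmatched_logons(events):
    """Logon IDs that got a 540 but never a 538: sessions still holding a token."""
    opened = {e["logon_id"] for e in events if e["event_id"] == 540}
    closed = {e["logon_id"] for e in events if e["event_id"] == 538}
    return sorted(opened - closed)


def _build_sample():
    """Constructed sample: one chatty client every 30 s, one normal user, one non-logon event."""
    lines = []
    base = datetime(2007, 4, 9, 8, 0, 0)
    for i in range(6):
        stamp = (base + timedelta(seconds=30 * i)).strftime("%Y-%m-%d,%H:%M:%S")
        lid = f"0x{0x1A2B3C + i:X}"
        lines.append(f"{stamp},540,CORP\\jsmith,3,{lid},WS01")
        lines.append(f"{stamp},576,CORP\\jsmith,,{lid},WS01")
        lines.append(f"{stamp},538,CORP\\jsmith,3,{lid},WS01")
    lines.append("2007-04-09,08:01:10,540,CORP\\mjones,3,0x2F0001,WS02")
    lines.append("2007-04-09,08:01:10,576,CORP\\mjones,,0x2F0001,WS02")
    lines.append("2007-04-09,08:01:12,560,CORP\\mjones,,0x2F0001,WS02")  # object access, ignored
    return "\n".join(lines)


SAMPLE_EXPORT = _build_sample()

if __name__ == "__main__":
    ev = parse_export(SAMPLE_EXPORT)
    for user, n in noisy_accounts(ev, 10):
        print(f"{user}: {n} events, cadence {logon_cadence(ev, user)} s, "
              f"from {sorted(workstations_for(ev, user))}")
    print("sessions without logoff:", unmatched_logons(ev))
```

Run against a real export, the accounts that come out of `noisy_accounts` with a fixed cadence and a single source workstation are the client machines to inspect for the HP Toolbox (or similar) process; the `unmatched_logons` list is the set of sessions the server is still holding open, which is what keeps growing when the component really does leak.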
 

Author Comment

by:Barnabus2006
ID: 18908496
karensox:
We'll take a look at that. If not HP, it may be a similar third-party issue.
0
 
LVL 38

Expert Comment

by:younghv
ID: 18909366
karensox - interesting idea.
I got so fed up with all the HP "Full Function/Feature" baloney that I finally downloaded just the "Basic Print and Scan Drivers" and just loaded that.
It got rid of all the misc junk and now runs fine.

Vic
0
 
LVL 32

Expert Comment

by:and235100
ID: 18910385
My personal bugbear is not HP software on 2003 - but Brother software...

(but that is another story!)
0
 
LVL 38

Expert Comment

by:younghv
ID: 18911263
... Oh, brother!
0
 

Author Comment

by:Barnabus2006
ID: 19015517
Karensox
THANKS!!!  You weren't way off beam (gymnast are you?).
We removed and reloaded the HP 1010 software. A custom reload allowed us to skip installing anything but driver-related functionality. We tried removing the Tomcat web service from the registry RUN key. It worked, but we chose the more "elegant" solution of a clean reinstall.
0
 
LVL 38

Expert Comment

by:younghv
ID: 19016307
Karensox - way to go!

Welcome to E-E and hurry up and get your 10,000 points.
It is even more fun when you can ask all the questions you want for free.

Vic
0
