m1ndg4m3
 asked on

Success Audits in event log for username: servername$ is this correct?

I was checking the event logs on the server and I noticed successful security audits for the username: servername$. Hundreds seem to occur every day and I do not think this is right. The full details are below...
Successful Network Logon:
       User Name:      GLAZERITE01$
       Domain:            GLAZERITE-DOM
       Logon ID:            (0x0,0x111A2513)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:      
       Logon GUID:      {64d9da07-9e8e-7914-e771-92e9abeecc0d}
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -
       Source Network Address:      -
       Source Port:      -

Could someone tell me whether this is correct, as I have only ever seen audits for actual usernames in there before, i.e. administrator or gregd. If this is not correct, could someone please tell me how to increase the security?

Thanks in advance

Greg
SBS, Active Directory, Windows Server 2003

Last Comment: snusgubben, 8/22/2022 - Mon

snusgubben

That's correct. It's the computer accounts that authenticate to the logon server. It will log a lot of events, so you can turn successful logging off by group policy if you don't need them.

Computer Configuration - Windows settings - Local Policies - Audit Policy:
Audit account logon events - Failure
Audit account management - Success
Audit logon events - Failure
m1ndg4m3

ASKER
Is it normal to have so many a day? Also, just to confirm, GLAZERITE01 is the name of the domain controller, so should it be logging events authenticating itself?
Thanks
snusgubben

How often does it occur in the event log? What is the Event number?

It's probably just the discrete communication channel between the computer and the domain that is set, or if the computer needs access to resources in the domain (i.e. group policy).
m1ndg4m3

ASKER
There are a few different events, actually...

Event number: 538

User Logoff:
       User Name:      GLAZERITE01$
       Domain:            GLAZERITE-DOM
       Logon ID:            (0x0,0x14001414)
       Logon Type:      3

Event number: 540

Successful Network Logon:
       User Name:      GLAZERITE01$
       Domain:            GLAZERITE-DOM
       Logon ID:            (0x0,0x14001414)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:      
       Logon GUID:      {52d9fb55-eac4-3ab6-fecc-a9fe4f28bbd6}
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -
       Source Network Address:      192.168.0.1
       Source Port:      9237

Event number: 576

Special privileges assigned to new logon:
       User Name:      GLAZERITE01$
       Domain:            GLAZERITE-DOM
       Logon ID:            (0x0,0x14001414)
       Privileges:      SeSecurityPrivilege
                  SeBackupPrivilege
                  SeRestorePrivilege
                  SeTakeOwnershipPrivilege
                  SeDebugPrivilege
                  SeSystemEnvironmentPrivilege
                  SeLoadDriverPrivilege
                  SeImpersonatePrivilege
                  SeEnableDelegationPrivilege

The events seem to occur every 15 to 30 seconds.

Thanks
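
As an added example (not part of the thread or any poster's code), this Python sketch parses event text in the layout pasted above and joins the 540, 576 and 538 records by Logon ID, so computer-account sessions (names ending in $) can be told apart from user sessions. The SAMPLE text is constructed, and `parse_events` and `correlate` are hypothetical names.

```python
import re
from collections import defaultdict
# Constructed sample in the thread's layout; the gregd record is made up.
SAMPLE = """\
Event number: 540
Successful Network Logon:
       User Name:      GLAZERITE01$
       Logon ID:            (0x0,0x14001414)
       Logon Type:      3
       Source Network Address:      192.168.0.1
Event number: 576
Special privileges assigned to new logon:
       User Name:      GLAZERITE01$
       Logon ID:            (0x0,0x14001414)
       Privileges:      SeSecurityPrivilege
                  SeDebugPrivilege
Event number: 538
User Logoff:
       User Name:      GLAZERITE01$
       Logon ID:            (0x0,0x14001414)
Event number: 540
Successful Network Logon:
       User Name:      gregd
       Logon ID:            (0x0,0x1500AAAA)
       Source Network Address:      192.168.0.25
"""
FIELD = re.compile(r"^[ \t]*([A-Za-z ]+):[ \t]+(\S.*)$", re.M)

def parse_events(text):
    """Split the export on 'Event number:' and read each 'Name: value' line."""
    events = []
    for chunk in re.split(r"(?m)^Event number:\s*", text)[1:]:
        fields = {k.strip(): v.strip() for k, v in FIELD.findall(chunk)}
        fields["Event"] = int(chunk.split(None, 1)[0])
        events.append(fields)
    return events

def correlate(events):
    """Join logon (540), privilege (576) and logoff (538) records by Logon ID."""
    by_id = defaultdict(list)
    for e in events:
        by_id[e["Logon ID"]].append(e)
    return [{"logon_id": lid, "user": evs[0]["User Name"],
             "machine_account": evs[0]["User Name"].endswith("$"),
             "source": next((e.get("Source Network Address") for e in evs
                             if e["Event"] == 540), None),
             "privileged": any(e["Event"] == 576 for e in evs),
             "logged_off": any(e["Event"] == 538 for e in evs)}
            for lid, evs in by_id.items()]
```

Counting the sessions where `machine_account` is true against the rest shows how much of the log volume comes from computer accounts rather than interactive users.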
snusgubben

Seems to me that you are monitoring "privilege use". Can you check to see if it is enabled? See my first post. It's called: "Audit privilege use".

Dunno if u have this set in the "default domain policy" or a local policy.
m1ndg4m3

ASKER
Ok I have checked the default domain policy where you specified and all the audit policies are set to 'not defined'.

I checked the default domain controller policy and the following is set...

Audit Account logon events: Success
Audit Account Management: Success, Failure
Audit Logon Events: Success, Failure
Audit Policy Change: Success
Audit System Events

The other options are set to 'not defined'. I have just rechecked the log and there have been over 16000 logon/logoff success audits.
snusgubben

Do you have IIS or MSSQL installed?
m1ndg4m3

ASKER
Yes, but only the versions which come on SBS 2003.