Solved

Looking at the event log - loads of log ons / log offs?  Does that make sense?

Posted on 2008-06-22
Last Modified: 2013-12-05
On an SBS 2003 R2 box, the boss wanted me to monitor a folder to see if a specific employee was accessing the files overnight.  I enabled auditing of any actions for that folder.  Looking in the event log, I could see loads of object access entries for those files during work hours.

But I happened to notice on a day with no access to those files (not sure if he was out with the PC turned on or just didn't use those files), there's loads of logon / logoff event 540 & 538s within seconds, starting at 4:52 and then ending at 4:55PM.  Any thoughts on why there were so many in that short span?
Question by: babaganoosh
2 Comments
 
LVL 19

Accepted Solution

by:
PeteJThomas earned 500 total points
ID: 21845363
To pass on a fair bit of detail regarding this that I've taken from a similar question on EE, which will help explain -

EventID 540:

This event indicates that a remote user has successfully connected from the network to a local resource on the server, generating a token for the network user. For example, mapping a drive to a network share or logging with an account whose profile has a drive mapping would generate this auditing message.

See the Windows Logon Types, Windows Authentication Packages and Windows Logon Processes for information about these fields. Understanding how the logon took place (through what channels) is quite important in understanding this event.

This event may also be reported for builtin accounts. Whenever a user logs in, the associated builtin accounts are also logged in. The HelpAssistant account in Windows XP is one such account. Even if the Remote Assistance Service is disabled, the account will still log in. This is not a potential security violation as the HelpAssistant account itself is disabled.

EventID 538:

This event indicates a user logged off. The corresponding logon event (528) can be found by comparing the <logon id> field.
A logon id (logon identifier or LUID) identifies a logon session. A logon ID is valid until the user logs off. A logon ID is unique while the computer is running; no other logon session will have the same logon ID. However, the set of possible logon IDs is reset when the computer starts up.

A logon id has the following format (0x0, 0x4C37A2) and it is unique for each logon/logoff process.

Events that generate a logoff and their corresponding logon type:
- Interactive logoff will generate logon type 2
- Network logoff will generate logon type 3
- Net use disconnection will generate logon type 3
- Autodisconnect will generate logon type 3

For a list of logon types see the link to the "Windows Logon Types" article.

In many cases, the user listed for this event will be "ANONYMOUS LOGON" from "NT AUTHORITY" domain. This logon is used by processes that use the null session logons (logons that do not require a user/password combination). Any program or service that is using the System user account is in fact logging in with null credentials.
If the operating system encounters a user without any credentials, the user is regarded as having NULL credentials. When the system attempts to access a secured network resource based on NULL credentials, this is referred to as a NULL session. Access is only allowed if the remote machine allows NULL session access. This is configurable through the registry. (See Knowledge Base article M122702 for more information.)
One typical example is a computer that registers itself with the Master Browser for that network segment at startup. This registration will generate several logon/logoffs from "ANONYMOUS USER". Since the registration is renewed by default every 12 minutes, such events will occur at regular intervals.


(this is me again now) So can you explain what user is being shown etc? Is it anonymous?

And is the auditing definitely ONLY being carried out on that one folder, and if so, is it a folder that a lot of people will access? :)

Thanks!

Pete
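The answer above explains that a 538 logoff is tied to its 528/540 logon by the logon ID, and that bursts of logon/logoff pairs can come from automatic activity rather than a person. The script below is an added example (not part of this thread, and not Microsoft's or EE's code) that shows how a defender would check that for themselves: it parses a constructed, simplified one-line-per-event extract of the Security log, pairs each 538 with its 528/540 by logon ID to get session durations, summarises sessions per account and logon type, and flags accounts with many network logons inside a short window. The pipe-separated record layout, the account names, the logon IDs and the timestamps are all assumptions made up for the example; a real export from Event Viewer would need its own parser in `parse_events`. A run of type-3 (network) sessions lasting a second or less, each matching an object-access event, typically reflects the client's SMB connection being made and torn down rather than someone logging on by hand, which is the pattern the original poster is seeing.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample (not real log data) of Security-log records flattened to
# one pipe-separated line per event: timestamp | event id | account |
# logon type | logon id.  528 = interactive logon, 540 = network logon,
# 538 = logoff; the logon id ties a 538 back to its 528/540.
SAMPLE_LOG = r"""
2008-06-18 08:30:00|528|SBSDOM\jsmith|2|(0x0,0x3A1F2)
2008-06-18 16:40:00|540|NT AUTHORITY\ANONYMOUS LOGON|3|(0x0,0x4C1000)
2008-06-18 16:40:00|538|NT AUTHORITY\ANONYMOUS LOGON|3|(0x0,0x4C1000)
2008-06-18 16:52:00|540|NT AUTHORITY\ANONYMOUS LOGON|3|(0x0,0x4C3700)
2008-06-18 16:52:00|538|NT AUTHORITY\ANONYMOUS LOGON|3|(0x0,0x4C3700)
2008-06-18 16:52:01|540|SBSDOM\jsmith|3|(0x0,0x4C37A2)
2008-06-18 16:52:02|538|SBSDOM\jsmith|3|(0x0,0x4C37A2)
2008-06-18 16:52:03|540|SBSDOM\jsmith|3|(0x0,0x4C37B0)
2008-06-18 16:52:03|538|SBSDOM\jsmith|3|(0x0,0x4C37B0)
2008-06-18 16:52:05|540|SBSDOM\jsmith|3|(0x0,0x4C37C4)
2008-06-18 16:52:06|538|SBSDOM\jsmith|3|(0x0,0x4C37C4)
2008-06-18 16:53:10|540|SBSDOM\jsmith|3|(0x0,0x4C3900)
2008-06-18 16:53:11|538|SBSDOM\jsmith|3|(0x0,0x4C3900)
2008-06-18 16:54:02|540|SBSDOM\jsmith|3|(0x0,0x4C3A10)
2008-06-18 16:54:02|538|SBSDOM\jsmith|3|(0x0,0x4C3A10)
2008-06-18 16:55:00|540|SBSDOM\jsmith|3|(0x0,0x4C3B20)
2008-06-18 16:55:01|538|SBSDOM\jsmith|3|(0x0,0x4C3B20)
2008-06-18 16:59:30|538|SBSDOM\jsmith|3|(0x0,0x4C0000)
"""

LOGON_IDS = {528, 540}   # interactive and network logon events
LOGOFF_ID = 538


def parse_events(text):
    """Parse the flattened records into dicts sorted by time, with logons
    ordered before logoffs that share the same timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, user, ltype, lid = line.split("|")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "id": int(eid),
            "user": user,
            "logon_type": int(ltype),
            "logon_id": lid,
        })
    events.sort(key=lambda e: (e["time"], 0 if e["id"] in LOGON_IDS else 1))
    return events


def correlate_sessions(events):
    """Pair each 538 with the 528/540 carrying the same logon id.
    Returns (completed sessions, logons still open at the end of the extract,
    logoffs whose logon is not in the extract)."""
    open_logons, sessions, orphans = {}, [], []
    for e in events:
        if e["id"] in LOGON_IDS:
            open_logons[e["logon_id"]] = e
        elif e["id"] == LOGOFF_ID:
            start = open_logons.pop(e["logon_id"], None)
            if start is None:
                orphans.append(e)      # logon happened before this extract
                continue
            sessions.append({
                "user": start["user"],
                "logon_type": start["logon_type"],
                "logon_id": e["logon_id"],
                "start": start["time"],
                "end": e["time"],
                "seconds": (e["time"] - start["time"]).total_seconds(),
            })
    return sessions, list(open_logons.values()), orphans


def summarize_sessions(sessions):
    """Count sessions and the longest one per (account, logon type)."""
    summary = defaultdict(lambda: {"count": 0, "max_seconds": 0.0})
    for s in sessions:
        entry = summary[(s["user"], s["logon_type"])]
        entry["count"] += 1
        entry["max_seconds"] = max(entry["max_seconds"], s["seconds"])
    return dict(summary)


def find_bursts(events, window_seconds=180, threshold=5):
    """Slide a window over each account's logon times and report the densest
    window that reaches `threshold` logons within `window_seconds`."""
    times_by_user = defaultdict(list)
    for e in events:                      # events are already time-sorted
        if e["id"] in LOGON_IDS:
            times_by_user[e["user"]].append(e["time"])
    bursts = []
    for user, times in times_by_user.items():
        left, best = 0, None
        for right, t in enumerate(times):
            while (t - times[left]).total_seconds() > window_seconds:
                left += 1
            count = right - left + 1
            if count >= threshold and (best is None or count > best["count"]):
                best = {"user": user, "start": times[left], "end": t, "count": count}
        if best is not None:
            bursts.append(best)
    return bursts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    done, still_open, orphans = correlate_sessions(evs)
    for (user, ltype), info in summarize_sessions(done).items():
        print(f"{user} type {ltype}: {info['count']} sessions, "
              f"longest {info['max_seconds']:.0f}s")
    print(f"{len(still_open)} logon(s) without logoff, "
          f"{len(orphans)} logoff(s) without logon")
    for b in find_bursts(evs):
        print(f"burst: {b['user']} {b['count']} logons between "
              f"{b['start']:%H:%M:%S} and {b['end']:%H:%M:%S}")
```

On the constructed data the interactive 528 at 08:30 stays open (no 538 for it), the two ANONYMOUS LOGON pairs sit 12 minutes apart as the Master Browser note predicts, and the only burst reported is the watched account's six network logons between 16:52:01 and 16:55:00, every one of them lasting a second or less. The window and threshold are parameters so the same check can be tuned to a real server's normal rate before anyone is accused of anything.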

Author Comment

by: babaganoosh
ID: 21845924
Is it anon?  No, it's the user I am watching.  He's logging on / logging off the network many times within seconds.  I know he's not actually doing that - does a 538 / 540 get generated every time a file is accessed or some other activity?