Looking at the event log - loads of log ons / log offs?  Does that make sense?

Posted on 2008-06-22
Last Modified: 2013-12-05
On an SBS 2003 R2 box, the boss wanted me to monitor a folder to see if a specific employee was accessing the files overnight.  I enabled auditing any actions for that folder.  Looking in the event log, I could see loads of object access entries for those files during work hours.

But I happened to notice on a day with no access to those files (not sure if he was out with the PC turned on or just didn't use those files), there's loads of logon / logoff event 540 & 538s within seconds, starting at 4:52 and then ending at 4:55PM.  Any thoughts on why there were so many in that short span?
Question by: babaganoosh

Accepted Solution by: PeteJThomas
To pass on a fair bit of detail regarding this that I've taken from a similar question on EE, which will help explain -

EventID 540:

This event indicates that a remote user has successfully connected from the network to a local resource on the server, generating a token for the network user. For example, mapping a drive to a network share or logging with an account whose profile has a drive mapping would generate this auditing message.

See the Windows Logon Types, Windows Authentication Packages and Windows Logon Processes for information about these fields. Understanding how the logon took place (through what channels) is quite important in understanding this event.

This event may also be reported for builtin accounts. Whenever a user logs in, the associated builtin accounts are also logged in. The HelpAssistant account in Windows XP is one such account. Even if the Remote Assistance Service is disabled, the account will still login. This is not a potential security violation, as the HelpAssistant account itself is disabled.

EventID 538:

This event indicates a user logged off. The corresponding logon event (528) can be found by comparing the <logon id> field.
A logon id (logon identifier or LUID) identifies a logon session. A logon ID is valid until the user logs off. A logon ID is unique while the computer is running; no other logon session will have the same logon ID. However, the set of possible logon IDs is reset when the computer starts up.

A logon id has the following format (0x0, 0x4C37A2) and it is unique for each logon/logoff process.

Events that generate a logoff and their corresponding logon type:
- Interactive logoff will generate logon type 2
- Network logoff will generate logon type 3
- Net use disconnection will generate logon type 3
- Autodisconnect will generate logon type 3

For a list of logon types see the link to the "Windows Logon Types" article.

In many cases, the user listed for this event will be "ANONYMOUS LOGON" from "NT AUTHORITY" domain. This logon is used by processes that use the null session logons (logons that do not require a user/password combination). Any program or service that is using the System user account is in fact logging in with null credentials.
If the operating system encounters a user without any credentials, the user is regarded as having NULL credentials. When the system attempts to access a secured network resource based on NULL credentials, this is referred to as a NULL session. Access is only allowed if the remote machine allows NULL session access. This is configurable through the registry. (See Knowledge Base article M122702 for more information.)
One typical example is a computer that registers itself with the Master Browser for that network segment at startup. This registration will generate several logon/logoffs from "ANONYMOUS USER". Since the registration is renewed by default every 12 minutes, such events will occur at regular intervals.


(this is me again now) So can you explain what user is being shown etc? Is it anonymous?

And is the auditing definitely ONLY being carried out on that one folder, and if so, is it a folder that a lot of people will access? :)

Thanks!

Pete
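As an added illustration (not part of the original thread), the following script applies the correlation the answer describes: it pairs each 538 logoff with its logon by the Logon ID, then reports per account how many sessions were network (type 3) logons and how many lasted only seconds. The input is a constructed flat export of Security log records, and the field layout, account names and Logon IDs are assumptions, not data from the question.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample of a flat Security-log export (not from the original question).
# Fields: timestamp, Event ID, account, Logon Type, Logon ID as written in the event.
SAMPLE_EXPORT = """\
2008-06-20 09:01:00,528,DOMAIN\\jsmith,2,(0x0,0x1A2B3)
2008-06-20 16:52:03,540,DOMAIN\\jsmith,3,(0x0,0x4C37A2)
2008-06-20 16:52:03,538,DOMAIN\\jsmith,3,(0x0,0x4C37A2)
2008-06-20 16:52:07,540,DOMAIN\\jsmith,3,(0x0,0x4C37B9)
2008-06-20 16:52:08,538,DOMAIN\\jsmith,3,(0x0,0x4C37B9)
2008-06-20 16:53:11,540,NT AUTHORITY\\ANONYMOUS LOGON,3,(0x0,0x4C3901)
2008-06-20 16:53:11,538,NT AUTHORITY\\ANONYMOUS LOGON,3,(0x0,0x4C3901)
2008-06-20 16:54:40,540,DOMAIN\\jsmith,3,(0x0,0x4C3A10)
"""
LOGON_EVENTS = {528, 540}  # 528: interactive-style logon, 540: network logon
LOGOFF_EVENT = 538

def parse_export(text):
    """One dict per line; the Logon ID contains a comma, so split at most 4 times."""
    events = []
    for line in text.splitlines():
        ts, event_id, user, logon_type, logon_id = line.split(",", 4)
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "id": int(event_id), "user": user,
                       "type": int(logon_type), "luid": logon_id.strip()})
    return events

def pair_sessions(events):
    """Match each 538 to its logon by Logon ID; 'seconds' is None if never logged off."""
    sessions = {}
    for ev in sorted(events, key=lambda e: e["time"]):  # export order is not guaranteed
        if ev["id"] in LOGON_EVENTS:
            sessions[ev["luid"]] = {"user": ev["user"], "type": ev["type"],
                                    "start": ev["time"], "seconds": None}
        elif ev["id"] == LOGOFF_EVENT and ev["luid"] in sessions:
            s = sessions[ev["luid"]]
            s["seconds"] = (ev["time"] - s["start"]).total_seconds()
    return sessions

def summarise(sessions, short=5):
    """Per account: sessions, network (type 3) ones, ones under `short` seconds, open ones.
    Bursts of very short type-3 sessions typically mean SMB reconnects, not a person."""
    out = defaultdict(lambda: {"sessions": 0, "type3": 0, "short": 0, "open": 0})
    for s in sessions.values():
        row = out[s["user"]]
        row["sessions"] += 1
        row["type3"] += int(s["type"] == 3)
        row["open"] += int(s["seconds"] is None)
        row["short"] += int(s["seconds"] is not None and s["seconds"] < short)
    return dict(out)
```

Run on a real export, a human working in a mapped share shows up as a handful of long type-3 sessions, while a burst of zero- to one-second sessions for the same account points at automatic connect/disconnect activity.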
Author Comment by: babaganoosh
Is it anon?  No, it's the user I am watching.  He's logging on / logging off the network many times within seconds.  I know he's not actually doing that - does a 538 / 540 get generated every time a file is accessed or some other activity?
