Event IDs 538 and 540 are filling up the Security log

We are running an Active Directory domain, originally from a Win2k machine, but have recently upgraded to a Win2008 server.  Both domain controllers are on the network, though the Win2k machine will be upgraded as soon as we get the bugs from the new install worked out.

We have a Windows 2003 Server running terminal services that hosts several applications as well as functions as a file server.

I recently added a new Windows XP SP3 workstation to our domain, replacing an older XP machine.

The XP Workstation maps several drives on the Win2003 machine, one for access to the shared files drive, another for access to a shared application running on the machine.  The client on the XP machine accesses databases and other application files via the mapped drive.

Here's the issue:  the user of the new machine is now logging multiple event IDs 538 and 540 per second.  The old machine did not do this, nor do the other XP workstations that access those drives and run the same application client.  Just the new machine.  This machine was added before the Win2008 DC upgrade, and was logging those events then.

What is causing the new XP machine to log all these events?

Here's a sample of the events:

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            4/24/2010
Time:            8:04:52 AM
User:            XXX\juno
Computer:      TS
Description:
Successful Network Logon:
       User Name:      juno
       Domain:            XXX
       Logon ID:            (0x0,0xD0F5463)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:      
       Logon GUID:      {5a33ce90-179c-633e-f104-5073f41b87dc}
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -
       Source Network Address:      x.x.x.2
       Source Port:      4255
and

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            4/24/2010
Time:            8:04:52 AM
User:            XXX\juno
Computer:      TS
Description:
User Logoff:
       User Name:      juno
       Domain:            XXX
       Logon ID:            (0x0,0xD0F5463)
       Logon Type:      3

There were 18 of these for the 8:04:52 AM time stamp.

I have unmapped and remapped the drives.  Even have a batch file that automatically does this at logon.

Any ideas?  Thank you!
ifbmaysvilleAsked:
 
ifbmaysvilleAuthor Commented:
I finally found a solution to the "Events 538/540 filling up the security log" issue we were experiencing.

It was an issue with the HP Toolbox associated with an HP scanner installed on the client computer.  The toolbox runs a port resolver every 30 seconds that is "leaky" and caused the 538/540 events to log to the file server the client was mapped to.  Used msconfig to turn off hpbpsttp.exe and any other HP utilities running in the background (user did not use the toolbox anyway).  Rebooted, and the 538/540 events ceased.  

I found the solution here:  http://www.certfaq.com/bb/ftopic26525.html

Thanks!

Jerry S.
 
WindowsITAdminCommented:
Hi.
These are auditing events that are configured in the GPOs of the domain. Look probably at the "Default Domain Policy" or any other policy that applies to the computers. See "Computer configuration->Policies->Windows settings->Security settings->Local policies->Audit policies". Probably you have defined some of them, like "Audit account logon events".
I suggest you do not remove them, because they are only information that can help you solve other problems. Simply ignore the events.
They appear in the new XP probably because SP3 adds some auditing features over the first release.

Hope this helps.
 
ifbmaysvilleAuthor Commented:
Thanks for the reply.  There has to be something wrong in that the original machine for that user did not log all these events, and none of the other machines mapping to this Win2003 server do either.

Looking at the logs again, the logon/logoffs are enacted by 2 different processes:

Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      XXX01-MV

and

Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:      

Notice when Kerberos is the process, the workstation name does not appear.  Both of these processes are used in the same time stamp cycle.

I cannot turn off logging for these events.  We are required to audit them.  It is not easy to ignore, as I have to clear this log about every other day.

The original machine was also running XP SP3, so that should not be the issue, though configuration might be.
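The observations above (18 events in one second, two logon processes in the same cycle, the same Logon ID appearing in a 540 and then a 538) are exactly the fields a defender would aggregate before touching audit policy. The script below is an added example, not part of the original thread: it parses the Windows 2003 text export layout quoted in the question, pairs each 540 with its 538 by Logon ID, and counts events per second, per logon process and per source address, so one noisy client stands out from normal file-server traffic. The embedded events are constructed from the page's layout; XXX\juno, TS, XXX01-MV, the Logon IDs and the x.x.x.* addresses are placeholders.

```python
"""Triage Windows 2003-style 538/540 security events exported as text."""
import re
from collections import Counter

# Constructed sample events in the Windows 2003 export layout (values made up;
# XXX\juno, x.x.x.2 and x.x.x.7 are placeholders, not real accounts or hosts).
LOGON_TMPL = """Event Type:      Success Audit
Event ID:      540
Date:            4/24/2010
Time:            {time}
User:            XXX\\juno
Description:
Successful Network Logon:
       User Name:      juno
       Logon ID:            {lid}
       Logon Type:      3
       Logon Process:      {proc}
       Authentication Package:      {pkg}
       Workstation Name:      {wkst}
       Source Network Address:      {src}
       Source Port:      {port}
"""
LOGOFF_TMPL = """Event Type:      Success Audit
Event ID:      538
Date:            4/24/2010
Time:            {time}
User:            XXX\\juno
Description:
User Logoff:
       User Name:      juno
       Logon ID:            {lid}
       Logon Type:      3
"""

def build_sample():
    """Three logon/logoff pairs in one second from x.x.x.2 (Kerberos and NTLM),
    plus one logon from x.x.x.7 a second later that has not logged off yet."""
    rows = [("8:04:52 AM", "(0x0,0xD0F5463)", "Kerberos", "Kerberos", "", "x.x.x.2", 4255),
            ("8:04:52 AM", "(0x0,0xD0F5470)", "NtLmSsp", "NTLM", "XXX01-MV", "x.x.x.2", 4256),
            ("8:04:52 AM", "(0x0,0xD0F5481)", "Kerberos", "Kerberos", "", "x.x.x.2", 4257),
            ("8:04:53 AM", "(0x0,0xD0F5499)", "Kerberos", "Kerberos", "", "x.x.x.7", 1201)]
    chunks = []
    for time, lid, proc, pkg, wkst, src, port in rows:
        chunks.append(LOGON_TMPL.format(time=time, lid=lid, proc=proc, pkg=pkg,
                                        wkst=wkst, src=src, port=port))
        if src == "x.x.x.2":  # only the noisy client logs off again immediately
            chunks.append(LOGOFF_TMPL.format(time=time, lid=lid))
    return "\n".join(chunks)

# "Name:   value" lines; the non-greedy key stops at the first colon, so
# "Time: 8:04:52 AM" keeps its value intact and "Workstation Name:" yields "".
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")

def parse_events(text):
    """Split the export on 'Event Type:' and collect the fields of each event."""
    events, current = [], None
    for line in text.splitlines():
        if line.startswith("Event Type:"):
            current = {}
            events.append(current)
        if current is None or not line.strip():
            continue
        m = FIELD_RE.match(line)
        if m:
            current.setdefault(m.group(1), m.group(2))  # first occurrence wins
    return events

def summarize(events):
    """Count 538/540 per second, per logon process and per source, and pair
    every 538 with the 540 that carries the same Logon ID."""
    per_second, per_process, per_source = Counter(), Counter(), Counter()
    open_logons, paired = {}, 0
    for ev in events:
        eid, lid = ev.get("Event ID"), ev.get("Logon ID")
        if eid not in ("538", "540"):
            continue
        per_second[(ev.get("Date"), ev.get("Time"))] += 1
        if eid == "540":
            per_process[ev.get("Logon Process", "?")] += 1
            per_source[ev.get("Source Network Address", "?")] += 1
            open_logons[lid] = ev
        elif lid in open_logons:  # a 538 closes the matching 540
            paired += 1
            del open_logons[lid]
    return {"per_second": per_second, "per_process": per_process,
            "per_source": per_source, "paired": paired,
            "still_open": sorted(open_logons)}

def noisy_seconds(summary, threshold=10):
    """Timestamps with more 538/540 events than the threshold (the thread saw 18)."""
    return sorted(ts for ts, n in summary["per_second"].items() if n > threshold)

if __name__ == "__main__":
    s = summarize(parse_events(build_sample()))
    print("logon processes:", dict(s["per_process"]))
    print("sources:", dict(s["per_source"]))
    print("paired logon/logoff:", s["paired"], "still open:", s["still_open"])
    print("noisy seconds (>4):", noisy_seconds(s, threshold=4))
```

Run it against a real export by replacing `build_sample()` with the file contents; a single source address dominating `per_source` while the paired count tracks the logon count is the signature of a client that opens and closes a session per request, which is the pattern the asker eventually traced to a background utility on one workstation.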
 
WindowsITAdminCommented:
Well, AD uses Kerberos as the default authentication method but it also supports NTLM. It's very strange that your machine uses the 2 methods...
Look at the local policy settings, if something is configured just disable it.

Hope this helps.
 
ifbmaysvilleAuthor Commented:
I'm sorry, your suggestion is confusing.  I am to disable "something" under the local policy settings?  Do you mean anything?  On which machine: the server, the XP machine, or both?  Does not the GPO override local policy settings?  There are 3 groups under "Local Policy" on the Win2003 server:  audit, user rights, and security:  Disable everything?
 
WindowsITAdminCommented:
Hello.
Sorry, I suggest disabling anything in the Audit Policies of the client machine, not the server. GPOs override the settings if they are configured in both the GPO and the Local Policy, but if they are only configured in the local policy then they apply to the user.
If there is nothing configured in Audit Policy in the Local Policy of the client machine, I don't know how it is applying to your user.

Hope this helps.
 
ifbmaysvilleAuthor Commented:
Here's another observation:  the workstation seems to be continually logging on and off, perhaps when the client tries to access the application files on the server.  If the drives are mapped, why would it need to keep logging on and off?

Side note:  auditing was configured on the previous machine, and is configured on all the other machines that access this server, yet this new machine is the only one that is continually logging on and off, filling up the security log.
 
ifbmaysvilleAuthor Commented:
Tried removing the machine from the domain, then rejoining.  This also did not work.  Still filling the security log with 538 and 540 events.
 
ifbmaysvilleAuthor Commented:
Still working on this issue.  Looking at the logs again, I thought perhaps the machine was logging on as a local user on the client machine.  I went to the client machine and deleted all local user accounts, save for admin.  This did not affect users as they log in with domain accounts.  Unfortunately, this did not work either.

I suppose if there are no more suggestions, deleting the question would be fine, as a solution was not found.  May resubmit later.