windows security auditing events 4624 4625 4634 type 3 continually appear in logs for any user

At any time of day or night, the Windows Security Auditing events 4624, 4625, and 4634 (logon/failure/logoff) appear in the logs. They are all type 3 (network) attempts, and approximately 8 messages of each type appear within the same microsecond every second for different users. Does anyone know if this is expected Windows AD behaviour? I don't want to disable auditing these Windows Security events so I don't lose the detail of any malicious activity.
thanks,
Wes
Wes asked:
gheist commented:
Can you post samples of log entries?
Jackie Man commented:
http://m.windowsecurity.com/articles-tutorials/misc_network_security/Logon-Types.html

From the above link, it says:

Windows logs logon type 3 in most cases when you access a computer from elsewhere on the network. One of the most common sources of logon events with logon type 3 is connections to shared folders or printers. But other over-the-network logons are classed as logon type 3 as well such as most logons to IIS. (The exception is basic authentication which is explained in Logon Type 8 below.)

Are the audit logs taken from a server or a workstation?

It may be normal: when the network connection is disconnected after the workstation has been idle for a long time during the night, the workstation will try to access the network share again.
btan (Exec Consultant) commented:
4624 - Successful logon: A user successfully logged on to a computer.
4625 - Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password. For Windows 2008 and above, event ID 4625 logs every failed logon attempt with failure status code regardless of logon type or type of account.
4634 - The logoff process was completed for a user.

For logon type 3, one of the most common sources is connections to shared folders or printers. Other over-the-network logons can be tagged as logon type 3 too, especially for systems acting as web servers like IIS. But in general, if both the account logon and logon/logoff audit policy categories are enabled, logons that use a domain account generate a logon or logoff event on the workstation or server, and generate an account logon event on the domain controller. It should be expected; there can be factors such as:

- Fake "Anomalous" events such as no Account Logoff authentication event on the domain controller, since a user can close the session for the day in many different ways, such as putting the machine to sleep, turning it off, a system crash, etc.

- Fake "Anomalous" events such as some logoff events being logged much later than the time at which they actually occur. This may happen if a user turns off his/her computer: Windows does not have an opportunity to log the logoff event until the system restarts. Therefore, if the computer is shut down or loses network connectivity it may not record a logoff event at all.

- True "Anomalous" events, where you need to also correlate the log with other events such as shutdown time, startup time, unlock time, etc. to determine the effective login session. The logon types in those events determine the unlocks, interactive logons, locks, etc.; for example, a type 7 logoff event is a lock and a type 7 logon is an unlock. This helps to ascertain if it is the norm.

Regardless, it is better to benchmark against the norm you see for a few days, as it may also be due to changes to the machine, which is doing new updates, mapping to a network drive, services backing up based on a scheduled task, etc. Tough to say whether it is a false or true positive of attacks.
Wes (Author) commented:
Most of the 4625 events are to the Print1 server; here is an example out of 594 separate attempts within a 4-hour period.

%NICWIN-4-Security_4625_Microsoft-Windows-Security-Auditing: Security,rn=570338369 cid=0x00003100 eid=0x00001211,Fri Nov 20 15:55:27 2015,4625,Microsoft-Windows-Security-Auditing,None,Failure Audit,Print1.xxxxx.xxx,Logon,,An account failed to log on.  Subject:  Security ID:  /NULL SID   Account Name:  -   Account Domain:  -   Logon ID:  0x0   Logon Type:   3   Account For Which Logon Failed:  Security ID:  /NULL SID   Account Name:  xxxxxxxx   Account Domain:  xxxxx   Failure Information:  Failure Reason:  An Error occured during Logon.   Status:   0xc00002ee   Sub Status:  0x0   Process Information:  Caller Process ID: 0x0   Caller Process Name: -   Network Information:  Workstation Name: -   Source Network Address: -   Source Port:  -   Detailed Authentication Information:  Logon Process:  Kerberos   Authentication Package: Kerberos   Transited Services: -   Package Name (NTLM only): -   Key Length:  0   This event is generated when a logon request fails. It is generated on the computer where access was attempted.  The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.  The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).  The Process Information fields indicate which account and process on the system requested the logon.  The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.  The authentication information fields provide detailed information about this specific logon request.  - Transited services indicate which intermediate services have participated in this logon request.  - Package name indicates which sub-protocol was used among the NTLM protocols.  - Key length i
btan (Exec Consultant) commented:
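As an added example (not code from the thread or its participants): a small Python parser for event lines in the syslog-forwarded layout Wes quoted, which counts 4625 failures per target host, account and NTSTATUS code and flags seconds in which one event ID bursts on one host, the kind of baseline btan recommends building over a few days. The sample lines, hostnames and account names are constructed placeholders.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the syslog-forwarded layout of the 4625 event quoted above
# (message text shortened; hosts and accounts are placeholders, not real data).
SAMPLE_LOG = """\
%NICWIN-4-Security_4625_Microsoft-Windows-Security-Auditing: Security,rn=1 cid=0x1 eid=0x1211,Fri Nov 20 15:55:27 2015,4625,Microsoft-Windows-Security-Auditing,None,Failure Audit,Print1.example.test,Logon,,An account failed to log on. Subject: Security ID: /NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: /NULL SID Account Name: alice Account Domain: EXAMPLE Failure Information: Failure Reason: An Error occured during Logon. Status: 0xc00002ee Sub Status: 0x0 Detailed Authentication Information: Logon Process: Kerberos
%NICWIN-4-Security_4625_Microsoft-Windows-Security-Auditing: Security,rn=2 cid=0x1 eid=0x1211,Fri Nov 20 15:55:27 2015,4625,Microsoft-Windows-Security-Auditing,None,Failure Audit,Print1.example.test,Logon,,An account failed to log on. Subject: Account Name: - Logon Type: 3 Account For Which Logon Failed: Account Name: bob Account Domain: EXAMPLE Status: 0xc00002ee Sub Status: 0x0
%NICWIN-4-Security_4624_Microsoft-Windows-Security-Auditing: Security,rn=3 cid=0x1 eid=0x1210,Fri Nov 20 15:55:28 2015,4624,Microsoft-Windows-Security-Auditing,None,Success Audit,Print1.example.test,Logon,,An account was successfully logged on. Subject: Account Name: - Logon Type: 3 New Logon: Account Name: carol Account Domain: EXAMPLE Logon ID: 0x5d1c2
%NICWIN-4-Security_4625_Microsoft-Windows-Security-Auditing: Security,rn=4 cid=0x1 eid=0x1211,Fri Nov 20 15:55:29 2015,4625,Microsoft-Windows-Security-Auditing,None,Failure Audit,FS1.example.test,Logon,,An account failed to log on. Subject: Account Name: - Logon Type: 3 Account For Which Logon Failed: Account Name: dave Account Domain: EXAMPLE Status: 0xc000006d Sub Status: 0xc000006a
"""

def parse_line(line):
    """Parse one forwarded Security event line; return None if it is not one."""
    head, sep, body = line.partition(": ")
    if not sep or not head.startswith("%NICWIN-"):
        return None
    fields = body.split(",", 10)  # field 10 is the free-text message, which contains commas
    if len(fields) < 11:
        return None
    msg = fields[10]
    logon_type = re.search(r"Logon Type:\s*(\d+)", msg)
    # Last "Account Name:" is the account that logged on/failed/logged off; the first is the Subject.
    names = re.findall(r"Account Name:\s*(\S+)", msg)
    status = re.search(r"(?<!Sub )Status:\s*(0x[0-9A-Fa-f]+)", msg)
    return {
        "when": datetime.strptime(fields[2].strip(), "%a %b %d %H:%M:%S %Y"),
        "event_id": int(fields[3]),
        "host": fields[7].strip(),
        "logon_type": int(logon_type.group(1)) if logon_type else None,
        "account": names[-1] if names else None,
        "status": status.group(1).lower() if status else None,
    }

def failure_summary(text):
    """Count 4625 (failed logon) events per (target host, account, NTSTATUS code)."""
    counts = Counter()
    for ev in filter(None, map(parse_line, text.splitlines())):
        if ev["event_id"] == 4625:
            counts[(ev["host"], ev["account"], ev["status"])] += 1
    return counts

def per_second_bursts(text, threshold):
    """Return (host, event_id, second) keys with more than `threshold` events in one second."""
    per_sec = Counter()
    for ev in filter(None, map(parse_line, text.splitlines())):
        per_sec[(ev["host"], ev["event_id"], ev["when"])] += 1
    return {key: n for key, n in per_sec.items() if n > threshold}
```

Run over a day or two of forwarded lines, the per-host status breakdown separates a recurring 0xc00002ee from a particular print server (as in Wes's sample) from credential-related failures that deserve a closer look.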
Wondering if there are some shared (SMB-based) printer drives where the permission is insufficient, hence the failed logon. One of the most common sources of logon events with logon type 3 is connections to shared folders or printers. I'm thinking Windows Workgroup logons, printer and file sharing. In the past, I have seen machines connected to the "Home network" attempt to log on to each other for their respective workgroup. They are not in a domain, and most of the time it needs accounts and passwords set up on each machine.
btan (Exec Consultant) commented:
Proposed that the question can be addressed based on the common printer shares that are not domain joined, hence leading to strings of unnecessary security events.
btan (Exec Consultant) commented:
Provided common cause for the events observed.