Solved

MS Windows security auditing

Posted on 2016-11-05
11 Comments, 41 Views
Last Modified: 2016-11-29
Can someone explain to me what "Microsoft Windows security auditing" is?  I've been having odd moments of machine hanging on me (again); not terrible, but annoying.  I've been watching things with Event Viewer.  I find that for the past week or so, in a seven day period I have as many as 29,000 or more of these security audits. Over 4000 a day.  This must take up some processor time, and perhaps is the source of these hangups.  Regardless, I'd like to know what they are, and why I have so many of them.  I tried to upload the evtx file, but it didn't work (Probably too big.) Thanks for your counsel on this issue.

dan
Question by:Dan Moerman
11 Comments
 
LVL 77

Assisted Solution

by:arnold
arnold earned 100 total points (awarded by participants)
ID: 41875701
Security audit deals with making sure what accounts you have that have elevated rights or elevated access.
Same applies to making sure that only the essential services are running on the system/s.
0
 
LVL 63

Assisted Solution

by:btan
btan earned 350 total points (awarded by participants)
ID: 41875813
Auditing is mostly to help you track events for alerting on anomalous activities and also for audit compliance for the log storage requirements.

For example, most use Windows security and system logs to create a security events tracking system, to record and store network activities that are associated with potentially harmful behaviors, and to mitigate those risks.

Indeed it can be noisy if you are going for all audit trails; it needs to be tuned to what is required, such as logon activities to detect unauthorised attempts, etc.

You can find the settings located under GPO for Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy

You will find a number of policies where you can configure either Success or Failure. Account Logon Events audits when other people succeed or fail when attempting to log onto the domain. Logon Events audits when someone succeeds or fails at logging onto the Domain Controller.

Most companies retain their security logs for auditing and historical purposes. Clearing the logs without making a backup could be considered a poor practice depending on what your company's standards are.
You can check out the best practice recommended by Microsoft and customise as required. Good to get your security team, if any, to advise as it may be for compliance needs.

https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations
0
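The GPO path above sets the legacy categories; on a current Windows machine the effective policy is expressed as advanced subcategories, and event 4672 comes from the "Special Logon" subcategory while 4624/4634 come from "Logon" and "Logoff". The script below is an added example, not code posted in this thread, for checking what is actually in force before touching anything. It assumes an elevated PowerShell prompt and uses only auditpol.exe, which ships with Windows; the function name Get-AuditSubcategory is my own.

```powershell
# Added example (not from the original thread): inspect the effective audit
# policy for the Logon/Logoff category and map it to the subcategories that
# produce the events discussed here. Run from an elevated PowerShell prompt.

function Get-AuditSubcategory {
    # Wrapper (my own name) around auditpol's CSV output (/r) so the policy can
    # be filtered like objects instead of read as text.
    param([string]$Category = 'Logon/Logoff')
    auditpol.exe /get /category:$Category /r |
        ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}

# Which subcategories are on, and whether Success, Failure or both are logged.
Get-AuditSubcategory | Format-Table -AutoSize

# The three subcategories behind the event IDs in this thread:
#   Logon         -> 4624 (logon success) / 4625 (logon failure)
#   Logoff        -> 4634
#   Special Logon -> 4672 (admin-equivalent privileges assigned at logon)
Get-AuditSubcategory |
    Where-Object { $_.Subcategory -in 'Logon', 'Logoff', 'Special Logon' }

# Example tuning, left commented out because a domain GPO will override local
# changes and because 4672 is often worth keeping (see the usage note):
# auditpol.exe /set /subcategory:"Logon"  /success:enable /failure:enable
# auditpol.exe /set /subcategory:"Logoff" /success:enable /failure:disable
```

If the machine is domain-joined, compare the output with the GPO before concluding that a local setting is responsible. From a monitoring standpoint, 4672 is the cheapest way to see every logon that received administrator-equivalent rights, so the better response to a flood of them is usually to find the account and process generating them rather than to switch the subcategory off.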
 
LVL 54

Expert Comment

by:McKnife
ID: 41876038
Just quote (copy and paste) one of those events so that we know what you are talking about.
0
 

Author Comment

by:Dan Moerman
ID: 41876077
Here is a snip of the Events Viewer, plus, below it, the info from clicking on the top (most recent) item.

Capture.JPG
0
 
LVL 63

Assisted Solution

by:btan
btan earned 350 total points (awarded by participants)
ID: 41876141
For the 4672 event, it comes from anything requiring special privileges for logon events. Examples include running a scheduled task with administrator privileges, an application that has been run as administrator, or just logging on with an administrator account, etc. In short, this event lets you know whenever an account assigned any "administrator equivalent" user rights logs on.

You will probably be seeing 4624 (logon) and 4634 (logoff) events for the administrative account too. They are in close proximity to event 4672 for logon events specifically for administrators who have most of these admin-equivalent rights.

You should review whether it needs to be so verbose. You will probably just need 4624 and 4634. But what I find strange is why there are so many 4672, and this should be drilled further on root cause, if this happened recently.
0
 

Author Comment

by:Dan Moerman
ID: 41876156
I have looked closer.  What seems to be happening is that I get either a 2-item burst, or a 4-item burst. The two item burst is a 2624 followed by a 4672; a 4-item burst is two 2-item bursts.  I've attached a small group of 16 items in a .evtx file which, I think, should be readable here. Click and see. . .  Well, I can't do it.  The extension is not allowed.  I'm not sure what to do.  I don't understand why I'm getting so many of these things.
0
 
LVL 77

Expert Comment

by:arnold
ID: 41876277
To which account does/do the event/events apply? What are the types indicated?

The attachment portion has a limit on the types (based on suffix: .txt, etc.) that can be attached, or you forgot the attachment.
0
 

Author Comment

by:Dan Moerman
ID: 41877054
Types indicated in the most recent 30 events are these:

DANS2014DESKTOP    20
- (NULL)            3
ANONYMOUS LOGIN     3
SYSTEM              3

I did include the attachment; an error message advised me that the type (.evtx) was not allowed.
0
 
LVL 63

Assisted Solution

by:btan
btan earned 350 total points (awarded by participants)
ID: 41877206
I would say that this is due to the SYSTEM account, which every couple of seconds tries to log on. It is perfectly normal. It is also any "super user" account with such privileged rights that logs on, for any server or application accounts logging on as a batch job (scheduled task) or system service. If you see a 4624 with logon type 3 for interactive, it is a remote logon. But to see advice:
The presence of machine account name most likely corresponds to the "System" account activity. This is normal behavior for the system account. You may or may not want to drop these events depending on how badly you need to save space for logs. System activity can be very important to track because a compromised machine can display anomalous system account activity so the choice is up to you.
0
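Both of btan's replies above come down to the same question: which account, logon type and process are behind each 4672, and is it the SYSTEM account cycling or something else? The script below is an added example, not code from this thread, that answers it by joining each 4672 to the 4624 that created the same logon session (the 4672 SubjectLogonId equals the 4624 TargetLogonId). It assumes an elevated prompt, reads the live Security log or a saved .evtx export, and the function name Get-PrivilegedLogonSummary is my own.

```powershell
# Added example (not from the original thread): summarise 4672 "special
# privileges assigned" events by the account, logon type, process and source
# of the 4624 logon they belong to, so bursts can be traced to a cause.
# Assumes an elevated prompt; pass -Path to read a saved .evtx instead.

function Get-PrivilegedLogonSummary {
    param(
        [string]$Path,          # optional saved .evtx export (hypothetical path in usage below)
        [int]$Hours = 24,       # look-back window for the live log
        [int]$MaxEvents = 20000
    )

    $filter = @{ LogName = 'Security'; Id = 4624, 4672 }
    if ($Path) {
        $filter = @{ Path = $Path; Id = 4624, 4672 }
    } else {
        $filter.StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop

    # Flatten each event's EventData XML into a name -> value table.
    $parsed = foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{ Id = $e.Id; Time = $e.TimeCreated; Data = $d }
    }

    # Index the 4624 logons by the session id they created.
    $logons = @{}
    foreach ($p in ($parsed | Where-Object Id -eq 4624)) {
        $logons[$p.Data['TargetLogonId']] = $p
    }

    # Join each 4672 to its logon and count the distinct combinations.
    $parsed | Where-Object Id -eq 4672 | ForEach-Object {
        $l = $logons[$_.Data['SubjectLogonId']]
        [pscustomobject]@{
            Account   = "$($_.Data['SubjectDomainName'])\$($_.Data['SubjectUserName'])"
            LogonType = if ($l) { $l.Data['LogonType'] }   else { '?' }  # 2 interactive, 3 network, 4 batch, 5 service
            Process   = if ($l) { $l.Data['ProcessName'] } else { '?' }
            Source    = if ($l) { $l.Data['IpAddress'] }   else { '?' }
        }
    } |
        Group-Object Account, LogonType, Process, Source |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Live Security log, last 24 hours:
Get-PrivilegedLogonSummary | Format-Table -AutoSize
# A saved export, e.g. the file the author tried to attach (hypothetical path):
# Get-PrivilegedLogonSummary -Path 'C:\temp\security.evtx' | Format-Table -AutoSize
```

A "?" in the LogonType column means the matching 4624 fell outside the window or the MaxEvents cap, so widen either before drawing conclusions. If the top row is the machine account or SYSTEM with logon type 5 (service) or 0, that is the background activity described above; a high count for a user account with type 3 (network) from an address you do not recognise, or type 4 (batch) from an unfamiliar scheduled task, is the case worth drilling into rather than silencing.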
 

Accepted Solution

by:Dan Moerman
Dan Moerman earned 50 total points (awarded by participants)
ID: 41882874
I've independently gotten information suggesting that this issue may be related to a problem in the OS.  I will probably have to refresh or reset Windows 10.  I'll let you know how it goes.

dan
0
 
LVL 63

Expert Comment

by:btan
ID: 41905438
As per advice by author.
0
