Solved

MS Windows security auditing

Posted on 2016-11-05
Last Modified: 2016-11-29
Can someone explain to me what "Microsoft Windows security auditing" is?  I've been having odd moments of machine hanging on me (again); not terrible, but annoying.  I've been watching things with Event Viewer.  I find that for the past week or so, in a seven day period I have as many as 29,000 or more of these security audits. Over 4000 a day.  This must take up some processor time, and perhaps is the source of these hangups.  Regardless, I'd like to know what they are, and why I have so many of them.  I tried to upload the evtx file, but it didn't work (Probably too big.) Thanks for your counsel on this issue.

dan
Question by: Dan Moerman
11 Comments
 
LVL 77

Assisted Solution

by:arnold
arnold earned 100 total points (awarded by participants)
ID: 41875701
Security audit deals with making sure what accounts you have that have elevated rights or elevated access.
Same applies to making sure that only the essential services are running on the system/s.
 
LVL 62

Assisted Solution

by:btan
btan earned 350 total points (awarded by participants)
ID: 41875813
Auditing is mostly to help you track events for alerting on anomalous activities and also for audit compliance for the log storage requirements.

For example, most use Windows security and system logs to create a security events tracking system, to record and store network activities that are associated with potentially harmful behaviors, and to mitigate those risks.

Indeed it can be noisy if you are going for all audit trails; it needs to be tuned to what is required, like cases of logon activities to detect unauthorised attempts, etc.

You can find the settings located under GPO at Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy

You will find a number of policies where you can configure either Success or Failure. Account Logon Events audits when other people succeed or fail when attempting to log onto the domain. Logon Events audits when someone succeeds or fails at logging onto the Domain Controller.

Most companies retain their security logs for auditing and historical purposes. Clearing the logs without making a backup could be considered a poor practice depending on what your company's standards are.
You can check out the best practice recommended by Microsoft and customise as required. It is good to get your security team, if any, to advise, as it may be for compliance needs.

https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations
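As an added example (not from the thread or its participants), the audit-policy review described in the answer above can be done from an elevated PowerShell prompt with the built-in auditpol.exe rather than by clicking through the GPO editor. The subcategory names are the ones Windows uses; the backup path is an assumption.

```powershell
# Added example (not from the thread): review and tune the audit policy that
# produces the Security-log events discussed above. Run as Administrator.
# The GPO path in the answer maps to the same settings; when Advanced Audit
# Policy subcategories are defined they override the legacy category setting.

# 1. Show the current effective setting for every subcategory.
auditpol /get /category:*

# 2. The subcategories behind the events in this thread:
#    4624/4634 come from "Logon"/"Logoff", 4672 from "Special Logon".
auditpol /get /category:"Logon/Logoff"

# 3. Back up the current policy before changing anything (assumed path).
$backup = Join-Path $env:TEMP ("auditpol-{0:yyyyMMdd-HHmm}.csv" -f (Get-Date))
auditpol /backup /file:$backup

# 4. Keep the logon auditing that has detection value: failed logons are the
#    usual minimum, successful ones are what a post-incident timeline needs.
auditpol /set /subcategory:"Logon"  /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable /failure:disable

# 5. Optional, only if the 4672 volume is a real problem: stop auditing
#    successful special logons. Microsoft's baseline keeps this enabled
#    because 4672 is the record of privileged sessions, so prefer filtering
#    at query time over disabling it.
# auditpol /set /subcategory:"Special Logon" /success:disable

# To roll back:  auditpol /restore /file:$backup
```

Changes made with auditpol on a domain-joined machine are overwritten at the next Group Policy refresh if the domain defines the same subcategories, so the lasting fix belongs in the GPO the answer points to.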
 
LVL 54

Expert Comment

by:McKnife
ID: 41876038
Just quote (copy and paste) one of those events so that we know what you are talking about.

 

Author Comment

by:Dan Moerman
ID: 41876077
Here is a snip of the Event Viewer, plus, below it, the info from clicking on the top (most recent) item. (Attachment: Capture.JPG)
 
LVL 62

Assisted Solution

by:btan
btan earned 350 total points (awarded by participants)
ID: 41876141
For the 4672 event, it comes from anything requiring special privileges for logon events. Examples include running a scheduled task with an administrator-privileged logon, an application that has run as administrator, or just logging on with an administrator account, etc. In short, this event lets you know whenever an account assigned any "administrator equivalent" user rights logs on.

You will probably be seeing 4624 (logon) and 4634 (logoff) events for the administrative account too. They are in close proximity to event 4672 for logon events, specifically for administrators who have most of these admin-equivalent rights.

You should review its necessity to be so verbose. You will probably just need 4624 and 4634. But what I find strange is why there are so many 4672, and this should be drilled into further for root cause - if this happened recently.
 

Author Comment

by:Dan Moerman
ID: 41876156
I have looked closer.  What seems to be happening is that I get either a 2-item burst, or a 4-item burst. The two-item burst is a 2624 followed by a 4672; a 4-item burst is two 2-item bursts.  I've attached a small group of 16 items in a .evtx file which, I think, should be readable here. Click and see. . .  Well, I can't do it.  The extension is not allowed.  I'm not sure what to do.  I don't understand why I'm getting so many of these things.
 
LVL 77

Expert Comment

by:arnold
ID: 41876277
To which account(s) do the event(s) apply? What are the types indicated?

The attachment portion has a limit on the types (based on suffix: .txt, etc.) that can be attached. Or you forgot the attachment.
 

Author Comment

by:Dan Moerman
ID: 41877054
Types indicated in the most recent 30 events are these:

- DANS2014DESKTOP: 20
- - (NULL): 3
- ANONYMOUS LOGIN: 3
- SYSTEM: 3

I did include the attachment; an error message advised me that the type (.evtx) was not allowed.
 
LVL 62

Assisted Solution

by:btan
btan earned 350 total points (awarded by participants)
ID: 41877206
I would say that this is due to the SYSTEM account, which every couple of seconds tries to log on. It is perfectly normal. It is also any "super user" account with such privileged rights that is logging on, for any server or application accounts logging on as a batch job (scheduled task) or system service. If you see 4624 with logon type 3 for interactive, it is a remote logon.  But see this advice:
The presence of the machine account name most likely corresponds to the "System" account activity. This is normal behavior for the system account. You may or may not want to drop these events depending on how badly you need to save space for logs. System activity can be very important to track because a compromised machine can display anomalous system account activity, so the choice is up to you.
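As an added example (not from the thread or its participants), the following script measures the 4672/4624/4634 bursts described in the two answers above and breaks them down by account and logon type, so the SYSTEM and machine-account share of the volume can be seen directly instead of estimated from the last 30 entries. It reads the local Security log with Get-WinEvent and must run as Administrator; the field names are the ones in the events' EventData XML, and the $Hours window is an assumption.

```powershell
# Added example (not from the thread): quantify 4672/4624/4634 and find which
# accounts and logon types produce them. Save as a .ps1 and run as Administrator.
param([int]$Hours = 24)   # assumed analysis window

$since = (Get-Date).AddHours(-$Hours)

# One filtered query; FilterHashtable is far faster than piping the whole log.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4634, 4672
    StartTime = $since
} -ErrorAction SilentlyContinue

# The account and session fields live in the EventData XML of each record.
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $xml = [xml]$Record.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    # 4672 names the account in Subject*; 4624/4634 name it in Target*.
    $isSpecial = ($Record.Id -eq 4672)
    [pscustomobject]@{
        Time      = $Record.TimeCreated
        Id        = $Record.Id
        User      = if ($isSpecial) { $h['SubjectUserName'] } else { $h['TargetUserName'] }
        LogonId   = if ($isSpecial) { $h['SubjectLogonId'] }  else { $h['TargetLogonId'] }
        LogonType = $h['LogonType']   # present on 4624/4634 only
    }
}

$rows = $events | ForEach-Object { Get-EventFields $_ }

"=== Events per ID in the last $Hours h ==="
$rows | Group-Object Id | Sort-Object Name |
    Select-Object Name, Count | Format-Table -AutoSize

"=== 4672 (special privileges assigned) per account ==="
$rows | Where-Object Id -eq 4672 | Group-Object User |
    Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize

# Logon types as documented for 4624: 2 interactive, 3 network, 4 batch,
# 5 service, 7 unlock, 10 remote interactive (RDP).
"=== 4624 per account and logon type ==="
$rows | Where-Object Id -eq 4624 | Group-Object User, LogonType |
    Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize

# Correlate: a 4672 carries the same logon ID as the 4624 that created the
# session, which ties the two events of a "2-item burst" together and gives
# the logon type of each privileged session.
$logons = @{}
$rows | Where-Object Id -eq 4624 | ForEach-Object {
    if ($_.LogonId) { $logons[$_.LogonId] = $_ }
}
"=== 4672 sessions with the logon type of their matching 4624 ==="
$rows | Where-Object Id -eq 4672 | ForEach-Object {
    $l = $logons[$_.LogonId]
    [pscustomobject]@{
        Time      = $_.Time
        User      = $_.User
        LogonType = if ($l) { $l.LogonType } else { '(no 4624 in window)' }
    }
} | Group-Object User, LogonType | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

A machine account (the host name followed by `$`) or SYSTEM logging on every few seconds with logon type 5 or 3 is the normal background described above; the rows worth a closer look are privileged (4672) sessions for a named user with an interactive or remote-interactive logon type at a time nobody was at the keyboard.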
 

Accepted Solution

by: Dan Moerman
Dan Moerman earned 50 total points (awarded by participants)
ID: 41882874
I've independently gotten information suggesting that this issue may be related to a problem in the OS.  I will probably have to refresh or reset Windows 10.  I'll let you know how it goes.

dan
 
LVL 62

Expert Comment

by:btan
ID: 41905438
As per advice by author.