Solved

MS Windows security auditing

Posted on 2016-11-05
11
46 Views
Last Modified: 2016-11-29
Can someone explain to me what "Microsoft Windows security auditing" is?  I've been having odd moments of machine hanging on me (again); not terrible, but annoying.  I've been watching things with Event Viewer.  I find that for the past week or so, in a seven day period I have as many as 29,000 or more of these security audits. Over 4000 a day.  This must take up some processor time, and perhaps is the source of these hangups.  Regardless, I'd like to know what they are, and why I have so many of them.  I tried to upload the evtx file, but it didn't work (Probably too big.) Thanks for your counsel on this issue.

dan
0
Question by:Dan Moerman
11 Comments
 
LVL 79

Assisted Solution

by:arnold
arnold earned 100 total points (awarded by participants)
ID: 41875701
Security auditing deals with making sure you know which accounts have elevated rights or elevated access.
The same applies to making sure that only the essential services are running on the system(s).
0
 
LVL 64

Assisted Solution

by:btan
btan earned 350 total points (awarded by participants)
ID: 41875813
Auditing is mostly there to help you track events, to alert on anomalous activity, and to meet audit-compliance requirements for log storage.

For example, most organisations use the Windows Security and System logs to build a security event tracking system: to record and store network activity associated with potentially harmful behaviour, and to mitigate those risks.

Indeed, it can be noisy if you enable every audit trail; it needs to be tuned to what is required, e.g. logon activity to detect unauthorised attempts, etc.

You can find the settings in the GPO under Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy.

You will find a number of policies where you can configure either Success or Failure. Account Logon Events audits when other people succeed or fail when attempting to log onto the domain. Logon Events audits when someone succeeds or fails at logging onto the Domain Controller.

Most companies retain their security logs for auditing and historical purposes. Clearing the logs without making a backup could be considered poor practice, depending on what your company's standards are.
You can check out the best practice recommended by Microsoft and customise as required. It is good to get your security team, if you have one, to advise, as it may be needed for compliance.

https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations
0
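Before turning policies off in the GPO, it helps to see which audit subcategory is actually producing the volume. The following is an added example, not code from the original thread; it assumes an elevated PowerShell session on the noisy machine and looks at the local Security log for the last seven days (the window the question mentions). The `auditpol /set` lines at the end are deliberately commented out: they change the effective policy and should be agreed with whoever owns compliance first.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# on the machine whose Security log is noisy; reading the Security log and
# changing audit policy both require administrator rights.

# 1. Effective audit policy. auditpol shows the advanced (subcategory) settings,
#    which are what actually decide which event IDs get written.
auditpol /get /category:*

# 2. Which event IDs dominate the Security log over the last 7 days?
$days   = 7
$since  = (Get-Date).AddDays(-$days)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $since }

$events |
    Group-Object Id |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name,
        @{ Name = 'PerDay'; Expression = { [math]::Round($_.Count / $days, 1) } } |
    Format-Table -AutoSize

# 3. Which audit subcategory each ID belongs to. TaskDisplayName on the record is
#    the subcategory name (for example "Special Logon" for 4672, "Logon" for 4624),
#    i.e. the exact name auditpol expects.
$events |
    Group-Object TaskDisplayName |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 4. Tuning. Keep Logon success+failure (4624/4625) so unauthorised attempts are
#    still recorded; drop Special Logon success only if step 3 shows it is pure
#    background noise on this host and your security/compliance owner agrees.
#    Uncomment to apply:
# auditpol /set /subcategory:"Logon" /success:enable /failure:enable
# auditpol /set /subcategory:"Special Logon" /success:disable
```

Step 3 is the useful bridge between Event Viewer and the policy editor: the subcategory name it prints is what you look for in the Advanced Audit Policy Configuration node (or pass to `auditpol`), rather than guessing which of the legacy nine categories an event ID belongs to.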
 
LVL 55

Expert Comment

by:McKnife
ID: 41876038
Just quote (copy and paste) one of those events so that we know what you are talking about.
0
 

Author Comment

by:Dan Moerman
ID: 41876077
Here is a snip of the Event Viewer, plus, below it, the info from clicking on the top (most recent) item. Capture.JPG
0
 
LVL 64

Assisted Solution

by:btan
btan earned 350 total points (awarded by participants)
ID: 41876141
For the 4672 event, it comes from anything requiring special privileges for logon. Examples include running a scheduled task with an administrator logon, an application that has been run as administrator, or just logging on with an administrator account, etc. In short, this event lets you know whenever an account assigned any "administrator equivalent" user rights logs on.

You will probably be seeing 4624 (logon) and 4634 (logoff) events for the administrative account too. They are in close proximity to event 4672 for logon events, specifically for administrators who have most of these admin-equivalent rights.

You should review whether it is necessary to be so verbose. You will probably just need 4624 and 4634. But what I find strange is why there are so many 4672s, and this should be drilled into further for root cause, if it started recently.
0
 

Author Comment

by:Dan Moerman
ID: 41876156
I have looked closer.  What seems to be happening is that I get either a 2-item burst, or a 4-item burst. The two-item burst is a 2624 followed by a 4672; a 4-item burst is two 2-item bursts.  I've attached a small group of 16 items in a .evtx file which, I think, should be readable here. Click and see. . .  Well, I can't do it.  The extension is not allowed.  I'm not sure what to do.  I don't understand why I'm getting so many of these things.
0
 
LVL 79

Expert Comment

by:arnold
ID: 41876277
To which account does/do the event/events apply. What are the types indicated?

The attachment feature has a limit on the file types (based on suffix, .txt etc.) that can be attached, or you forgot the attachment.
0
 

Author Comment

by:Dan Moerman
ID: 41877054
Types indicated in the most recent 30 events are these:
DANS2014DESKTOP   20
- (NULL)           3
ANONYMOUS LOGIN    3
SYSTEM             3

I did include the attachment; an error message advised me that the type (.evtx) was not allowed.
0
 
LVL 64

Assisted Solution

by:btan
btan earned 350 total points (awarded by participants)
ID: 41877206
I would say that this is due to the SYSTEM account, which every couple of seconds tries to log on. It is perfectly normal. It is also any "super user" account with such privileged rights that logs on, for any server or application accounts logging on as a batch job (scheduled task) or system service. If you see a 4624 with logon type 3 for interactive, it is logging on remotely. But see this advice:
The presence of machine account name most likely corresponds to the "System" account activity. This is normal behavior for the system account. You may or may not want to drop these events depending on how badly you need to save space for logs. System activity can be very important to track because a compromised machine can display anomalous system account activity so the choice is up to you.
0
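The two answers above make the practical point: a 4672 on its own says only that a privileged token was issued, and the interesting details (which account, which logon type, which process, which source address) live in the 4624 of the same logon session. The added example below (not code from the original thread) pairs them up by logon ID and summarises the result, so machine-account and SYSTEM activity can be separated from human administrator logons. It assumes an elevated PowerShell session on the affected host and looks at the last 24 hours; the logon type numbers are the ones Microsoft documents for event 4624 (2 = Interactive, 3 = Network, 10 = RemoteInteractive/RDP, 5 = Service, 4 = Batch).

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on
# the affected host. Pairs each 4672 (special privileges assigned to new logon)
# with the 4624 (logon) of the same session and shows who, how and from where.

function Get-EventField {
    # Pull one named <Data Name="..."> value out of an event's EventData XML.
    param(
        [System.Diagnostics.Eventing.Reader.EventLogRecord]$Event,
        [string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Logon type numbering as documented for event 4624.
$logonTypeName = @{
    '0'  = 'System'
    '2'  = 'Interactive'
    '3'  = 'Network'
    '4'  = 'Batch'
    '5'  = 'Service'
    '7'  = 'Unlock'
    '8'  = 'NetworkCleartext'
    '9'  = 'NewCredentials'
    '10' = 'RemoteInteractive'
    '11' = 'CachedInteractive'
}

$since  = (Get-Date).AddHours(-24)
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since }
$privs  = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = $since }

# Index the 4624s by the new session's logon ID. The matching 4672 carries the
# same value in its SubjectLogonId field.
$byLogonId = @{}
foreach ($e in $logons) {
    $id = Get-EventField $e 'TargetLogonId'
    if ($id) { $byLogonId[$id] = $e }
}

$rows = foreach ($p in $privs) {
    $id = Get-EventField $p 'SubjectLogonId'
    $l  = $null
    if ($id) { $l = $byLogonId[$id] }

    $type = 'no matching 4624 in window'; $proc = ''; $src = ''
    if ($l) {
        $t    = Get-EventField $l 'LogonType'
        $type = "$t ($($logonTypeName[$t]))"
        $proc = Get-EventField $l 'ProcessName'
        $src  = Get-EventField $l 'IpAddress'
    }

    [pscustomobject]@{
        Time      = $p.TimeCreated
        Account   = "$(Get-EventField $p 'SubjectDomainName')\$(Get-EventField $p 'SubjectUserName')"
        LogonType = $type
        Process   = $proc
        Source    = $src
    }
}

# Summary: which accounts and logon types generate the 4672s. SYSTEM and the
# machine account (HOSTNAME$) with type 0/4/5 logons are expected background
# activity from services and scheduled tasks.
$rows |
    Group-Object Account, LogonType |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# The rows worth a closer look: anything that is not SYSTEM or a machine
# account, newest first. A human account with type 10 (RDP) or type 3 from an
# unexpected source address is what to chase.
$rows |
    Where-Object { $_.Account -notmatch '\\(SYSTEM|[^\\]+\$)$' } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

If the summary is dominated by `NT AUTHORITY\SYSTEM` and `HOSTNAME$` with logon types 0, 4 or 5, the volume is the OS and its services re-establishing privileged sessions, which matches the thread's conclusion that it is normal; it is also far too little work to explain a machine hanging. If instead real user accounts show up with type 3 or 10 from addresses you do not recognise, that is the case where the 4672 noise was hiding something worth keeping in the log.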
 

Accepted Solution

by:Dan Moerman
Dan Moerman earned 50 total points (awarded by participants)
ID: 41882874
I've independently gotten information suggesting that this issue may be related to a problem in the OS.  I will probably have to refresh or reset Windows 10.  I'll let you know how it goes.

dan
0
 
LVL 64

Expert Comment

by:btan
ID: 41905438
As per advice by author.
0
