Solved

MS Windows security auditing

Posted on 2016-11-05
Last Modified: 2016-11-29
Can someone explain to me what "Microsoft Windows security auditing" is? I've been having odd moments of my machine hanging on me (again); not terrible, but annoying. I've been watching things with Event Viewer. I find that for the past week or so, in a seven-day period, I have as many as 29,000 or more of these security audits. Over 4000 a day. This must take up some processor time, and perhaps is the source of these hangups. Regardless, I'd like to know what they are, and why I have so many of them. I tried to upload the evtx file, but it didn't work (probably too big). Thanks for your counsel on this issue.

dan
Question by:Dan Moerman
11 Comments
 
LVL 80

Assisted Solution

by:arnold
arnold earned 400 total points (awarded by participants)
ID: 41875701
Security auditing deals with making sure you know which accounts have elevated rights or elevated access.
The same applies to making sure that only the essential services are running on the system(s).
 
LVL 65

Assisted Solution

by:btan
btan earned 1400 total points (awarded by participants)
ID: 41875813
Auditing is mostly there to help you track events, alert on anomalous activities, and meet audit compliance and log storage requirements.

For example, most use Windows security and system logs to create a security events tracking system, to record and store network activities that are associated with potentially harmful behaviors, and to mitigate those risks.

Indeed it can be noisy if you enable all audit trails; it needs to be tuned to what is required, such as logon activities to detect unauthorised attempts, etc.

You can find the settings in the GPO under Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy.

You will find a number of policies where you can configure either Success or Failure. Account Logon Events audits when other people succeed or fail when attempting to log onto the domain. Logon Events audits when someone succeeds or fails at logging onto the Domain Controller.

Most companies retain their security logs for auditing and historical purposes. Clearing the logs without making a backup could be considered poor practice, depending on what your company's standards are.
You can check out the best practice recommended by Microsoft and customise as required. It is good to get your security team, if any, to advise, as it may be for compliance needs.

https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations
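The Audit Policy settings btan points to can be read and changed from the command line as well as through the GPO editor. The following is an added example and is not code from the thread or from Microsoft. It assumes an elevated prompt on an English-locale Windows machine (the subcategory names are locale-specific), and it relies on the fact that event 4672 is produced by the "Special Logon" subcategory of Logon/Logoff, while 4624 and 4634 come from "Logon" and "Logoff". If a domain GPO defines these settings, the GPO overrides any local change at the next policy refresh.

```powershell
# Added example (not from the thread): inspect and tune the audit subcategories behind
# events 4624/4634 (Logon, Logoff) and 4672 (Special Logon). Run from an elevated prompt.

# 1. Save the current effective policy first; it can be put back with `auditpol /restore`.
$backup = Join-Path $env:TEMP "auditpol-backup-$(Get-Date -Format yyyyMMdd-HHmmss).csv"
auditpol /backup /file:$backup
Write-Host "Saved current audit policy to $backup"

# 2. Show what the three logon-related subcategories currently audit (Success / Failure / both / none).
foreach ($sub in 'Logon', 'Logoff', 'Special Logon') {
    auditpol /get /subcategory:"$sub"
}

# 3. Tuning choice, following the thread's advice that 4624/4634 are usually what you need:
#    keep Logon/Logoff for both Success and Failure, and stop the Success stream that emits 4672.
#    Trade-off: 4672 is also the cheapest signal that an admin-equivalent token was used, so many
#    teams keep it enabled and filter the SYSTEM / computer-account noise in their log collector instead.
auditpol /set /subcategory:"Logon"  /success:enable  /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable  /failure:enable
auditpol /set /subcategory:"Special Logon" /success:disable /failure:disable

# 4. Confirm the result.
auditpol /get /subcategory:"Special Logon"
```

Step 3 is the point where the choice btan describes is made; if you only want to see what the machine is doing, stop after step 2.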
 
LVL 57

Expert Comment

by:McKnife
ID: 41876038
Just quote (copy and paste) one of those events so that we know what you are talking about.
 

Author Comment

by:Dan Moerman
ID: 41876077
Here is a snip of the Event Viewer, plus, below it, the info from clicking on the top (most recent) item.

Capture.JPG
 
LVL 65

Assisted Solution

by:btan
btan earned 1400 total points (awarded by participants)
ID: 41876141
Event 4672 comes from anything requiring special privileges for logon. Examples include running a scheduled task with an administrator-privileged logon, an application that has been run as administrator, or just logging on with an administrator account, etc. In short, this event lets you know whenever an account assigned any "administrator equivalent" user rights logs on.

You will probably be seeing 4624 (logon) and 4634 (logoff) events for the administrative account too. They are in close proximity to event 4672, which is logged specifically for administrators who have most of these admin-equivalent rights.

You should review whether it is necessary to be so verbose. You will probably just need 4624 and 4634. But what I find strange is why there are so many 4672 events, and this should be drilled into further for the root cause, if this started recently.
 

Author Comment

by:Dan Moerman
ID: 41876156
I have looked closer. What seems to be happening is that I get either a 2-item burst or a 4-item burst. The 2-item burst is a 2624 followed by a 4672; a 4-item burst is two 2-item bursts. I've attached a small group of 16 items in a .evtx file which, I think, should be readable here. Click and see... Well, I can't do it. The extension is not allowed. I'm not sure what to do. I don't understand why I'm getting so many of these things.
 
LVL 80

Expert Comment

by:arnold
ID: 41876277
To which account or accounts do the events apply? What are the types indicated?

The attachment function limits the file types (based on the suffix: .txt, etc.) that can be attached, or you forgot the attachment.
 

Author Comment

by:Dan Moerman
ID: 41877054
The types indicated in the most recent 30 events are these:

DANS2014DESKTOP    20
- (NULL)            3
ANONYMOUS LOGIN     3
SYSTEM              3

I did include the attachment; an error message advised me that the type (.evtx) was not allowed.
 
LVL 65

Assisted Solution

by:btan
btan earned 1400 total points (awarded by participants)
ID: 41877206
I would say that this is due to the SYSTEM account, which tries to log on every couple of seconds. It is perfectly normal. It also applies to any "super user" account with such privileged rights that logs on, for any server or application accounts logging on as a batch job (scheduled task) or system service. If you see a 4624 with logon type 3 for interactive, it is a remote logon. But see this advice:
The presence of the machine account name most likely corresponds to the "System" account activity. This is normal behavior for the system account. You may or may not want to drop these events depending on how badly you need to save space for logs. System activity can be very important to track because a compromised machine can display anomalous system account activity, so the choice is up to you.
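Both of btan's explanations above (4672 accompanying 4624/4634 for admin-equivalent accounts, and the SYSTEM / machine-account logons that make up most of the volume) can be checked directly against the Security log rather than by scrolling Event Viewer. The script below is an added example, not code from the thread or from Microsoft. It assumes an elevated PowerShell prompt (the Security log is not readable otherwise); `$Hours` and `$Top` are this script's own parameters; the correlation it uses is the documented one, where a 4672's SubjectLogonId equals the TargetLogonId of the 4624 that created the same session, and the logon type names are the ones Microsoft documents for 4624 (type 2 is Interactive, type 3 is Network, type 10 is RemoteInteractive).

```powershell
# Added example (not from the thread): summarise 4672 events, join each to its 4624, and
# separate the expected SYSTEM / computer-account noise from everything else.
# Requires an elevated prompt. $Hours and $Top are this script's own parameters.
param(
    [int]$Hours = 24,
    [int]$Top   = 10
)

# Logon type codes as documented for event 4624.
$LogonTypeNames = @{
    '2'  = 'Interactive';      '3'  = 'Network'
    '4'  = 'Batch';            '5'  = 'Service'
    '7'  = 'Unlock';           '8'  = 'NetworkCleartext'
    '9'  = 'NewCredentials';   '10' = 'RemoteInteractive'
    '11' = 'CachedInteractive'
}

# Pull only the two IDs we need; -FilterHashtable is evaluated by the event log engine and is
# far faster than piping the whole Security log through Where-Object.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4672
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue
if (-not $events) { Write-Host "No 4624/4672 events in the last $Hours h."; return }

# Flatten an event's EventData into a hashtable keyed by field name (SubjectUserName, ...).
function ConvertTo-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $fields = @{}
    $xml = [xml]$Record.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

$logons   = @{}                                                 # TargetLogonId -> 4624 fields
$specials = New-Object System.Collections.Generic.List[object]  # parsed 4672 records

foreach ($e in $events) {
    $f = ConvertTo-EventFields -Record $e
    if ($e.Id -eq 4624) {
        $logons[$f['TargetLogonId']] = $f
    } else {
        # A 4672's SubjectLogonId is the session id that the matching 4624 reports as TargetLogonId.
        $specials.Add([pscustomobject]@{
            Time    = $e.TimeCreated
            Account = "$($f['SubjectDomainName'])\$($f['SubjectUserName'])"
            LogonId = $f['SubjectLogonId']
        })
    }
}

Write-Host "4672 (special privileges assigned) events in the last $Hours h: $($specials.Count)"
Write-Host "Top accounts generating them:"
$specials | Group-Object Account | Sort-Object Count -Descending |
    Select-Object -First $Top -Property Count, Name | Format-Table -AutoSize | Out-Host

# Join each 4672 to the 4624 of the same session to learn HOW the privileged logon happened.
$joined = foreach ($s in $specials) {
    $type = 'no matching 4624 in window'
    $src  = '-'
    if ($s.LogonId -and $logons.ContainsKey($s.LogonId)) {
        $l    = $logons[$s.LogonId]
        $type = $LogonTypeNames[$l['LogonType']]
        if (-not $type) { $type = "type $($l['LogonType'])" }
        $src  = $l['IpAddress']
    }
    [pscustomobject]@{ Account = $s.Account; LogonType = $type; Source = $src }
}

Write-Host "`nPrivileged logons by account and logon type:"
$joined | Group-Object Account, LogonType | Sort-Object Count -Descending |
    Select-Object -Property Count, Name | Format-Table -AutoSize | Out-Host

# What remains after removing the expected noise: SYSTEM (NT AUTHORITY\SYSTEM) and the
# machine's own computer account (name ends in '$'). Anything left here deserves a look,
# especially Network or RemoteInteractive logons from an address you do not recognise.
$unexpected = @($joined | Where-Object {
    $_.Account -ne 'NT AUTHORITY\SYSTEM' -and $_.Account -notmatch '\$$'
})
Write-Host "`nPrivileged logons from accounts other than SYSTEM / the computer account: $($unexpected.Count)"
$unexpected | Group-Object Account, LogonType, Source | Sort-Object Count -Descending |
    Select-Object -Property Count, Name | Format-Table -AutoSize | Out-Host
```

On a machine behaving as btan describes, the first table is dominated by NT AUTHORITY\SYSTEM and the computer account with logon type Service or Batch, and the last table is short or empty. If the last table is not empty, those are the sessions worth reading in full in Event Viewer, because they are the ones the SYSTEM noise would otherwise hide.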
 

Accepted Solution

by:Dan Moerman
Dan Moerman earned 200 total points (awarded by participants)
ID: 41882874
I've independently gotten information suggesting that this issue may be related to a problem in the OS.  I will probably have to refresh or reset Windows 10.  I'll let you know how it goes.

dan
 
LVL 65

Expert Comment

by:btan
ID: 41905438
As per advice by author.
