Solved

MS Windows security auditing

Posted on 2016-11-05
11
33 Views
Last Modified: 2016-11-29
Can someone explain to me what "Microsoft Windows security auditing" is?  I've been having odd moments of machine hanging on me (again); not terrible, but annoying.  I've been watching things with Event Viewer.  I find that for the past week or so, in a seven day period I have as many as 29,000 or more of these security audits. Over 4000 a day.  This must take up some processor time, and perhaps is the source of these hangups.  Regardless, I'd like to know what they are, and why I have so many of them.  I tried to upload the evtx file, but it didn't work (Probably too big.) Thanks for your counsel on this issue.

dan
0
Comment
Question by:Dan Moerman
11 Comments
 
LVL 76

Assisted Solution

by:arnold
arnold earned 100 total points (awarded by participants)
ID: 41875701
Security auditing deals with making sure which accounts you have that have elevated rights or elevated access.
The same applies to making sure that only the essential services are running on the system(s).
0
 
LVL 61

Assisted Solution

by:btan
btan earned 350 total points (awarded by participants)
ID: 41875813
Auditing is mostly to help you track events for alerting on anomalous activities and also for audit compliance for the log storage requirements.

For example, most use Windows security and system logs to create a security events tracking system, to record and store network activities that are associated with potentially harmful behaviors, and to mitigate those risks.

Indeed it can be noisy if you are going for all audit trails; it needs to be tuned to what is required, e.g. logon activities to detect unauthorised attempts, etc.

You can find the settings located under GPO for Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy

You will find a number of policies where you can configure either Success or Failure. Account Logon Events audits when other people succeed or fail when attempting to log onto the domain. Logon Events audits when someone succeeds or fails at logging onto the Domain Controller.

Most companies retain their security logs for auditing and historical purposes. Clearing the logs without making a backup could be considered poor practice depending on what your company's standards are.
You can check out the best practice recommended by Microsoft and customise as required. It is good to get your security team, if any, to advise, as it may be for compliance needs.

https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations
0
 
LVL 53

Expert Comment

by:McKnife
ID: 41876038
Just quote (copy and paste) one of those events so that we know what you are talking about.
0
 

Author Comment

by:Dan Moerman
ID: 41876077
Here is a snip of the Event Viewer, plus, below it, the info from clicking on the top (most recent) item. (Attachment: Capture.JPG)
0
 
LVL 61

Assisted Solution

by:btan
btan earned 350 total points (awarded by participants)
ID: 41876141
For the 4672 event, it comes from anything requiring special privileges for logon events. Examples include running a scheduled task with an administrator-privileged logon, an application that has been run as administrator, or just logging on with an administrator account, etc. In short, this event lets you know whenever an account assigned any "administrator equivalent" user rights logs on.

You will probably be seeing 4624 (logon) and 4634 (logoff) events for the administrative account too. They are in close proximity to event 4672 for logon events specifically for administrators who have most of these admin-equivalent rights.

You should review whether it is necessary to be so verbose. You will probably just need 4624 and 4634. But what I find strange is why there are so many 4672 events, and this should be drilled into further for root cause - if this happened recently.
0
 

Author Comment

by:Dan Moerman
ID: 41876156
I have looked closer.  What seems to be happening is that I get either a 2-item burst or a 4-item burst. The 2-item burst is a 2624 followed by a 4672; a 4-item burst is two 2-item bursts.  I've attached a small group of 16 items in a .evtx file which, I think, should be readable here. Click and see. . .  Well, I can't do it.  The extension is not allowed.  I'm not sure what to do.  I don't understand why I'm getting so many of these things.
0
 
LVL 76

Expert Comment

by:arnold
ID: 41876277
To which account(s) does the event (or events) apply? What are the types indicated?

The attachment portion has a limit on the file types (based on suffix: .txt, etc.) that can be attached. Or you forgot the attachment.
0
 

Author Comment

by:Dan Moerman
ID: 41877054
Types indicated in the most recent 30 events are these (account name, count):

DANS2014DESKTOP   20
- (NULL)           3
ANONYMOUS LOGIN    3
SYSTEM             3

I did include the attachment; an error message advised me that the type (.evtx) was not allowed.
0
 
LVL 61

Assisted Solution

by:btan
btan earned 350 total points (awarded by participants)
ID: 41877206
I would say that this is due to the SYSTEM account, which every couple of seconds tries to log on. It is perfectly normal. It is also any "super user" account with such privileged rights that is logging on for any server or application accounts logging on as a batch job (scheduled task) or system service. If you see that 4624 has logon type 3 for interactive, it is a remote logon.  But to see advice
The presence of the machine account name most likely corresponds to the "System" account activity. This is normal behaviour for the system account. You may or may not want to drop these events depending on how badly you need to save space for logs. System activity can be very important to track, because a compromised machine can display anomalous system account activity, so the choice is up to you.
0
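As an added illustration (not code from this thread or from Microsoft), the correlation btan describes in the two comments above: each 4672 event shares a Logon ID with the 4624 event for the same session, so pairing them and tallying by account and logon type shows which accounts generate the volume and which pairs deserve a look. The records are constructed to resemble the account names listed above; on a real machine the same fields come from the Security log (for example exported with Get-WinEvent), and the noise list and review rule are assumptions for the example.

```python
from collections import Counter, defaultdict

# Logon type codes recorded in the 4624 event (documented by Microsoft).
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 10: "RemoteInteractive"}

# Constructed sample records (not from the original thread). The fields mirror
# the EventData of 4624 (logon) and 4672 (special privileges assigned) events;
# a 4672 follows its 4624 and carries the same Logon ID, giving the 2-item bursts.
SAMPLE_EVENTS = [
    {"id": 4624, "user": "SYSTEM", "logon_id": "0x3e7", "logon_type": 5},
    {"id": 4672, "user": "SYSTEM", "logon_id": "0x3e7"},
    {"id": 4624, "user": "DANS2014DESKTOP$", "logon_id": "0x1a2b", "logon_type": 3},
    {"id": 4672, "user": "DANS2014DESKTOP$", "logon_id": "0x1a2b"},
    {"id": 4624, "user": "dan", "logon_id": "0x5c4d", "logon_type": 2},
    {"id": 4672, "user": "dan", "logon_id": "0x5c4d"},
    {"id": 4624, "user": "dan", "logon_id": "0x7e8f", "logon_type": 10},
    {"id": 4672, "user": "dan", "logon_id": "0x7e8f"},
    {"id": 4672, "user": "backupsvc", "logon_id": "0x9999"},  # 4624 outside the export window
]


def correlate(events):
    """Pair each 4672 with the 4624 sharing its Logon ID.

    Returns ({account: Counter(logon type -> count)}, [unmatched 4672 records]).
    """
    logons = {e["logon_id"]: e for e in events if e["id"] == 4624}
    summary = defaultdict(Counter)
    orphans = []
    for e in events:
        if e["id"] != 4672:
            continue
        logon = logons.get(e["logon_id"])
        if logon is None:
            orphans.append(e)          # privileged logon with no visible 4624: widen the window
            continue
        summary[e["user"]][LOGON_TYPES.get(logon["logon_type"], "Other")] += 1
    return dict(summary), orphans


def review_candidates(summary, noise=frozenset({"SYSTEM"})):
    """Drop SYSTEM and machine accounts (the expected noise); flag privileged
    logons by people or service accounts arriving over network or remote types.
    The review rule is an assumption for this example, not a Microsoft baseline."""
    flagged = []
    for user, types in summary.items():
        if user in noise or user.endswith("$"):
            continue
        for logon_type, n in types.items():
            if logon_type in ("Network", "RemoteInteractive"):
                flagged.append((user, logon_type, n))
    return sorted(flagged)
```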
 

Accepted Solution

by:
Dan Moerman earned 50 total points (awarded by participants)
ID: 41882874
I've independently gotten information suggesting that this issue may be related to a problem in the OS.  I will probably have to refresh or reset Windows 10.  I'll let you know how it goes.

dan
0
 
LVL 61

Expert Comment

by:btan
ID: 41905438
As per advice by author.
0
