I have a Windows 2003 server acting as domian controller on a small (7
PC) office network.
Things seem to be working OK, but in my Event Viewer Security log, I
find constant Success Audits where the machines in my network are
doing Logon/Logoff and Privilege Use. These are happening many times
per minute and I am concerned that something may be amiss.
It usually seems to be Logon/Logoff EventID 540, the Privilege use
#576, then Logon/Logoff #538, like so:
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 7/3/2004
Time: 1:39:54 PM
User: NT AUTHORITY\SYSTEM
Computer: MEDTEKSERVER
Description:
Successful Network Logon:
User Name: MEDTEKSERVER$
Domain: MEDTEK
Logon ID: (0x0,0x19D51B45)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {09dc05ac-b256-11bc-da59-4245b06f1711}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.1.200
Source Port: 3957
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 7/3/2004
Time: 1:39:54 PM
User: NT AUTHORITY\SYSTEM
Computer: MEDTEKSERVER
Description:
Special privileges assigned to new logon:
User Name: MEDTEKSERVER$
Domain: MEDTEK
Logon ID: (0x0,0x19D51B45)
Privileges: SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeChangeNotifyPrivilege
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 7/3/2004
Time: 1:39:54 PM
User: NT AUTHORITY\SYSTEM
Computer: MEDTEKSERVER
Description:
User Logoff:
User Name: MEDTEKSERVER$
Domain: MEDTEK
Logon ID: (0x0,0x19D51AF8)
Logon Type: 3
Is this stuff normal? Is my auditing set too high? Any help would be
muchly appreciated.
Ed
|
Similar Threads
Linear Mode
