Hello,
Does anyone know if, on a 2003 Server system running as a Domain Controller (DC), when users on the network log in and authenticate with the DC, those entries are added to the 2003 Server's Security Event log (SecEvent.EVT)? Or are the SecEvent.Evt entries strictly for logins to the 2003 server itself?
Thanks,
How about an it depends? All successful logons are Event ID 528 entries in the security log, if auditing is turned on and you are auditing successful logons. Unsuccessful logons have various event ids which categorize the type of logon failure.
Event ID 528 entries list the:
user name
domain
logon id
logon type
logon process
authentication package
workstation name

The types of successful logons:
Type 2 Console logon - interactive from the computer console
Type 3 Network logon - network mapping (net use/net view)
Type 4 Batch logon - scheduler
Type 5 Service logon - service uses an account
Type 7 Unlock Workstation

The unsuccessful logon events are:
Event ID 529 Unknown user name or bad password
Event ID 530 Logon time restriction violation
Event ID 531 Account disabled
Event ID 532 Account expired
Event ID 533 Workstation restriction - not allowed to logon at this computer
Event ID 534 Inadequate rights - as in user account attempting console login to server
Event ID 535 Password expired
Event ID 536 NetLogon service down
Event ID 537 unexpected error - the who knows ??? factor
Event ID 539 Logon Failure Account locked out
Event ID 627 NT AUTHORITY\ANONYMOUS is trying to change a password
Event ID 644 User account Locked out
Event ID 538 is not an unsuccessful event but rather a successful logoff.
Event ID 540 is not an unsuccessful event but rather a successful network logon as in mapping a network drive.
Do you have access to the event log? Just filter it for the login events Bithead mentions and then look at the accounts generating the events; it should become fairly obvious if the domain accounts are also in there.
Thanks all, will look into that. Yes, I do have access to the *.evt files. Here is another question. In the SAM file, under the only account (admin), it shows that the number of logins equals zero. Yet there are many 540 and 538 event IDs in the SecEvent.evt log. I would assume that the SAM file says the admin has never logged in b/c the SAM file is only logging local access to the system and not remote.
Thanks,
Hello,
Thanks for the help. From what I have been reading, 2000 and on will log the domain logins, but there are also domain authentications. I believe that event 540 entries are for domain logins versus the 528 system logins. What is odd is that I have so many entries, and many are within the same second, and they are also listed as Anonymous logins, which I have found to be NULL sessions. I understand what null sessions are, but I am trying to understand why there would be so many? If accessing files on a webserver, or mail on a mail server, would there be any null sessions related to any part of that communication?
Thanks
Null sessions are sometimes generated by vulnerability scanners that are trying to extract information from a system without any particular credentials – for instance, it may be possible to get a full list of all users and even password policy information from a DC by null sessions, if it is not locked up properly (modern servers are more locked up by default). But they're also there because of backwards compatibility with workgroups, I think. In such a scenario, file access may very well be done by NULL sessions.
If you want more info on security events, try Randy Franklin Smith's book on Windows Security Log, or his web site.
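An added example, not from any poster in this thread: a small Python script that applies the event ID table and logon types from Bithead's post to an exported Security log, counts successes versus failures, lists which workstations are generating NULL-session (ANONYMOUS LOGON) 540 events, and flags seconds that carry a burst of logons like the ones described above. The SAMPLE records are constructed, and it is assumed the .evt entries have already been exported to one dict per event with these field names.

```python
from collections import Counter, defaultdict

# Event IDs and logon types exactly as listed in the post above (NT/2000/2003 numbering).
LOGON_EVENTS = {
    528: "successful logon", 538: "successful logoff", 540: "successful network logon",
    529: "unknown user name or bad password", 530: "logon time restriction violation",
    531: "account disabled", 532: "account expired", 533: "workstation restriction",
    534: "inadequate rights", 535: "password expired", 536: "NetLogon service down",
    537: "unexpected error", 539: "account locked out", 644: "user account locked out",
}
SUCCESS_IDS = {528, 538, 540}
LOGON_TYPES = {2: "console", 3: "network", 4: "batch", 5: "service", 7: "unlock"}
ANONYMOUS = ("NT AUTHORITY", "ANONYMOUS LOGON")

# Constructed sample records (hypothetical SecEvent.evt export, one dict per event).
SAMPLE = [
    {"time": "2007-03-01 08:15:02", "id": 528, "domain": "CORP", "user": "jsmith", "type": 2, "ws": "DC1"},
    {"time": "2007-03-01 08:15:02", "id": 540, "domain": "CORP", "user": "jsmith", "type": 3, "ws": "WS17"},
    {"time": "2007-03-01 08:15:02", "id": 529, "domain": "CORP", "user": "bjones", "type": 3, "ws": "WS22"},
    {"time": "2007-03-01 08:16:40", "id": 540, "domain": "NT AUTHORITY", "user": "ANONYMOUS LOGON", "type": 3, "ws": "WEB1"},
    {"time": "2007-03-01 08:16:40", "id": 540, "domain": "NT AUTHORITY", "user": "ANONYMOUS LOGON", "type": 3, "ws": "WEB1"},
    {"time": "2007-03-01 08:16:40", "id": 540, "domain": "NT AUTHORITY", "user": "ANONYMOUS LOGON", "type": 3, "ws": "WEB1"},
    {"time": "2007-03-01 08:16:40", "id": 538, "domain": "NT AUTHORITY", "user": "ANONYMOUS LOGON", "type": 3, "ws": "WEB1"},
    {"time": "2007-03-01 09:00:11", "id": 539, "domain": "CORP", "user": "bjones", "type": 3, "ws": "WS22"},
]

def classify(ev):
    """Map one event to (outcome, description, logon type name)."""
    eid = ev["id"]
    type_name = LOGON_TYPES.get(ev.get("type"), "unknown")
    if eid not in LOGON_EVENTS:
        return ("other", "not a logon event", type_name)
    return ("success" if eid in SUCCESS_IDS else "failure", LOGON_EVENTS[eid], type_name)

def is_null_session(ev):
    """A NULL session appears as a 540 network logon by NT AUTHORITY\\ANONYMOUS LOGON."""
    return ev["id"] == 540 and (ev["domain"], ev["user"]) == ANONYMOUS

def summarize(events, burst_threshold=3):
    """Count outcomes, tally null-session source workstations, flag busy seconds."""
    outcomes = Counter(classify(ev)[0] for ev in events)
    null_sources = Counter(ev["ws"] for ev in events if is_null_session(ev))
    per_second = defaultdict(int)
    for ev in events:
        if ev["id"] in (528, 540):      # only count logons, not logoffs or failures
            per_second[ev["time"]] += 1
    bursts = sorted(t for t, n in per_second.items() if n >= burst_threshold)
    return {"outcomes": dict(outcomes), "null_sessions": dict(null_sources), "bursts": bursts}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On a real export, a high null-session count from one workstation in a single second is the pattern to compare against the scanner and workgroup explanations given above.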
All,
Is there any legitimate use on a domain network for null sessions/Anonymous access (from internal to a DMZ server) that is a Webserver, mailserver, AD, and DNS? I have read about null sessions and the NT/Anonymous logins, but I am not finding anything useful.
Thanks,