2003 SP2 DC filling up with event id 538 540 and 576
I am also having this problem referred to in
http://social.technet.microsoft.com/Forums/en/winserversecurity/thread/77150db7-c5d3-472a-b331-e9e71adf519e.
380mb in the Security Log in a single day, the vast majority of which are 538/540 and some 576 success events. Most of the events are from the DC's computer account talking to itself.
Audit Privilege Use is set to failure only.
Looked at the hotfix and it says it only applies to Server 2003 SP1. I am running SP2.
Any ideas?
February 21st, 2011 9:08am
What's inside those events? Sorry, I don't remember all the Event IDs.
MCITP: Enterprise Administrator; MCT; Microsoft Security Trusted Advisor; CCNA
February 21st, 2011 11:45am
Hi,
Please run rsop.msc or gpresult /v on the DC to verify what audit policies have actually been applied.
Here are some threads which might be helpful for you:
http://social.technet.microsoft.com/Forums/en-US/smallbusinessserver/thread/0781113e-555f-472c-a6cf-e1847ce82ed5/
http://social.msdn.microsoft.com/Forums/en-US/sqlsecurity/thread/8067455e-0814-4506-82f0-6023189412ea
If you need further assistance, please provide more information about the event log you received.
Hope this helps.
Regards,
Bruce
February 22nd, 2011 4:14am
W2k3 Standard Edition, two DCs, single domain. The main DC holding all FSMO roles has a continuous stream of event log entries. The other DC has some of the events in the Security logs but only at certain periods of the day and time.
Audit policies (all of which are required) are:
Audit account logon events: Success, Failure
Audit account management: Success, Failure
Audit directory service access: Failure
Audit logon events: Success, Failure
Audit object access: Failure
Audit policy change: Success, Failure
Audit privilege use: Failure
Audit process tracking: No auditing
Audit system events: Success, Failure
Event log entries look like that referenced in
http://www.petri.co.il/forums/showthread.php?t=33493
I have a w2k3 Standard edition single-domain network with 2 DCs.
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 576
Date: (every day)
Time: (1 a second)
User: NT AUTHORITY\SYSTEM
Computer: (MY DC SERVER NAME WITH ALL FSMO ROLES,DNS,DHCP, GC)
Description:
Special privileges assigned to new logon:
User Name: MY DC SERVERNAME$
Domain: domain
Logon ID: (0x0,0x52037FD2)
Privileges: SeTcbPrivilege
...
...
Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: EVERY DAY
Time: 1 a second
User: NT AUTHORITY\SYSTEM
Computer: DC SERVER NAME
Description:
Successful Network Logon:
User Name: MY DC SERVER NAME$
Domain: DOMAIN
Logon ID: (0x0,0x52031E3E)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {8b64e4ef-3a8f-ed26-d90d-3b7ddf076275}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: IP of Server
Source Port: 1816
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: everyday
Time: 1 a second
User: NT AUTHORITY\SYSTEM
Computer: dc server name
Description:
User Logoff:
User Name: MY DC sERVERNAME$
Domain: domain
Logon ID: (0x0,0x52031E3E)
Logon Type: 3
February 22nd, 2011 5:14am
Any exchange / sql / etc installed?
MCITP: Enterprise Administrator; MCT; Microsoft Security Trusted Advisor; CCNA
February 22nd, 2011 11:48am
Any exchange / sql / etc installed?
MCITP: Enterprise Administrator; MCT; Microsoft Security Trusted Advisor; CCNA
Backup Exec is installed which uses the SQL Server Express.
No Exchange
February 22nd, 2011 12:25pm
Windows logs logon type 3 in most cases when you access a computer from elsewhere on the network. One of the most common sources of logon events with logon type 3 is connections to shared folders or printers or IIS. It seems you enabled too many audit options.
Enable the failure option only for a test.
February 28th, 2011 5:46am
I am required to audit the events.
And this issue is only occurring on one server.
February 28th, 2011 6:10am
Hi Guys,
I had the same problem, and I cleared all the open sessions, which were causing the problem, until they no longer reappeared.
The problem got resolved.
Shashi
May 20th, 2011 10:47am
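An added example, not code from any poster in this thread: it parses a text dump of Security events in the layout pasted earlier in the thread, counts them per event ID, account, logon type and source address, and lists Logon IDs that have a 540 logon but no 538 logoff within the dump. The sample events, DC01$ and 192.0.2.10 are constructed placeholders, and the code assumes the log has been saved as text with one "Field: value" pair per line.

```python
import re
from collections import Counter

# Constructed sample in the layout of the events pasted in the thread.
# DC01$ and 192.0.2.10 are placeholder values, not taken from the thread.
SAMPLE = """\
Event Type: Success Audit
Event ID: 540
User Name: DC01$
Logon ID: (0x0,0x52031E3E)
Logon Type: 3
Source Network Address: 192.0.2.10
Event Type: Success Audit
Event ID: 538
User Name: DC01$
Logon ID: (0x0,0x52031E3E)
Logon Type: 3
Event Type: Success Audit
Event ID: 540
User Name: DC01$
Logon ID: (0x0,0x52031F00)
Logon Type: 3
Source Network Address: 192.0.2.10
"""

def parse_events(text):
    """Split a text dump into one dict of 'Field: value' pairs per event."""
    events = []
    for block in re.split(r"(?m)^(?=Event Type:)", text):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "Event ID" in fields:
            events.append(fields)
    return events

def top_sources(events):
    """Count events per (event ID, account, logon type, source address)."""
    return Counter((e["Event ID"], e.get("User Name", "-"), e.get("Logon Type", "-"),
                    e.get("Source Network Address", "-")) for e in events)

def open_sessions(events):
    """Logon IDs with a 540 (network logon) but no 538 (logoff) in the dump."""
    on = {e.get("Logon ID", "-") for e in events if e["Event ID"] == "540"}
    off = {e.get("Logon ID", "-") for e in events if e["Event ID"] == "538"}
    return sorted(on - off)
```

Calling `top_sources(parse_events(text)).most_common(10)` on a real dump shows which account and source address account for most of the 538/540/576 volume.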