What's the source of these logins?
We're seeing some events in one of our Windows 2003 server's Security log that we can't quite find the source of. This is one of our web servers. Something on the server must be running to authenticate itself. We checked the IIS log files and nothing shows there. Is there a way to enable some more verbose logging to get the source of these logins? We see these three events together:
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 12/29/2010
Time: 8:53:22 AM
User: WIN2003\IUSR_WIN2003
Computer: WIN2003
Description:
Successful Network Logon:
User Name: IUSR_WIN2003
Domain: WIN2003
Logon ID: (0x0,0xCFD3F33)
Logon Type: 8
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: WIN2003
Logon GUID: -
Caller User Name: NETWORK SERVICE
Caller Domain: NT AUTHORITY
Caller Logon ID: (0x0,0x3E4)
Caller Process ID: 504
Transited Services: -
Source Network Address: -
Source Port: -
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 552
Date: 12/29/2010
Time: 8:53:22 AM
User: NT AUTHORITY\NETWORK SERVICE
Computer: WIN2003
Description:
Logon attempt using explicit credentials:
Logged on user:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon GUID: -
User whose credentials were used:
Target User Name: IUSR_WIN2003
Target Domain: WIN2003
Target Logon GUID: -
Target Server Name: localhost
Target Server Info: localhost
Caller Process ID: 504
Source Network Address: -
Source Port: -
Event Type: Success Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 12/29/2010
Time: 8:53:22 AM
User: WIN2003\IUSR_WIN2003
Computer: WIN2003
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: IUSR_WIN2003
Source Workstation: WIN2003
Error Code: 0x0
Orange County District Attorney
December 29th, 2010 12:17pm
Hi Sandy,
As far as I know, there is no verbose mode for the event log on Windows Server 2003. Here is some information about these three events:
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=540&EvtSrc=Security&LCID=1033
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=552&EvtSrc=Security&LCID=1033
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.2&EvtID=680&EvtSrc=Security&LCID=1033
Hope it helps.
Regards,
Bruce
December 31st, 2010 5:18am
Thanks for the info, Bruce. I had seen the information you listed; I was hoping I could find a way to drill a bit further to find out what process was initiating the logins.
Orange County District Attorney
January 4th, 2011 11:20am
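Added example, not part of the original thread: events 540 and 552 as posted both carry a Caller Process ID field, so a text export of the Security log can be grouped by that field to see which process is performing the logons. The function names are hypothetical, and the sample is the thread's own event text trimmed to the fields used.

```python
import re
from collections import defaultdict

# Event text taken from the thread above, trimmed to the fields used here.
SAMPLE = """\
Event Type: Success Audit
Event ID: 540
User Name: IUSR_WIN2003
Caller User Name: NETWORK SERVICE
Caller Process ID: 504
Event Type: Success Audit
Event ID: 552
User Name: NETWORK SERVICE
Target User Name: IUSR_WIN2003
Caller Process ID: 504
Event Type: Success Audit
Event ID: 680
Logon account: IUSR_WIN2003
"""

FIELD = re.compile(r"^\s*([^:]+?):\s*(.*)$")

def parse_events(text):
    """Return one dict per event; a new event starts at each 'Event Type' line."""
    events = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Event Type":
            events.append({})
        if events:
            events[-1].setdefault(key, value)  # first occurrence of a key wins
    return events

def logons_by_caller(events):
    """Map (caller PID, caller account) -> set of accounts it logged on."""
    out = defaultdict(set)
    for e in events:
        pid = e.get("Caller Process ID")
        if pid is None:
            continue  # 680 carries no caller process field
        if e.get("Event ID") == "540":
            out[(int(pid), e.get("Caller User Name"))].add(e.get("User Name"))
        elif e.get("Event ID") == "552":
            out[(int(pid), e.get("User Name"))].add(e.get("Target User Name"))
    return dict(out)
```

A PID only identifies a process while that process is still running, so it has to be matched against `tasklist /svc` output on the server before the process exits or is recycled.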