Windows Security Auditing too many logs

By default the Windows Security auditing generates too many logs. Having cleared this log I already have 71,000 logs for the past seven days.
Where exactly is this auditing configured, because I would like to lower it a bit. I tried all the auditing in Default Domain, Default Domain Controller Policies but didn't find any audit settings configured. So where do they come from?
Thanks.

March 3rd, 2011 4:05pm
Domain security logs are configured via the Default Domain Controller Group Policy. It is located under
Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy.


You will find a number of policies where you can configure either Success or Failure. Account Logon Events audits when other people succeed or fail when attempting to log onto the domain. Logon Events audits when someone succeeds or fails at logging onto the Domain Controller.

Most companies retain their security logs for auditing and historical purposes. Clearing the logs without making a backup could be considered a poor practice depending on what your company's standards are.


It is important to make sure that you are auditing the correct settings to avoid collecting too much information. Below is a "Best Practices" guide that you may find useful:


Auditing Security Events Best practices

http://technet.microsoft.com/en-us/library/cc778162%28WS.10%29.aspx


March 4th, 2011 3:09pm
jsof,
I just read the part where you said you already checked the Default Domain and Default Domain Controller Policies. Have you checked the PC's Local Security Policy to see if any auditing is enabled there?

March 4th, 2011 3:34pm
Also, if you are using 2008 R2, then there is the advanced audit policy stuff to check as well.

March 5th, 2011 2:17pm
Hello guys and thanks for stopping by :-)
Yes, I am using Windows Server 2008 R2. There is nothing inside the audit policies (even the Advanced Audit Policy).

March 5th, 2011 4:59pm
Hi jsof,

Please run rsop.msc on the client to check if any audit policy has been configured.

Meanwhile, please let us know what logs have been recorded in the event log. You can paste some samples.

Regards,
Bruce

March 7th, 2011 4:21am
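The three replies above all come down to the same question: which layer (Default Domain Controllers Policy, another linked GPO, Local Security Policy, or the 2008 R2 Advanced Audit Policy Configuration) is actually producing the effective audit settings. The following script is an added example, not code from this thread or from Microsoft, that answers that from the machine itself. It assumes an elevated PowerShell session on the DC, the built-in auditpol.exe and secedit.exe, and the RSAT GroupPolicy module for the GPO scan; the two regular expressions used on the GPO XML reports are heuristics of mine, not a documented API.

```powershell
# Added example, not from the thread or Microsoft: find where this machine's
# effective audit configuration comes from. Assumes an elevated PowerShell on
# the DC, auditpol.exe and secedit.exe (built in), and the RSAT GroupPolicy
# module for the GPO scan. The XML matches are heuristics, not an API.

function Get-EffectiveAuditPolicy {
    # auditpol /r prints CSV (Machine Name, Policy Target, Subcategory,
    # Subcategory GUID, Inclusion Setting, Exclusion Setting). This is the
    # merged result of local policy, GPO and the advanced-audit override,
    # so it is the ground truth for "what is being audited right now".
    auditpol /get /category:* /r |
        Where-Object { $_ -and $_.Trim() } |
        ConvertFrom-Csv |
        Where-Object { $_.'Inclusion Setting' -ne 'No Auditing' } |
        Select-Object Subcategory, 'Inclusion Setting'
}

function Test-AdvancedAuditOverride {
    # When "Audit: Force audit policy subcategory settings (Windows Vista or
    # later) to override audit policy category settings" is enabled, LSA sets
    # SCENoApplyLegacyAuditPolicy = 1 and the nine legacy categories under
    # Local Policies > Audit Policy are ignored in favour of Advanced Audit
    # Policy Configuration. On 2008 R2 this decides which GPO section matters.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue
    [bool]$lsa.SCENoApplyLegacyAuditPolicy
}

function Get-LocalAuditPolicyEntries {
    # Export the local security database and return its [Event Audit] section,
    # i.e. what Local Security Policy contributes before GPO is layered on.
    $inf = Join-Path $env:TEMP 'local-secpol.inf'
    secedit /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    $inSection = $false
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\[Event Audit\]') { $inSection = $true; continue }
        if ($line -match '^\[') { $inSection = $false }
        if ($inSection -and $line -match '^(\w+)\s*=\s*(\d+)') {
            # Value bits: 1 = Success, 2 = Failure, 3 = both, 0 = no auditing.
            [pscustomobject]@{ Setting = $Matches[1]; Value = [int]$Matches[2] }
        }
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
}

function Find-GpoWithAuditSettings {
    # Scan every GPO's XML report for a legacy Audit Policy block or an
    # Advanced Audit Policy Configuration block. This is the check for
    # "so where do they come from?" when the two default GPOs look empty.
    Import-Module GroupPolicy -ErrorAction Stop
    foreach ($gpo in Get-GPO -All) {
        $report   = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $legacy   = $report -match '<\w+:Audit>'   # Local Policies > Audit Policy entries
        $advanced = $report -match 'AuditSetting'  # Advanced Audit Policy Configuration entries
        if ($legacy -or $advanced) {
            [pscustomobject]@{ Gpo = $gpo.DisplayName; LegacyAudit = $legacy; AdvancedAudit = $advanced }
        }
    }
}

# Driver: print the live policy, the override flag, the local contribution and
# the GPOs that carry audit settings. rsop.msc (or Get-GPResultantSetOfPolicy
# -ReportType Xml -Path <file>) then shows which of those GPOs won on this host.
'Effective audit policy (auditpol):'; Get-EffectiveAuditPolicy | Format-Table -AutoSize
'Advanced audit override active: ' + (Test-AdvancedAuditOverride)
'Local Security Policy [Event Audit] entries:'; Get-LocalAuditPolicyEntries | Format-Table -AutoSize
'GPOs carrying audit settings:'; Find-GpoWithAuditSettings | Format-Table -AutoSize
```

Read the auditpol output first: it is the merged result, so if a subcategory such as Logon or Logoff shows Success there, something is setting it even when the GPO editor looks empty. If Test-AdvancedAuditOverride returns True, only the Advanced Audit Policy Configuration section of a GPO (and the matching local advanced settings) can be the source, and the legacy Audit Policy entries can be ignored.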
Looking deeper into the Default Domain Controllers Policy I found this:
Under Computer Configuration / Windows / Security / Local Policies you have the
Generate Security Audits object, where by default system accounts like NETWORK SERVICE and LOCAL SERVICE are defined.
In the description of the policy object is written:
"This security setting determines which accounts can be used by a process to add entries to the security log. The security log is used to trace unauthorized system access. Misuse of this user right can result in the generation of many auditing events."
So I disabled both accounts' auditing in a new custom DC policy.
*The same applies to the Local Policy settings, so I applied my custom DC Policy enforced, and did a gpupdate /force.

Still I get multiple logs. Now let's see some of these logs:
First a Microsoft Windows Security, Event ID 4624:

An account was successfully logged on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

New Logon:
Security ID: SYSTEM
Account Name: 2008R2$
Account Domain: AI
Logon ID: 0x2e827f6
Logon GUID: {6d7bbe59-4af1-662a-f91b-aa41785bea78}

Process Information:
Process ID: 0x0
Process Name: -

Network Information:
Workstation Name:
Source Network Address: ::1
Source Port: 62157

Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon.
This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may
be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Then a Microsoft Windows Security, Event ID 4672:

Special privileges assigned to new logon.

Subject:
Security ID: SYSTEM
Account Name: 2008R2$
Account Domain: AI
Logon ID: 0x2e827f6

Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeEnableDelegationPrivilege

And finally a Microsoft Windows Security, Event ID 4634:

An account was logged off.

Subject:
Security ID: SYSTEM
Account Name: 2008R2$
Account Domain: AI
Logon ID: 0x2e827f6

Logon Type: 3

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the
Logon ID value. Logon IDs are only unique between reboots on the same computer

I also get this one multiple times (Event ID 4769):


A Kerberos service ticket was requested.

Account Information:
Account Name: 2008R2$@AI.LOCAL
Account Domain: AI.LOCAL
Logon GUID: {17cab577-b9ef-6b9f-bdbd-534ec50ceaa6}

Service Information:
Service Name: 2008R2$
Service ID: AI\2008R2$

Network Information:
Client Address: ::1
Client Port: 0

Additional Information:
Ticket Options: 0x40810000
Ticket Encryption Type: 0x12
Failure Code: 0x0
Transited Services: -

This event is generated every time access is requested to a resource such as a computer or a Windows service.
The service name indicates the resource to which access was requested.
This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event.
The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller
which issued the service ticket.

Ticket options, encryption types, and failure codes are defined in RFC 4120.
To summarize the issue here please take a look at this.
Every minute I get this pattern of 4624, 4672 and 4634, most probably a service authenticating with Kerberos and logging off. For 40 minutes since having cleared the security event log you can see in the picture that I have over 300 new events.
This is beyond the nature of auditing as someone has to spend some serious time and effort to use this log list.
Thanks for helping.

March 7th, 2011 11:06am
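Two things stand out in the post above. First, the "Generate security audits" user right (SeAuditPrivilege) only controls which accounts a process may use to write its own entries into the Security log; it does not select which logons LSA audits, so removing it from NETWORK SERVICE and LOCAL SERVICE cannot reduce the 4624/4634 volume (the Logon and Logoff subcategories do that) and may break services that legitimately audit. Second, the events quoted share one Logon ID (0x2e827f6), are for the DC's own computer account 2008R2$, and arrive from ::1, which is the loopback pattern of a local service authenticating to the DC with Kerberos, exactly as the poster suspected. The script below is an added example, not code from this thread, that correlates those events and separates this self-logon noise from logons a reviewer actually needs to read, so the log can be filtered rather than the audit switched off. It assumes an elevated PowerShell session on the DC for the live query; the $sample records are constructed from the field values quoted in the thread so the summary can be tried offline.

```powershell
# Added example, not from the thread: correlate the 4624 / 4672 / 4634 / 4769
# burst shown above and separate the DC's own machine-account loopback logons
# from logons that a reviewer actually needs to look at. Assumes an elevated
# PowerShell on the DC for the live query; the $sample records are constructed
# from the field values quoted in the thread for an offline dry run.

function ConvertTo-EventFields {
    # Flatten the <EventData><Data Name="..."> nodes of a Security record into
    # a hashtable keyed by field name (TargetUserName, IpAddress, ...).
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $xml = [xml]$Record.ToXml()
    $fields = @{ EventId = $Record.Id; TimeCreated = $Record.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields
}

function Get-RecentLogonEvents {
    # Pull the four event IDs from the live Security log for the last N minutes.
    param([int]$Minutes = 40)
    $filter = @{ LogName = 'Security'; Id = 4624, 4634, 4672, 4769
                 StartTime = (Get-Date).AddMinutes(-$Minutes) }
    Get-WinEvent -FilterHashtable $filter | ForEach-Object { ConvertTo-EventFields $_ }
}

function Test-SelfLogon {
    # True for the pattern in the thread: a computer account (name ends in $,
    # or $@REALM in a 4769) arriving from loopback or with no source address.
    param([hashtable]$F)
    $acct = @($F.TargetUserName, $F.SubjectUserName, $F.ServiceName) | Where-Object { $_ } | Select-Object -First 1
    $addr = @($F.IpAddress, $F.ClientAddress) | Where-Object { $_ } | Select-Object -First 1
    ($acct -match '\$(@|$)') -and ((-not $addr) -or ($addr -in '::1', '127.0.0.1', '-'))
}

function Get-LogonNoiseSummary {
    # 4624 -> 4672 -> 4634 of one session share a Logon ID; count how much of
    # the volume is self-logon noise versus material that needs review.
    param([hashtable[]]$Events)
    $self  = @($Events | Where-Object { Test-SelfLogon $_ })
    $other = @($Events | Where-Object { -not (Test-SelfLogon $_) })
    $selfSessions = @($self | Where-Object { $_.EventId -eq 4624 } |
                      ForEach-Object { $_.TargetLogonId } | Sort-Object -Unique)
    [pscustomobject]@{
        TotalEvents       = $Events.Count
        SelfLogonEvents   = $self.Count
        SelfLogonSessions = $selfSessions.Count
        NeedsReview       = $other.Count
        ReviewBreakdown   = (@($other | Group-Object EventId | ForEach-Object { "$($_.Name) x$($_.Count)" })) -join ', '
    }
}

# Constructed sample mirroring the thread's events (one machine-account
# session from ::1 plus one ordinary user network logon for contrast).
$sample = @(
    @{ EventId = 4624; TargetUserName = '2008R2$'; TargetDomainName = 'AI'; TargetLogonId = '0x2e827f6'; LogonType = '3'; IpAddress = '::1' }
    @{ EventId = 4672; SubjectUserName = '2008R2$'; SubjectLogonId = '0x2e827f6' }
    @{ EventId = 4634; TargetUserName = '2008R2$'; TargetLogonId = '0x2e827f6'; LogonType = '3' }
    @{ EventId = 4769; TargetUserName = '2008R2$@AI.LOCAL'; ServiceName = '2008R2$'; ClientAddress = '::1' }
    @{ EventId = 4624; TargetUserName = 'jsmith'; TargetDomainName = 'AI'; TargetLogonId = '0x31a2c0'; LogonType = '3'; IpAddress = '10.0.0.25' }
)

'Dry run on the constructed sample (expect 4 self-logon events, 1 session, 1 to review):'
Get-LogonNoiseSummary -Events $sample | Format-List
# Live run (uncomment on the DC):
# Get-LogonNoiseSummary -Events @(Get-RecentLogonEvents -Minutes 40) | Format-List
```

The same Test-SelfLogon predicate can be expressed as an XPath filter in an Event Viewer Custom View on the Security log, which hides the loopback machine-account sessions from day-to-day reading while leaving the audit subcategories, and therefore the forensic record, intact. Turning off Logon/Logoff success auditing on a domain controller removes the events that would show a real account being used from a real address.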
Anyone please?
