Hi all, I have a ext network that is protected by isa firewalls. We have enabled vpn on this ext network to allow my support staff to remote in for necessary support. On the security log i can see usernames of my colleagues logging on/off the domain under events 538 and 540. However when i check the firewall log of isa using the msdetotext tool i could not see any vpn connection during the time when the events for 538/540 were logged in security log, in face no vpn connections for that whole day. VPN is the only way we can access that external network. My question is when i see events 538 and 540 in security log, does it mean that there is really logging on and off process by user accounts taking place? If yes, my ext network may be hacked. Pls advise. Thks in advance.

Hi, Yes, generally speaking, the event 540 indicates a logon session was created for the user. You may get more useful information by checking the Logon Type and Source Network Address in the event. http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows%20Operating%20System&ProdVer=5.0&EvtID=540&EvtSrc=Security&LCID=1033 Hope it helps.This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.