Security Log: Server 2003 Event Viewer

  • Security Log: Server 2003 Event Viewer

    We're running Server 2003 (+ Exchange Server) for a small network at our Community Centre. Typically there will only be two or three users logged on.

    The system seems to be working satisfactorily and the AV software doesn't indicate any problems, but I'm puzzled by the very large number of 538, 540 and 576 logon/logoff entries that appear in the Security Log (more than 2000 in 3 hours this morning).

    Yesterday we had a huge number of logon failures showing in the System log, which I assumed to be hackers. Could the Security Log events today be related to this?

    I'd be very grateful for a comment on this

  • #2
    Re: Security Log: Server 2003 Event Viewer

    Do the events give any indication of the source (including the computer and user account)?
    It could be many things, for example a cached password or maybe hackers attempting to hit OWA.
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    IT Trainer / Consultant
    Ossian Ltd

    ** Remember to give credit where credit is due and leave reputation points where appropriate **


    • #3
      Re: Security Log: Server 2003 Event Viewer

      Thank you very much indeed for your response

      All of the events (apart for example from recognisable logons by myself as administrator) are for user 'NT Authority/System'. Here's one example:

      Success A: Event ID 540
      Successful Network Logon:
      User Name: KPC-SERVER01$
      Domain: KPC
      Logon ID: (0x0,0x9073880)
      Logon Type: 3
      Logon Process: Kerberos
      Authentication Package: Kerberos
      Workstation Name:
      Logon GUID: {b2af3b3d-613f-3880-0045-873dfc21253e}

      This particular event was followed by 6 Event IDs 538 - all within 30 seconds

      I'm not sufficiently experienced to make much sense of this, I'm afraid !


      • #4
        Re: Security Log: Server 2003 Event Viewer

        Look in the Security Log for Event Id: 529. This should give you an indication of any attacks and what accounts they are targeting. Change the Administrator account to something that is not so easy to guess and do NOT use accounts that are default ones. Got a list of common ones not to use and if I can find it I will post it here.

        Also make sure you have real STRONG passwords and not the namby pamby 8 character ones that MS consider strong. Set Lockout so if an account has 3 wrong attempts have the account automatically lock for 15, 30, 60 minutes or until you unlock it.

        Make sure the Users understand the security implications of having secure passwords and not to use the same password on their computer that they use for their Facebork, Hotmail/Gmail etc accounts.

        Teach them to NOT open emails that they don't know who they came from, especially Facebork "friend" messages and screw down their Net access. Enable any bit of security that you can.
        1 1 was a racehorse.
        2 2 was 1 2.
        1 1 1 1 race 1 day,
        2 2 1 1 2


        • #5
          Re: Security Log: Server 2003 Event Viewer

          Thank you very much - lots of good advice !

          There are no 529 events

          All users (except the Administrator) are in a single Organisational Unit.

          None of the built-in groups are used.

          The only live user in the Users group is the Administrator (with a very strong password !)

          Thanks again


          • #6
            Re: Security Log: Server 2003 Event Viewer

            This is what a 529 can look like. The "fun" part can be tracing the attacker's IP. Had one from Server 71 in a Turkish Data Centre and the following week it was a Swedish Data Centre. Worst attack was around 89,000 attempts and I am just a tiny home network with open ports unfortunately. Users now get 3 attempts before lockout.

            [Image: event-id-529.png]
            1 1 was a racehorse.
            2 2 was 1 2.
            1 1 1 1 race 1 day,
            2 2 1 1 2
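
An added example (not code from any poster in this thread): a triage script for an exported Security Log that counts the computer-account 538/540 records seen in post #3 separately from 529 failures, and flags any account and source pair that reaches the 3-attempt lockout figure suggested above. The export layout (one `Field: value` per line, blank line between records), the `Source Network Address` field name, and all sample records are assumptions constructed for illustration.

```python
import re
from collections import Counter

def parse_events(text):
    """One dict of 'Field: value' pairs per blank-line-separated record."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^[ \t]*([^:\n]+):[ \t]*(.*)$", block, re.M))
        if "Event ID" in fields:
            events.append({k.strip(): v.strip() for k, v in fields.items()})
    return events

def triage(events, threshold=3):
    """Count computer-account logon/logoff records separately from 529 failures."""
    computer, failures = Counter(), Counter()
    for ev in events:
        eid, user = ev["Event ID"], ev.get("User Name", "")
        if eid in ("538", "540") and user.endswith("$"):  # '$' suffix = computer account
            computer[(eid, user)] += 1
        elif eid == "529":
            # "Source Network Address" is an assumed field name for the export
            src = ev.get("Source Network Address", "unknown")
            failures[(user.lower(), src)] += 1
    # threshold mirrors the 3-attempt lockout suggested in the thread
    flagged = {k: n for k, n in failures.items() if n >= threshold}
    return computer, flagged

def record(event_id, user, **extra):
    """Build one constructed sample record."""
    lines = [f"Event ID: {event_id}", f"User Name: {user}", "Domain: KPC", "Logon Type: 3"]
    lines += [f"{k.replace('_', ' ')}: {v}" for k, v in extra.items()]
    return "\n".join(lines)

# Constructed sample: one 540 followed by six 538s as in post #3, plus made-up
# 529 failures from documentation-range addresses.
SAMPLE = "\n\n".join(
    [record(540, "KPC-SERVER01$", Logon_Process="Kerberos")]
    + [record(538, "KPC-SERVER01$")] * 6
    + [record(529, "administrator", Source_Network_Address="203.0.113.50")] * 4
    + [record(529, "jsmith", Source_Network_Address="192.0.2.7")]
)

if __name__ == "__main__":
    computer, flagged = triage(parse_events(SAMPLE))
    print("computer-account records:", dict(computer))
    print("accounts at or over the failure threshold:", flagged)
```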