more security log info

Discussion in 'Server Security' started by sigm, Oct 21, 2004.

  1. sigm

    sigm Guest

    We have some inetersting activity in our security log during nighttime hours.
    How do I tell if it is just network overhead protocols, or illegimate
    attempts to access the network? Some of the event IDs are:
    538,540,565,576,672,673,674, and 680. I would assume that some of these are
    related to users/computers locking their workstation at night and the systems
    are still responding to the server. Is this correct or do I have a serious
    problem here. I've directed the question to my IS manager, and she does not
    have any idea in regards to this.
     
    sigm, Oct 21, 2004
    #1
    1. Advertisements

  2. It is not unusual to see events logged. Some of those are kerberos related
    which may be computers renewing their tickets as they expire. Computers also
    authenticate in a domain without any user logged on. I would not be too
    concerned unless you have a lot of failures, particularly for user
    "administrator" which could indicate hack attempts. The link below will
    explain in more detail what some of those events mean. --- Steve

    http://www.microsoft.com/technet/security/guidance/secmod144.mspx
     
    Steven L Umbach, Oct 22, 2004
    #2
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.