Unusual logon / logoff Security event log

Discussion in 'Windows Small Business Server' started by Smiley, Dec 4, 2007.

  1. Smiley

    Smiley Guest

    Hi there,

    I have these repeated entries of event ID 540, 538, 608 in a row for a
    particular user.

    Another peculiar thing is, for example, event ID 540. On the event, the
    logon type said 3; however, when I check the link on the event ID, it said
    the logon type is 4. So I am totally confused whether this is logon type 3
    or logon type 4. On the webpage, type 3 is network, type 4 is batch.

    Logon type  Logon title  Description
    2           Interactive  A user logged on to this computer at the console.
    3           Network      A user or computer logged on to this computer from
                             the network.
    4           Batch        Batch logon type is used by batch servers, where
                             processes might run on behalf of a user without
                             the user's direct intervention.


    Does anyone have any idea? Is this a security concern or not?

    Kind regards
     
    Smiley, Dec 4, 2007
    #1

  2. Hi Smiley,

    Thanks for posting in our newsgroup.

    Based on my research, 540, 538, 608 may not indicate you have a security
    risk because they are success events. I tested and found there are lots of
    such events on my test machine. The following is the related information
    about the events:

    540: This message includes the user name and the domain information of the
    user account that was logged on, the name of the logon process that logged
    the user on, the type of authentication credentials that were presented,
    and a logon GUID (globally unique identifier).

    538: The event appears when a user logs on or logs off.

    608: This event record indicates that a specific right was assigned to the
    identified user.

    More info:

    Message Details:
    http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows%20Operating%20System&ProdVer=5.0&EvtID=540&EvtSrc=Security&LCID=1033

    To research on the logon type difference, please help me collect the
    following information and I need to do deep research. Thanks for your time
    and patience.

    MPS Report

    1) Download MPS report tool from:
    http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd915706/MPSRPT_SETUPPerf.EXE
    2) Run the MPSRPT_SETUPPerf.exe on the server box.
    3) Wait for 10~15 minutes.
    4) Open Windows explorer, navigate to
    %SYSTEMROOT%\MPSReports\Setup\Reports\cab\
    5) Send the .cab file to with subject:
    41079378-Unusual logon / logoff Security event log.

    In addition, please implement strong password policies in your network to
    prevent hackers from accessing your system. To do this:

    Open Server Management console, navigate to Users snap-in. In the right
    panel, click ''Configure Password Policies''. Enable the password policies.

    1. Password must meet minimum length requirements.
    2. Password must meet complexity requirements.
    3. Password must be changed regularly.
    4. Configure password policies: Immediately.

    More info:

    Securing Your Windows Small Business Server 2003 Network
    http://www.microsoft.com/downloads/details.aspx?familyid=ccf92588-f367-4d25-8501-b4f680280f71&displaylang=en


    I am looking forward to hearing from you.

    If you need further assistance, please don't hesitate to let me know.

    Best regards,

    Robert Li(MSFT)

    Microsoft CSS Online Newsgroup Support

    Get Secure! - www.microsoft.com/security

    =====================================================

    This newsgroup only focuses on SBS technical issues. If you have issues
    regarding other Microsoft products, you'd better post in the corresponding
    newsgroups so that they can be resolved in an efficient and timely manner.
    You can locate the newsgroup here:
    http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

    When opening a new thread via the web interface, we recommend you check the
    "Notify me of replies" box to receive e-mail notifications when there are
    any updates in your thread. When responding to posts via your newsreader,
    please "Reply to Group" so that others may learn and benefit from your
    issue.

    Microsoft engineers can only focus on one issue per thread. Although we
    provide other information for your reference, we recommend you post
    different incidents in different threads to keep the thread clean. In doing
    so, it will ensure your issues are resolved in a timely manner.

    For urgent issues, you may want to contact Microsoft CSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.

    Any input or comments in this thread are highly appreciated.

    =====================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.

     
    Robert Li [MSFT], Dec 5, 2007
    #2

  3. Smiley

    Smiley Guest

    Hi there,

    I have emailed you the log.

    If the event is random then there are no concerns; however, I have a row
    of 540, 538, 608, 538, 608, 608 etc. for the same user, then another
    sequence for other users.

    Your help is much appreciated and I look forward to hearing from you.

    Kind regards
     
    Smiley, Dec 5, 2007
    #3
  4. Hi,

    Thanks for your reply.

    I researched the MPS Report but didn't find the Security log. Since that's
    large, you can export that and load it to the workplace:

    URL:
    Password:

    To export the Security event log:

    1. Click Start -> Run, type EVENTVWR.MSC and click OK.
    2. Right click the Security Event, select Save Log File as, save it to .evt
    file.

    Of course I will keep the MPS Report and Security logs secret.

    Here are the meanings of events 608 and 538:

    608: This event record indicates that a specific right was assigned to the
    identified user. Certain rights have security implications. Assigning such
    rights to a user who is not trusted can be a security risk.

    538: This event record indicates that a user has logged off.

    To find more information about the events 540, 538, 608, I need to research
    your Security log.

    I notice some events occur 10 times per second. Please take the following
    steps on Computer KEBLE:

    Step 1: Please make a clean boot on computer KEBLE to make sure the problem
    is not caused by some third party software.

    1. Click Start->Run...->type msconfig and press Enter.
    2. Click Services tab and select Hide All Microsoft Services and Disable
    All third party Services.
    3. Click Startup tab and Disable All startup items.
    4. Click OK and choose Restart.
    5. After reboot, check whether the problem still occurs.
    6. If there are no more problems, please use the above steps to enable
    services and startup items one by one in order to figure out the root cause
    of this issue.

    Step 2: The problem may be caused by a virus on Computer KEBLE. Please scan
    the system with anti-virus software which has the latest signatures.

    More info:

    Windows Defender Home
    http://www.microsoft.com/athome/security/spyware/software/default.mspx

    I am looking forward to hearing from you.

    If you need further assistance, please don't hesitate to let me know.

    Best regards,

    Robert Li(MSFT)

     
    Robert Li [MSFT], Dec 6, 2007
    #4
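
Added example (not part of the thread, and not Microsoft's tooling): one way to triage the pattern discussed above, repeated 540/538/608 runs per user and logon/logoff events arriving many times per second, once the Security log has been exported to text. The CSV column layout, the account names `svc_example` and `alice`, and the workstation names are assumptions constructed for this example.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Event IDs discussed in the thread (Windows 2000/2003-era Security log).
LOGON, LOGOFF, RIGHT_ASSIGNED = 540, 538, 608
# Logon types from the table quoted in the first post.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch"}


def build_sample():
    """Return constructed CSV text: one noisy account and one ordinary one."""
    start = datetime(2007, 12, 5, 9, 0, 0)
    rows = ["timestamp,event_id,user,logon_type,workstation"]
    # 'svc_example' logs on and off 6 times within one second (12 events).
    for _ in range(6):
        rows.append(f"{start.isoformat()},{LOGON},svc_example,3,WS-EXAMPLE")
        rows.append(f"{start.isoformat()},{LOGOFF},svc_example,3,WS-EXAMPLE")
    rows.append(f"{start.isoformat()},{RIGHT_ASSIGNED},svc_example,,")
    # 'alice' has a normal console session: logon, then logoff 42 minutes later.
    rows.append(f"{start.isoformat()},{LOGON},alice,2,SERVER-EXAMPLE")
    later = start + timedelta(minutes=42)
    rows.append(f"{later.isoformat()},{LOGOFF},alice,2,SERVER-EXAMPLE")
    return "\n".join(rows) + "\n"


def parse_events(text):
    """Parse the assumed CSV layout into a list of event dicts."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "time": datetime.fromisoformat(row["timestamp"]),
            "event_id": int(row["event_id"]),
            "user": row["user"],
            "logon_type": int(row["logon_type"]) if row["logon_type"] else None,
            "workstation": row["workstation"] or None,
        })
    return events


def summarize(events, per_second_threshold=10):
    """Per user: peak logon/logoff rate, logon types, sources, 608 count.

    Only users with at least one 540 or 538 event appear in the result.
    """
    per_second = defaultdict(Counter)  # user -> {second: 540/538 count}
    types = defaultdict(Counter)       # user -> {logon type name: count}
    sources = defaultdict(set)         # user -> workstations seen on 540
    rights = Counter()                 # user -> number of 608 events
    for ev in events:
        user = ev["user"]
        if ev["event_id"] in (LOGON, LOGOFF):
            per_second[user][ev["time"].replace(microsecond=0)] += 1
        if ev["event_id"] == LOGON:
            name = LOGON_TYPES.get(ev["logon_type"], f"type {ev['logon_type']}")
            types[user][name] += 1
            if ev["workstation"]:
                sources[user].add(ev["workstation"])
        if ev["event_id"] == RIGHT_ASSIGNED:
            rights[user] += 1

    report = {}
    for user, buckets in per_second.items():
        second, peak = buckets.most_common(1)[0]
        report[user] = {
            "peak_per_second": peak,
            "peak_second": second,
            "burst": peak >= per_second_threshold,
            "logon_types": dict(types[user]),
            "workstations": sorted(sources[user]),
            "rights_assigned": rights[user],
        }
    return report


if __name__ == "__main__":
    for user, info in summarize(parse_events(build_sample())).items():
        print(user, info)
```

The per-user logon type and source workstation columns are what separate a chatty service or mapped-drive client (type 3 from one machine) from activity that needs a closer look.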
  5. Smiley

    Smiley Guest

    Hi Robert,

    The log finally uploaded and was just sent over this evening. What a chore.
    Please would you let me know whether there is anything on the log.

    Kind regards,
     
    Smiley, Dec 6, 2007
    #5
  6. Hi,

    Thanks for your reply.

    Based on my research, please take the following steps on the problematic
    computer.

    Step 1: I found lots of logon and logoff events caused by user. This seems
    to be caused by third party software or a virus. I didn't find such a user
    in our internal resources. You can make a clean boot and virus scan as I
    suggested in my previous reply.

    Step 2: Please change the password and try again.

    1. Open Server Management and click Users.
    2. Right click the user account and select Reset Password.
    3. Input the new password.

    Step 3: Please reset the computer and try again.

    1. Open ADUC.
    2. Migrate to Domain.local\MyBusiness\Computers\SBSComputers.
    3. Right click computer account and click Reset Account.

    Step 4: The issue may be caused by a corrupt security channel. Please use
    the Netdom tool that is included in the Windows Support Tools to verify
    network trust relationships and reset or establish a connection to a server.

    netdom reset domainmember /domain:mydomain

    More information:
    Resetting computer accounts in Windows 2000 and Windows XP
    http://support.microsoft.com/kb/216393/

    Hope this helps.

    I am looking forward to hearing from you.

    If you need further assistance, please don't hesitate to let me know.

    Best regards,

    Robert Li(MSFT)

    Microsoft CSS Online Newsgroup Support

    Get Secure! - www.microsoft.com/security

    =====================================================

    This newsgroup only focuses on SBS technical issues. If you have issues
    regarding other Microsoft products, you'd better post in the corresponding
    newsgroups so that they can be resolved in an efficient and timely manner.
    You can locate the newsgroup here:
    http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

    When opening a new thread via the web interface, we recommend you check the
    "Notify me of replies" box to receive e-mail notifications when there are
    any updates in your thread. When responding to posts via your newsreader,
    please "Reply to Group" so that others may learn and benefit from your
    issue.

    Microsoft engineers can only focus on one issue per thread. Although we
    provide other information for your reference, we recommend you post
    different incidents in different threads to keep the thread clean. In doing
    so, it will ensure your issues are resolved in a timely manner.

    For urgent issues, you may want to contact Microsoft CSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.

    Any input or comments in this thread are highly appreciated.

    =====================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.

    --------------------
    <From: "Smiley" <>
    <Newsgroups: microsoft.public.windows.server.sbs
    <Subject: Re: Unusual logon / logoff Security event log
    <Date: Thu, 6 Dec 2007 18:15:17 -0000
    <Lines: 338
    <Message-ID: <fj9e7m$dgd$1$>
    <References: <fj3b53$cua$1$>
    <>
    <fj6erk$nj3$1$>
    <0ihLvo#>
    <NNTP-Posting-Host: blueandmiko1.demon.co.uk
    <X-Trace: news.demon.co.uk 1196964919 13837 80.177.109.206 (6 Dec 2007
    18:15:19 GMT)
    <X-Complaints-To:
    <NNTP-Posting-Date: Thu, 6 Dec 2007 18:15:19 +0000 (UTC)
    <X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
    <X-Priority: 3
    <X-RFC2646: Format=Flowed; Original
    <X-Antivirus: avast! (VPS 071205-2, 05/12/2007), Outbound message
    <X-MSMail-Priority: Normal
    <X-Antivirus-Status: Clean
    <X-Newsreader: Microsoft Outlook Express 6.00.2900.3138
    <Path:
    TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTFEEDS02.phx.gbl!newsfeed0
    0.sul.t-online.de!t-online.de!kanaga.switch.ch!switch.ch!news.tele.dk!news.t
    ele.dk!small.news.tele.dk!lnewsinpeer00.lnd.ops.eu.uu.net!emea.uu.net!peer-u
    k.news.demon.net!kibo.news.demon.net!news.demon.co.uk!demon!not-for-mail
    <Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.sbs:80468
    <X-Tomcat-NG: microsoft.public.windows.server.sbs
    <
    <Hi Robert,
    <
    <the log finally uploaded and just sent over this evening. What a chord.
    <Please would you let me know whether there is anything on the log.
    <
    <Kind regards,
    <
    <<> Hi,
    <>
    <> Thanks for your reply.
    <>
    <> I researched the MPS Report but didn't find the Security log. Since
    that's
    <> large, you can export that and load it to the workplace:
    <>
    <> URL:
    <> Password:
    <>
    <> To export the Security event log:
    <>
    <> 1. Click Start -> Run, type EVENTVWR.MSC and click OK.
    <> 2. Right click the Security Event, select Save Log File as, save it to
    <> .evt
    <> file.
    <>
    <> Of cause I will keep the MPS Report and Security logs secret.
    <>
    <> Here are the meaning of events 608 and 538:
    <>
    <> 608: This event record indicates that a specific right was assigned to
    the
    <> identified user. Certain rights have security implications. Assigning
    such
    <> rights to a user who is not trusted can be a security risk.
    <> 538: This event record indicates that a user has logged off.
    <> To find more information about the events 540, 538, 608, I need to
    <> research
    <> you Security log.
    <> I notice some events occurs 10 times per second, Please take the
    following
    <> steps on Computer KEBLE:
    <> Step 1: Please make a clean boot on computer KEBLE to make sure the
    <> problem
    <> is not caused by some third party software.
    <>
    <> 1. Click Start->Run...->type msconfig and press Enter.
    <> 2. Click Services tab and select Hide All Microsoft Services and Disable
    <> All third party Services.
    <> 3. Click Startup tab and Disable All startup items.
    <> 4. Click OK and choose Restart.
    <> 5. After reboot, check whether the problem still occurs.
    <> 6. If there are no more problems, please use the above steps to enable
    <> services and startup items one by one in order to figure out the root
    <> cause
    <> of this issue
    <>
    <> Step 2: The problem may be caused by virus on Computer KEBLE. Please scan
    <> the system with Anti Virus software which as latest signature.
    <>
    <> More info:
    <>
    <> Windows Defender Home
    <> http://www.microsoft.com/athome/security/spyware/software/default.mspx
    <>
    <> I am looking forward to hear from you.
    <>
    <> If you need further assistance, please don't hesitate to let me know.
    <>
    <> Best regards,
    <>
    <> Robert Li(MSFT)
    <>
    <> Microsoft CSS Online Newsgroup Support
    <>
    <> Get Secure! - www.microsoft.com/security
    <>
    <> =====================================================
    <>
    <> This newsgroup only focuses on SBS technical issues. If you have issues
    <> regarding other Microsoft products, you'd better post in the
    corresponding
    <> newsgroups so that they can be resolved in an efficient and timely
    manner.
    <> You can locate the newsgroup here:
    <> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
    <>
    <> When opening a new thread via the web interface, we recommend you check
    <> the
    <> "Notify me of replies" box to receive e-mail notifications when there are
    <> any updates in your thread. When responding to posts via your newsreader,
    <> please "Reply to Group" so that others may learn and benefit from your
    <> issue.
    <>
    <> Microsoft engineers can only focus on one issue per thread. Although we
    <> provide other information for your reference, we recommend you post
    <> different incidents in different threads to keep the thread clean. In
    <> doing
    <> so, it will ensure your issues are resolved in a timely manner.
    <>
    <> For urgent issues, you may want to contact Microsoft CSS directly. Please
    <> check http://support.microsoft.com for regional support phone numbers.
    <>
    <> Any input or comments in this thread are highly appreciated.
    <>
    <> =====================================================
    <>
    <> This posting is provided "AS IS" with no warranties, and confers no
    <> rights.
    <>
    <> --------------------
    <> <From: "Smiley" <>
    <> <Newsgroups: microsoft.public.windows.server.sbs
    <> <Subject: Re: Unusual logon / logoff Security event log
    <> <Date: Wed, 5 Dec 2007 15:07:29 -0000
    <> <Lines: 174
    <> <Message-ID: <fj6erk$nj3$1$>
    <> <References: <fj3b53$cua$1$>
    <> <>
    <> <NNTP-Posting-Host: blueandmiko1.demon.co.uk
    <> <X-Trace: news.demon.co.uk 1196867253 24163 80.177.109.206 (5 Dec 2007
    <> 15:07:33 GMT)
    <> <X-Complaints-To:
    <> <NNTP-Posting-Date: Wed, 5 Dec 2007 15:07:33 +0000 (UTC)
    <> <X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
    <> <X-Priority: 3
    <> <X-RFC2646: Format=Flowed; Original
    <> <X-Antivirus: avast! (VPS 071205-1, 05/12/2007), Outbound message
    <> <X-MSMail-Priority: Normal
    <> <X-Antivirus-Status: Clean
    <> <X-Newsreader: Microsoft Outlook Express 6.00.2900.3138
    <> <Path:
    <>
    TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTFEEDS02.phx.gbl!newsfeed0
    <>
    0.sul.t-online.de!t-online.de!news.glorb.com!peer1.news.newnet.co.uk!194.159
    <>
    246.34.MISMATCH!peer-uk.news.demon.net!kibo.news.demon.net!news.demon.co.uk
    <> !demon!not-for-mail
    <> <Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.sbs:80195
    <> <X-Tomcat-NG: microsoft.public.windows.server.sbs
    <> <
    <> <Hi there,
    <> <
    <> <I have emailed you the log.
    <> <
    <> <If the event is randam then there is no concerns however, I have a row
    <> for
    <> <540, 538, 608, 538, 608, 608 etc for the same user then another sequence
    <> for
    <> <another users.
    <> <
    <> <Much appreciated of our help and look forward hearing from you.
    <> <
    <> <Kind regards
    <> <
    <> <<> <> Hi Smiley,
    <> <>
    <> <> Thanks for posting in our newsgroup.
    <> <>
    <> <> Based on my research, 540, 538, 608 may not indicate you have security
    <> <> risk
    <> <> because they are success events. I tested and found there are lots of
    <> such
    <> <> events in my test machine. The following are the related information
    <> about
    <> <> the events:
    <> <>
    <> <> 540: This message includes the user name and the domain information of
    <> the
    <> <> user account that was logged on, the name of the logon process that
    <> logged
    <> <> the user on, the type of authentication credentials that were
    <> presented,
    <> <> and a logon GUID (globally unique identifier).
    <> <>
    <> <> 538: The event appears when user logon or logoff.
    <> <>
    <> <> 608: This event record indicates that a specific right was assigned to
    <> the
    <> <> identified user.
    <> <>
    <> <> More info:
    <> <>
    <> <> Message Details:
    <> <>
    <>
    http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows%
    <> <> 20Operating%20System&ProdVer=5.0&EvtID=540&EvtSrc=Security&LCID=1033
    <> <>
    <> <> To research on the logon type difference, please help me collect the
    <> <> following information and I need to do deep research. Thanks for your
    <> time
    <> <> and patience.
    <> <>
    <> <> MPS Report
    <> <>
    <> <> 1) Download MPS report tool from:
    <> <>
    <>
    http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd9
    <> <> 15706/MPSRPT_SETUPPerf.EXE
    <> <> 2) Run the MPSRPT_SETUPPerf.exe on the server box.
    <> <> 3) Wait for 10~15 minutes.
    <> <> 4) Open Windows explorer, navigate to
    <> <> %SYSTEMROOT%\MPSReports\Setup\Reports\cab\
    <> <> 5) Send the .cab file to with subject:
    <> <> 41079378-Unusual logon / logoff Security event log.
    <> <>
    <> <> In addition, please implement Strong password policies in your network to
    <> <> prevent the hackers access your system. To do this:
    <> <>
    <> <> Open Server Management console, navigate to Users snap-in. In the right
    <> <> panel, click ''Configure Password Policies''. Enable the password
    <> <> policies.
    <> <>
    <> <> 1. Password must meet minimum length requirements.
    <> <> 2. Password must meet complexity requirements.
    <> <> 3. Password must be changed regularly.
    <> <> 4. Configure password policies: Immediately.
    <> <>
    <> <> More info:
    <> <>
    <> <> Securing Your Windows Small Business Server 2003 Network
    <> <> http://www.microsoft.com/downloads/details.aspx?familyid=ccf92588-f367-4d25-8501-b4f680280f71&displaylang=en
    <> <>
    <> <>
    <> <> I am looking forward to hear from you.
    <> <>
    <> <> If you need further assistance, please don't hesitate to let me know.
    <> <>
    <> <> Best regards,
    <> <>
    <> <> Robert Li(MSFT)
    <> <>
    <> <> Microsoft CSS Online Newsgroup Support
    <> <>
    <> <> Get Secure! - www.microsoft.com/security
    <> <>
    <> <> --------------------
    <> <> <From: "Smiley" <>
    <> <> <Newsgroups: microsoft.public.windows.server.sbs
    <> <> <Subject: Unusual logon / logoff Security event log
    <> <> <Date: Tue, 4 Dec 2007 10:45:54 -0000
    <> <> <
    <> <> <Hi there,
    <> <> <
    <> <> <Has this repeat entries of event ID 540, 538, 608 in a row for particular
    <> <> <user.
    <> <> <
    <> <> <Another peculiar is for example event ID 540, On the event id, the logon
    <> <> <type said 3, however when check on the link on the event ID which said logon
    <> <> <type is 4. So I am totally confused whether this is logon type 3 or logon
    <> <> <type 4. On the webpage, type 3 is network, type 4 is batch.
    <> <> < Logon type Logon title Description
    <> <> < 2 Interactive A user logged on to this computer at the console.
    <> <> < 3 Network A user or computer logged on to this computer from the
    <> <> <network.
    <> <> < 4 Batch Batch logon type is used by batch servers, where processes
    <> <> <might run on behalf of a user without the user's direct intervention.
    <> <> <
    <> <> <
    <> <> <Anyone has any idea ? Is this a security concern or not.
    <> <> <
    <> <> <Kind regards
     
    Robert Li [MSFT], Dec 7, 2007
    #6
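
An added example, not part of any post in this thread: one way to settle which logon type the repeated 540/538 entries carry is to read the Logon Type field from the exported events themselves and pair each 540 logon with its 538 logoff by Logon ID. The record layout, account names and Logon IDs below are constructed assumptions; the logon type names are the ones from the table quoted in the thread.

```python
import re
from collections import Counter

# Logon type names as listed in the table quoted in the thread.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch"}

# Constructed sample export (not real log data): "event id|time|description",
# with the description flattened to "Field: value" pairs. Layout is an assumption.
SAMPLE = """\
540|2007-12-04 10:00:01|User Name: jsmith; Domain: CONTOSO; Logon ID: (0x0,0x1A2B3); Logon Type: 3
538|2007-12-04 10:00:02|User Name: jsmith; Domain: CONTOSO; Logon ID: (0x0,0x1A2B3); Logon Type: 3
540|2007-12-04 10:00:09|User Name: jsmith; Domain: CONTOSO; Logon ID: (0x0,0x1A2C0); Logon Type: 3
538|2007-12-04 10:00:10|User Name: jsmith; Domain: CONTOSO; Logon ID: (0x0,0x1A2C0); Logon Type: 3
540|2007-12-04 10:05:00|User Name: backupsvc; Domain: CONTOSO; Logon ID: (0x0,0x1B000); Logon Type: 4
540|2007-12-04 10:06:00|User Name: jsmith; Domain: CONTOSO; Logon ID: (0x0,0x1B111); Logon Type: 3
"""

FIELD = re.compile(r"([A-Za-z ]+):\s*([^;]+)")

def parse(text):
    """Yield (event_id, fields) for each non-empty record line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        event_id, _when, desc = line.split("|", 2)
        fields = {k.strip(): v.strip() for k, v in FIELD.findall(desc)}
        yield int(event_id), fields

def summarize(text):
    """Count 540 logons per (user, logon type); list sessions with no 538 logoff."""
    counts, open_sessions = Counter(), {}
    for event_id, f in parse(text):
        key = (f["User Name"], f["Logon ID"])
        if event_id == 540:
            ltype = int(f["Logon Type"])
            name = LOGON_TYPES.get(ltype, f"type {ltype}")
            counts[(f["User Name"], name)] += 1
            open_sessions[key] = ltype
        elif event_id == 538:
            # A logoff closes the session that shares its Logon ID.
            open_sessions.pop(key, None)
    return counts, sorted(open_sessions)

if __name__ == "__main__":
    per_user, still_open = summarize(SAMPLE)
    for (user, ltype), n in sorted(per_user.items()):
        print(f"{user:10} {ltype:12} {n} logon(s)")
    print("No matching 538 yet:", still_open)
```

A steady run of short-lived Network logons for one account that each close with a 538 looks different in this summary from a Batch logon that appears without the administrator having scheduled anything, which is the distinction the original question turns on.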