Multiple consistent Security Event Logs

Discuss Windows Event Log events. What they mean, what they tell you about your machine's security ... and whatever questions else you have.


Postby .kg. » Mon May 22, 2006 11:38 am

Hello all,

I have 1 DC (Global catalog, all 5 fsmo roles), 1 ADC(Global catalog) and 20 XP clients.

I recently joined this organization, and before this the GPOs were not configured to capture audits on the network.

Considering the critical nature of our projects, I configured the GPO policy to capture audits (failure and success) for both the clients and the servers.

Plus, enabled certain other policies relating to secure Network Communication.

For DCs:

Security Options---

-Microsoft network client: Send unencrypted password to third-party SMB servers==Disabled
-Network access: Allow anonymous SID/Name translation==Disabled
-Network access: Do not allow anonymous enumeration of SAM accounts and shares==Enabled
-Domain member: Digitally encrypt secure channel data (when possible)==Enabled
-Network access: Do not allow anonymous enumeration of SAM accounts==Enabled
-Domain member: Digitally encrypt or sign secure channel data (always)==Enabled
-LAN manager Authentication Level==Send LM & NTLM - use NTLMv2 session security if negotiated

Audit Policy---

-Audit account logon events==Failure
-Audit account management==Failure
-Audit directory service access==Failure
-Audit logon events==Failure
-Audit object access==Not Configured
-Audit policy change==Failure
-Audit privilege use==Failure
-Audit process tracking==Not Configured
-Audit system events==Failure

Since then, the event logs of the servers (both the DC and the ADC) as well as certain clients have been showing multiple consistent Failure Audits for Object Access, Logon/Logoff, Account Logon, Privilege Use with 'User' varying from Network Service, System, Domain Users and Domain Admins.

My concerns grew when I found external IP(s) communicating with my ADC at regular times. They were in no way related to us. I checked and found that 1-2 of them were from small websites, and others were from a block of IPs allocated by the Internic.

However, since then I have been monitoring changes, movements in the services closely.

The following are the errors that have been occurring now on the network:

a. Wireless connections (of 2 users) disconnect and re-connect automatically during the day. It is not periodic or regular though. # this Never happened before.

b. The Events always show regular failure attempts by different sources and users.

The following events are most common in the server logs-

Account Logon

Pre-authentication failed:
User Name: kg
User ID: domain\kg
Service Name: krbtgt/domain
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address:

***(note: the ADC IP is logged as localhost here, don't know why?)***

Privilege Use

Privileged Service Called:
Server: Security
Service: -
Primary User Name: kg
Primary Domain: domain
Primary Logon ID: (0x0,0x8EB8B)
Client User Name: -
Client Domain: -
Client Logon ID: -
Privileges: SeRestorePrivilege

Object Access
Object Open:
Object Server: SC Manager
Object Name: ServicesActive
Handle ID: -
Operation ID: {0,42740}
Process ID: 544
Image File Name: C:\WINDOWS\system32\services.exe
Primary User Name: ADC$
Primary Domain: domain
Primary Logon ID: (0x0,0x3E7)
Client Domain: NT AUTHORITY
Client Logon ID: (0x0,0x3E4)
Connect to service controller
Lock service database for exclusive access

Apart from this log, at times, the services.exe starts consuming too much CPU usage.


Logon Failure:
Reason: Unknown user name or bad password
User Name: kg
Domain: domain
Logon Type: 2
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: ADC
Caller User Name: ADC$
Caller Domain: domain
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 500
Transited Services: -
Source Network Address:
Source Port: 0

Also, even though the ADC is a GC, the users' event log has this error (at times when the DC is not up):


No Domain Controller is available for domain ESINDIA due to the following:
There are currently no logon servers available to service the logon request. .
Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.


One more log event that I am concerned about is:


TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.


These failures are logged in multitudes and they don't follow any regularity. E.g. LogOn/LogOff / Account Logon events were logged even when the user logged on to the domain straight away, in one attempt.

I have searched on different forums and on Microsoft, but not much help other than turning the audits off.

Any suggestions are Welcome.

Thanks for your efforts.
Posts: 3
Joined: Mon May 22, 2006 11:16 am
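The event bodies quoted in the post are the classic Windows 2000/2003 key: value text form. As an added example (not part of the post, and not a Microsoft or forum tool), the script below parses that form, explains the two codes that matter most here (Kerberos failure code 0x18 and the logon type / well-known caller logon ID), and tallies failure audits per account so that the same user failing pre-authentication over and over stands out. The sample events are constructed, modelled on the ones quoted above; the client address 127.0.0.1 and the repetition counts are assumptions made for the demonstration.

```python
"""Parse Windows 2003-era Security log event bodies (key: value text form)
and tally failure audits by account and reason. Added example, not forum code."""
from collections import Counter

# Constructed sample events, modelled on the bodies quoted in the post.
# The duplicate pre-auth failure and the 127.0.0.1 address are assumptions.
SAMPLE_EVENTS = [
    r"""Pre-authentication failed:
User Name: kg
User ID: domain\kg
Service Name: krbtgt/domain
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 127.0.0.1""",
    r"""Pre-authentication failed:
User Name: kg
User ID: domain\kg
Service Name: krbtgt/domain
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 127.0.0.1""",
    r"""Logon Failure:
Reason: Unknown user name or bad password
User Name: kg
Domain: domain
Logon Type: 2
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: ADC
Caller User Name: ADC$
Caller Domain: domain
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 500
Transited Services: -
Source Network Address:
Source Port: 0""",
    r"""Object Open:
Object Server: SC Manager
Object Name: ServicesActive
Handle ID: -
Operation ID: {0,42740}
Process ID: 544
Image File Name: C:\WINDOWS\system32\services.exe
Primary User Name: ADC$
Primary Domain: domain
Primary Logon ID: (0x0,0x3E7)
Client Domain: NT AUTHORITY
Client Logon ID: (0x0,0x3E4)
Connect to service controller
Lock service database for exclusive access""",
]

# Kerberos KDC error codes as they appear in the "Failure Code" field (RFC 4120).
KERBEROS_FAILURE_CODES = {
    0x6: "client not found in Kerberos database (unknown user)",
    0x12: "client credentials revoked (disabled, expired or locked account)",
    0x17: "password expired",
    0x18: "pre-authentication failed (bad password)",
    0x25: "clock skew too great",
}
# Windows logon types for the "Logon Type" field.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive"}
# Fixed logon IDs of the built-in service accounts.
WELL_KNOWN_LOGON_IDS = {"(0x0,0x3E7)": "SYSTEM", "(0x0,0x3E4)": "NETWORK SERVICE",
                        "(0x0,0x3E5)": "LOCAL SERVICE"}


def parse_event(text):
    """Split one event body into headline, key/value fields and trailing access lines."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    headline = lines[0].rstrip(":")
    fields, accesses = {}, []
    for line in lines[1:]:
        key, sep, value = line.partition(":")   # first colon only: paths keep their C:\
        if sep:
            fields[key.strip()] = value.strip()
        else:
            accesses.append(line)               # e.g. "Connect to service controller"
    return {"headline": headline, "fields": fields, "accesses": accesses}


def explain(event):
    """Analyst-facing reason string for a parsed failure audit."""
    f, h = event["fields"], event["headline"]
    if h == "Pre-authentication failed":
        code = int(f.get("Failure Code", "0x0"), 16)
        return KERBEROS_FAILURE_CODES.get(code, f"Kerberos error 0x{code:x}")
    if h == "Logon Failure":
        ltype = int(f.get("Logon Type", "0"))
        caller = WELL_KNOWN_LOGON_IDS.get(f.get("Caller Logon ID", ""), f.get("Caller User Name", "?"))
        return f"{f.get('Reason', 'unknown reason')} ({LOGON_TYPES.get(ltype, f'type {ltype}')} logon, caller {caller})"
    if h == "Object Open":
        return f"{f.get('Object Server')}/{f.get('Object Name')}: " + ", ".join(event["accesses"])
    return h


def subject(event):
    """Account the audit is about: user for logon events, primary user for object access."""
    f = event["fields"]
    return f.get("User Name") or f.get("Primary User Name") or "?"


def tally(texts):
    """Count failure audits by (account, reason)."""
    counts = Counter()
    for text in texts:
        ev = parse_event(text)
        counts[(subject(ev), explain(ev))] += 1
    return counts


def repeated_bad_passwords(texts, threshold=2):
    """Accounts whose Kerberos 0x18 failures reach the threshold. A steady stream of
    0x18 for one user is most often a stale saved credential (mapped drive, scheduled
    task, service) retrying an old password, which is worth ruling out before
    assuming an attacker."""
    per_user = Counter()
    for text in texts:
        ev = parse_event(text)
        if ev["headline"] == "Pre-authentication failed" and \
                int(ev["fields"].get("Failure Code", "0x0"), 16) == 0x18:
            per_user[subject(ev)] += 1
    return sorted(u for u, n in per_user.items() if n >= threshold)


if __name__ == "__main__":
    for (user, reason), n in tally(SAMPLE_EVENTS).most_common():
        print(f"{n:3d}  {user:<8} {reason}")
    print("repeated bad-password users:", repeated_bad_passwords(SAMPLE_EVENTS))
```

Run over a real export, the tally makes the difference between noise and signal visible: many 0x18 entries for one account from a single source with a stale credential, versus a spread of accounts and sources, which is what should be escalated.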
