UltimateWindowsSecurity.com Forum / Ultimate Windows Security Forum / Security Log / 540 - Successful Network Logon / Unexplained 540 events on W2K workstation in a domain / Latest Posts

RE: Unexplained 540 events on W2K workstation in a domain

RandyFranklinSmith — Tue, 13 Oct 2009 21:31:13 GMT

i think you will need to enable Windows Firewall auditing and trace incoming port connections

RE: Unexplained 540 events on W2K workstation in a domain

kr_lly — Tue, 13 Oct 2009 16:28:49 GMT

This workstation is not hosting IIS. The only shares are default ones: Admin$, C$, IPC$, and print$

Here are the services:

Name Status Startup TypeLog On As
Alerter Started Automatic LocalSystem
Application Management Manual LocalSystem
Automatic Updates Disabled LocalSystem
Background Intelligent Transfer Service Manual LocalSystem
ClipBook Manual LocalSystem
COM+ Event System Started Manual LocalSystem
Computer Browser Disabled LocalSystem
DHCP Client Started Automatic LocalSystem
Distributed Link Tracking Client Disabled LocalSystem
Distributed Transaction Coordinator Manual LocalSystem
DNS Client Started Automatic LocalSystem
Event Log Started Automatic LocalSystem
Fax Service Manual LocalSystem
Indexing Service Manual LocalSystem
InstallDriver Table Manager Manual LocalSystem
Internet Connection Sharing Manual LocalSystem
IPSEC Policy Agent Started Automatic LocalSystem
Logical Disk Manager Started Automatic LocalSystem
Logical Disk Manager Administrative Service Manual LocalSystem
Messenger Disabled LocalSystem
Net Logon Started Automatic LocalSystem
NetMeeting Remote Desktop Sharing Manual LocalSystem
Network Connections Started Manual LocalSystem
Network DDE Manual LocalSystem
Network DDE DSDM Manual LocalSystem
NT LM Security Support Provider Manual LocalSystem
Performance Logs and Alerts Manual LocalSystem
Plug and Play Started Automatic LocalSystem
Print Spooler Started Automatic LocalSystem
Protected Storage Started Automatic LocalSystem
QoS RSVP Manual LocalSystem
Remote Access Auto Connection Manager Manual LocalSystem
Remote Access Connection Manager Started Manual LocalSystem
Remote Procedure Call (RPC) Started Automatic LocalSystem
Remote Procedure Call (RPC) Locator Started Automatic LocalSystem
Remote Registry Service Started Automatic LocalSystem
Removable Storage Started Automatic LocalSystem
Routing and Remote Access Disabled LocalSystem
RunAs Service Started Automatic LocalSystem
SavRoam Started Automatic LocalSystem
Security Accounts Manager Started Automatic LocalSystem
Server Started Automatic LocalSystem
Smart Card Manual LocalSystem
Smart Card Helper Manual LocalSystem
Symantec AntiVirus Started Automatic LocalSystem
Symantec AntiVirus Definition Watcher Started Automatic LocalSystem
Symantec Event Manager Started Automatic LocalSystem
Symantec Network Drivers Service Started Automatic LocalSystem
Symantec Password Validation Manual LocalSystem
Symantec Settings Manager Started Automatic LocalSystem
Symantec SPBBCSvc Manual LocalSystem
System Event Notification Started Automatic LocalSystem
Task Scheduler Started Automatic LocalSystem
TCP/IP NetBIOS Helper Service Started Automatic LocalSystem
Telephony Started Manual LocalSystem
Telnet Disabled LocalSystem
Uninterruptible Power Supply Manual LocalSystem
Utility Manager Manual LocalSystem
VNC Server Version 4 Started Automatic LocalSystem
Windows Installer Manual LocalSystem
Windows Management Instrumentation Started Automatic LocalSystem
Windows Management Instrumentation Driver ExtensionsStarted Manual LocalSystem
Windows Time Started Automatic LocalSystem
Wireless Configuration Manual LocalSystem
Workstation Started Automatic LocalSystem

Thanks for your time!

RE: Unexplained 540 events on W2K workstation in a domain

RandyFranklinSmith — Tue, 13 Oct 2009 13:18:19 GMT

There are a lot of things that could be causing it. Is the user of this workstation hosting an IIS site? Are users browsing the network and enumerating the computer's shared folders? What services are running on the this computer? - Server Service? IIS?

Unexplained 540 events on W2K workstation in a domain

kr_lly — Mon, 12 Oct 2009 13:23:35 GMT

Does anyone have an explanation for this sequence of three Events on a W2K workstation that's in a domain? The workstation name is WK3577. The user in this case (AM\User1) is a valid domain user but there is no logical connection between them and this workstation. The are multiple user accounts generating these Events.

Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 10/11/2009
Time: 11:47:09 PM
User: AM\User1
Computer: WK3577
Description:
Special privileges assigned to new logon:
User Name:
Domain:
Logon ID: (0x0,0x564620)
Assigned: SeChangeNotifyPrivilege

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 10/11/2009
Time: 11:47:09 PM
User: AM\User1
Computer: WK3577
Description:
Successful Network Logon:
User Name: User1
Domain: AM
Logon ID: (0x0,0x564620)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 10/11/2009
Time: 11:47:21 PM
User: AM\User1
Computer: WK3577
Description:
User Logoff:
User Name: User1
Domain: AM
Logon ID: (0x0,0x564620)
Logon Type: 3