Multiple 540/538 pairings from non-authorized...
Posted 4/20/2011 9:37:39 AM
Forum Newbie


Group: Forum Members
Last Login: 4/20/2011 9:23:24 AM
Posts: 2, Visits: 0
Over the last few months I have noticed multiple successful 540/538 pairs from users and systems that I know, with 100% certainty, do NOT have access/accounts for this system. I have not yet been able to identify how or why they are logging successful events.

Can you provide any additional insight?

Type Date  Time Source  Category Event User Computer

Success Audit 1/3/2011 10:17:33 AM Security Logon/Logoff  540 Person Account1 
Success Audit 1/3/2011 10:17:42 AM Security Logon/Logoff  538 Person Account1 
Success Audit 1/4/2011 2:58:02 PM Security Logon/Logoff  540 Person Account2 
Success Audit 1/4/2011 2:58:06 PM Security Logon/Logoff  538 Person Account2 
Success Audit 1/4/2011 6:17:09 PM Security Logon/Logoff  538 Person Account2 
Success Audit 1/4/2011 6:17:06 PM Security Logon/Logoff  540 Person Account2 
Success Audit 1/19/2011 2:25:16 PM Security Logon/Logoff  540 Person Account3 
Success Audit 1/19/2011 2:25:17 PM Security Logon/Logoff  538 Person Account3 
Success Audit 1/19/2011 2:25:16 PM Security Logon/Logoff  540 MachineAccount1$ 
Success Audit 1/19/2011 2:25:27 PM Security Logon/Logoff  538 MachineAccount1$ 
Success Audit 3/24/2011 7:01:46 AM Security Logon/Logoff  540 MachineAccount2$ 
Success Audit 3/24/2011 7:01:56 AM Security Logon/Logoff  538 MachineAccount2$ 
Success Audit 3/25/2011 4:43:35 PM Security Logon/Logoff  540 MachineAccount2$ 
Success Audit 3/25/2011 4:43:45 PM Security Logon/Logoff  538 MachineAccount2$ 
Success Audit 3/25/2011 1:20:17 PM Security Logon/Logoff  540 MachineAccount3$ 
Success Audit 3/25/2011 1:20:26 PM Security Logon/Logoff  538 MachineAccount3$
Success Audit 4/2/2011 1:29:35 PM Security Logon/Logoff  540 MachineAccount4$ 
Success Audit 4/2/2011 1:29:45 PM Security Logon/Logoff  538 MachineAccount4$ 
Success Audit 4/2/2011 11:28:53 PM Security Logon/Logoff  540 S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXX 
Success Audit 4/2/2011 11:29:07 PM Security Logon/Logoff  538 S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXX 
Success Audit 4/4/2011 1:25:39 AM Security Logon/Logoff  540 S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXX 
Success Audit 4/4/2011 1:25:51 AM Security Logon/Logoff  538 S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXX 
Success Audit 4/5/2011 10:16:05 AM Security Logon/Logoff  540 MachineAccount5$ 
Success Audit 4/5/2011 10:16:16 AM Security Logon/Logoff  538 MachineAccount5$ 
Success Audit 4/7/2011 4:23:22 PM Security Logon/Logoff  540 MachineAccount3$ 
Success Audit 4/7/2011 4:23:31 PM Security Logon/Logoff  538 MachineAccount3$ 
Success Audit 4/13/2011 10:12:19 PM Security Logon/Logoff  540 MachineAccount6$ 
Success Audit 4/13/2011 10:12:26 PM Security Logon/Logoff  538 MachineAccount6$ 
Success Audit 4/13/2011 5:05:14 PM Security Logon/Logoff  540 MachineAccount6$ 
Success Audit 4/13/2011 5:05:18 PM Security Logon/Logoff  538 MachineAccount6$ 
Success Audit 4/14/2011 11:43:03 AM Security Logon/Logoff  540 MachineAccount6$ 
Success Audit 4/14/2011 11:43:07 AM Security Logon/Logoff  538 MachineAccount6$ 

Post #641
Posted 4/20/2011 1:24:52 PM
Expert


Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
Well, they can't log on successfully like that if they don't have a viable account. It's as simple as that. Remember that viable accounts could be coming not just from local accounts on that server but from any domain in the forest or any other trusted domain outside the forest. I would need to see the full events to offer more help.
Post #643
Posted 4/21/2011 4:41:16 PM
Forum Newbie


Group: Forum Members
Last Login: 4/20/2011 9:23:24 AM
Posts: 2, Visits: 0
I have discovered that I can recreate the MachineAccount$ entry by doing a start/run and entering the UNC path to a drive from my desktop.

What I haven’t been able to get my head wrapped around yet is why a non-viable account from another OU within our domain would be writing “successful” events in the log.

I am an administrator in the OU in which the server resides, and the machine and user accounts reside in another OU that should not have access to the servers in this OU.

In this example, the source address on both the machine and user instance are the same.

Date: 1/19/2011
Source: Security
Time 2:25:16 PM
Category: Logon/Logoff
Type Success A 
Event ID: 540
User: xxxxxxxxxxxx
Computer: xxxxxxxxxxxx
Description:
Successful Network Logon:
User Name: MachineAccount1$
Domain:  xxxxxxxxxxxx
Logon ID:  (0x0,0x2D30904D)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: 
Logon GUID: {c7defacb-4275-1f7c-5ae5-11b317f655e7}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: xxxxxxxxxxxx
Source Port: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: 1/19/2011
Source: Security
Time 2:25:27 PM
Category: Logon/Logoff
Type Success A 
Event ID: 538
User: xxxxxxxxxxxxxxxxxxxxxx
Computer: xxxxxxxxxxxx
Description:
User Logoff:
User Name: MachineAccount1$
Domain:  xxxxxxxxxxxx
Logon ID:  (0x0,0x2D30904D)
Logon Type: 3

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: 1/19/2011
Source: Security
Time 2:25:16 PM
Category: Logon/Logoff
Type Success A 
Event ID: 540
User: xxxxxxxxxxxx
Computer: xxxxxxxxxxxx
Description:
Successful Network Logon:
User Name: Person Account3
Domain:  xxxxxxxxxxxx
Logon ID:  (0x0,0x2D30B8EB)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: 
Logon GUID: {de14b78c-e9ed-7ccd-9145-fac28be8006b}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: xxxxxxxxxxxx
Source Port: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: 1/19/2011
Source: Security
Time 2:25:17 PM
Category: Logon/Logoff
Type Success A 
Event ID: 538
User: xxxxxxxxxxxx
Computer: xxxxxxxxxxxx
Description:
User Logoff:
User Name: Person Account3
Domain:  xxxxxxxxxxxx
Logon ID:  (0x0,0x2D30B8EB)
Logon Type: 3

Post #645
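The expert asked for the full events rather than the summary rows in the first post, and the second post shows why: the summary table has no Logon ID, so a 540 cannot be tied to its 538 reliably (the first post's rows for Account2 on 1/4/2011 even appear out of time order). The script below is an added example, not code from this thread; it reads the "Description:" style export from the second post, pairs each 540 with the 538 carrying the same Logon ID, reports session length, and flags machine accounts (the UNC-path case the poster reproduced), unresolved SIDs like the S-1-5-21 rows in the first post, and network (type 3) logons. All sample records, names, addresses and GUIDs are constructed placeholders.

```python
"""Pair Windows Server 2003-style 540 (network logon) / 538 (logoff) events by Logon ID.

Added example for the thread above, not code from the forum or from Microsoft.
The export format mirrors the second post: 'Key: value' lines, except that the
'Time' and 'Type' lines carry no colon, and some exports fuse
'Type Success A Event ID: 540' onto one line. All sample data is constructed.
"""
import re
from datetime import datetime

# Constructed sample: one complete 540/538 pair for a machine account and one
# 540 for an unresolved SID with no matching 538 in the export.
SAMPLE_DETAIL = """\
Date: 1/19/2011
Source: Security
Time 2:25:16 PM
Category: Logon/Logoff
Type Success A
Event ID: 540
User: EXAMPLE\\WKSTN01$
Computer: FILESRV01
Description:
Successful Network Logon:
User Name: WKSTN01$
Domain: EXAMPLE
Logon ID: (0x0,0x2D30904D)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000001}
Source Network Address: 10.0.0.25
Source Port: 0
~~~~~~~~~~~~~~~~
Date: 1/19/2011
Source: Security
Time 2:25:27 PM
Category: Logon/Logoff
Type Success A Event ID: 538
User: EXAMPLE\\WKSTN01$
Computer: FILESRV01
Description:
User Logoff:
User Name: WKSTN01$
Domain: EXAMPLE
Logon ID: (0x0,0x2D30904D)
Logon Type: 3
~~~~~~~~~~~~~~~~
Date: 4/2/2011
Time 11:28:53 PM
Type Success A
Event ID: 540
Computer: FILESRV01
Description:
Successful Network Logon:
User Name: S-1-5-21-1111111111-2222222222-3333333333-1105
Domain: EXAMPLE
Logon ID: (0x0,0x2D40AAAA)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Source Network Address: 10.0.0.77
Source Port: 0
"""

TIMESTAMP_FMT = "%m/%d/%Y %I:%M:%S %p"


def parse_detail_blocks(text):
    """Split the export on the ~~~ separator lines and read each block into a dict.
    Only blocks that carry both an Event ID and a Logon ID are kept."""
    events = []
    for chunk in re.split(r"^~{4,}\s*$", text, flags=re.M):
        fields = {}
        for line in chunk.splitlines():
            line = line.strip()
            if not line:
                continue
            # 'Time 2:25:16 PM', 'Type Success A', or the fused 'Type Success A Event ID: 540'
            m = re.match(r"^(Time|Type)\s+(.*?)(?:\s+Event ID:\s*(\d+))?$", line)
            if m:
                fields[m.group(1)] = m.group(2)
                if m.group(3):
                    fields["Event ID"] = m.group(3)
                continue
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "Event ID" in fields and "Logon ID" in fields:
            events.append(fields)
    return events


def classify(logon):
    """Flags worth a second look when triaging a 540, derived only from the event fields."""
    flags = []
    name = logon["User Name"]
    if name.endswith("$"):
        flags.append("machine-account")   # a computer account, e.g. a UNC browse from that host
    if name.upper().startswith("S-1-5-"):
        flags.append("unresolved-sid")    # the log could not map the SID back to a name
    if logon.get("Logon Type") == "3":
        flags.append("network")           # type 3: SMB/UNC style access, not a console logon
    elif logon.get("Logon Type") in ("2", "10"):
        flags.append("interactive")
    return flags


def pair_sessions(events):
    """Match each 540 to the 538 with the same Logon ID.
    Returns (closed, still_open): closed sessions carry their length in seconds;
    still_open are 540s for which the export contains no 538."""
    open_by_id, closed = {}, []
    for ev in events:
        ts = datetime.strptime(f"{ev['Date']} {ev['Time']}", TIMESTAMP_FMT)
        lid = ev["Logon ID"]
        if ev["Event ID"] == "540":
            open_by_id[lid] = dict(ev, _ts=ts)
        elif ev["Event ID"] == "538" and lid in open_by_id:
            logon = open_by_id.pop(lid)
            closed.append({
                "account": logon["User Name"],
                "domain": logon.get("Domain", ""),
                "logon_id": lid,
                "source": logon.get("Source Network Address", ""),
                "seconds": int((ts - logon["_ts"]).total_seconds()),
                "flags": classify(logon),
            })
    for logon in open_by_id.values():
        logon["flags"] = classify(logon)
    return closed, list(open_by_id.values())


if __name__ == "__main__":
    closed, still_open = pair_sessions(parse_detail_blocks(SAMPLE_DETAIL))
    for s in closed:
        print(f"{s['domain']}\\{s['account']} from {s['source']}: {s['seconds']}s {s['flags']}")
    for ev in still_open:
        print(f"no 538 yet for {ev['User Name']} (Logon ID {ev['Logon ID']}) {ev['flags']}")
```

A Logon ID is only unique until the server reboots, so pair within one boot session, and treat an unresolved SID as a prompt to look the SID up in the domain (or the trusted domain) before concluding anything about who it was.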
Posted 5/2/2011 11:17:21 AM
Expert


Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
Being in different OUs in and of itself has no impact on which computers an account can authenticate to.
Post #652
Posted 6/19/2011 5:17:17 PM
Forum Newbie


Group: Forum Members
Last Login: 6/19/2011 5:53:10 PM
Posts: 2, Visits: 1
But 540 itself gives the information of a successful logon to WHAT?

Thanks
Post #736
Posted 6/19/2011 5:20:28 PM
Forum Newbie


Group: Forum Members
Last Login: 6/19/2011 5:53:10 PM
Posts: 2, Visits: 1
GLG (6/19/2011)
but 540 itself gives the information of a successful logon to WHAT?

Thanks


And how can someone distinguish between remote access with administrator privileges and access by a user who does not have the same privileges?
Post #737
Posted 6/22/2011 9:46:13 AM
Expert


Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
540 means you logged on to the computer; it doesn't mean you can access anything. Authentication and access control are 2 different things. If a user logs on they will at least have access to anything granted to EVERYONE, Authenticated Users and probably Domain Users and Users if they are a member of the same domain as the computer. So check your permissions and see if you are using those principals in your ACLs.

If you only want people from your OU to be able to access your computer in any way at all, then you need to put those users in a group and limit the logon rights on your computer to that group. See http://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Logon-rights. OUs control group policies but aren't access control. You need to use groups for that. It is not unusual to have a group and an OU named similarly and have the members.

Post #743
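The reply above makes two separate points: a 540 only proves the caller authenticated, and whatever they can then open is decided by ACLs and by the "Access this computer from the network" logon right, with any same-domain account automatically carrying Everyone, Authenticated Users, Domain Users and (through default nesting) the local Users group. The model below is an added example, not code from the thread or from Windows; it is a simplified evaluator (any matching deny ACE wins, as in a canonically ordered DACL) that shows which principal actually grants an account from another OU access, and how restricting the network logon right to one group stops the 540 from happening at all. Domain, group and account names are constructed.

```python
"""Authentication (event 540) versus access control, as a small model.

Added example for the thread above; not code from the forum or from Microsoft.
Simplifications, stated as assumptions: group membership is given explicitly,
a deny ACE matching any token group always wins (canonical DACL ordering), and
the local Users group is assumed to contain Domain Users, which is the default
on a domain-joined computer. All names below are constructed.
"""

# Principals every successful logon token carries, regardless of OU.
WELL_KNOWN_ON_LOGON = frozenset({"Everyone", "Authenticated Users"})


def token_groups(account, explicit_groups, computer_domain, users_nests_domain_users=True):
    """Groups an access token for `account` carries after logging on to a
    computer in `computer_domain`. Note that the account's OU never appears:
    OUs scope Group Policy, they are not security principals."""
    domain = account.split("\\", 1)[0]
    groups = {account, *explicit_groups, *WELL_KNOWN_ON_LOGON}
    if domain == computer_domain:
        groups.add(f"{domain}\\Domain Users")
        if users_nests_domain_users:
            groups.add("BUILTIN\\Users")  # Domain Users is nested in local Users by default
    return groups


def may_log_on_over_network(groups, allow_right, deny_right):
    """'Access this computer from the network' user right. A type 3 logon (and
    therefore a 540) only happens if this returns True. Deny beats allow."""
    if groups & deny_right:
        return False
    return bool(groups & allow_right)


def effective_access(groups, dacl):
    """dacl: list of (ace_type, principal, rights) with ace_type 'allow' or 'deny'.
    Returns (rights granted, {right: [principals that granted it]}) so the
    reader can see when it is 'Everyone' doing the work."""
    denied, allowed, granted_by = set(), set(), {}
    for ace_type, principal, rights in dacl:
        if principal not in groups:
            continue
        if ace_type == "deny":
            denied |= set(rights)
            continue
        for right in rights:
            if right not in denied:
                allowed.add(right)
                granted_by.setdefault(right, []).append(principal)
    return allowed - denied, granted_by


# Constructed scenario: file server in domain EXAMPLE, administered by the
# poster's OU; jdoe sits in a different OU of the same domain.
COMPUTER_DOMAIN = "EXAMPLE"
SHARE_DACL = [
    ("allow", "EXAMPLE\\Finance-Admins", {"read", "write", "full"}),
    ("allow", "Everyone", {"read"}),  # the ACE the reply tells you to go looking for
]
DEFAULT_NETWORK_LOGON_ALLOW = {"Everyone", "BUILTIN\\Administrators", "BUILTIN\\Users"}
RESTRICTED_NETWORK_LOGON_ALLOW = {"EXAMPLE\\Finance-Servers-Access", "BUILTIN\\Administrators"}


def explain(account, explicit_groups, logon_allow, logon_deny=frozenset()):
    """Walk one account through both checks and return what happened."""
    groups = token_groups(account, explicit_groups, COMPUTER_DOMAIN)
    if not may_log_on_over_network(groups, logon_allow, logon_deny):
        return {"logged_on": False, "rights": set(), "granted_by": {}}
    rights, granted_by = effective_access(groups, SHARE_DACL)
    return {"logged_on": True, "rights": rights, "granted_by": granted_by}


if __name__ == "__main__":
    # Default logon right: jdoe gets a 540 and reads the share via Everyone.
    print(explain("EXAMPLE\\jdoe", {"EXAMPLE\\Sales-Users"}, DEFAULT_NETWORK_LOGON_ALLOW))
    # Logon right limited to one group: no 540 is ever written for jdoe.
    print(explain("EXAMPLE\\jdoe", {"EXAMPLE\\Sales-Users"}, RESTRICTED_NETWORK_LOGON_ALLOW))
```

Read the output in the order the reply gives: first whether the account could log on at all (the 540), then which ACE let it in. An account from a trusted domain outside the forest still gets Everyone and Authenticated Users but not this domain's Domain Users, so a share that only grants Domain Users would not open for it even though the 540 is logged.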