There are two types of successful logins with Windows 2000.
Event ID 528 describes a successful logon. However, whereas NT used
event ID 528 for every type of logon, Windows 2000 uses a different
event ID for network logons. When you map a drive to a server, connect
to the server's registry, or otherwise perform a network logon, Windows
2000 logs event ID 540. This event is useful because it lets you
separate network logons from other logon types.
Kerberos is the standard network authentication protocol between Windows
2000 resources.
With Kerberos authentication, the server does not need to go to a domain
controller. It can authenticate the client by examining credentials
presented by the client. Clients can obtain credentials for a particular
server once and reuse them throughout a network logon session.
Event 540 & Bypass Traverse Checking:
Bypass Traverse Checking is defined in each respective computer's Local
Policy Settings:
Bypass Traverse Checking
Computer Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignment
Bypass Traverse Checking defined:
Determines which users can traverse directory trees even though the user
may not have permissions on the traversed directory. This privilege does
not allow the user to list the contents of a directory, only to traverse
directories.
This user right is defined in the Default Domain Controller Group Policy
object (GPO) and in the local security policy of workstations and
servers.
The default groups that have this right on each platform are:
Workstations and Servers:
    Administrators
    Backup Operators
    Power Users
    Users
    Everyone
Domain Controllers:
    Administrators
    Authenticated Users
    Everyone
Hope this helps.
Rob Zabroky
Austin Texas
-----Original Message-----
From: Dave Gonsalves [mailto:davegon (at) comcast (dot) net [email concealed]]
Sent: Saturday, September 11, 2004 12:51 PM
To: focus-ms (at) securityfocus (dot) com [email concealed]
Subject: Windows2000 Security events
Hi All,
Has anyone seen this type of Windows Security Event Log activity before?
This was found on multiple computers, all within a 2-minute time
frame, same username and domain.
EVENT ID: 576
Special privileges assigned to new logon:
User Name: username
Domain:
Logon ID: (0x0,0x5F893A8)
Assigned: SeChangeNotifyPrivilege
EVENT ID: 540
Successful Network Logon:
User Name: username
Domain: DOMAIN
Logon ID: (0x0,0x5F893A8)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
EVENT ID: 538
User Logoff:
User Name: username
Domain: DOMAIN
Logon ID: (0x0,0x5F893A8)
Logon Type: 3
One of the computers provided a source IP address, so I have checked the
computer of the user in question for rootkits, trojans, etc. It is fully
patched and has AV up to date.
thanks,
Dave
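Added example, not part of either message above: a small Python script that reads a text export laid out like the records Dave quoted, ties the 576/540/538 records of one session together by Logon ID (the field all three share), and separates a 576 that assigns only SeChangeNotifyPrivilege (the privilege behind Bypass Traverse Checking, which Rob's list shows is granted to Users and Everyone by default) from a 576 that assigns anything more. The sample records are constructed to mirror the thread; the "EVENT ID:" header and the key/value layout are assumptions about how the log was exported, and the set of privileges treated as background noise is likewise an assumption drawn only from the thread.

```python
"""Correlate Windows 2000 security events 576/540/538 by Logon ID.

Added example, not code from the thread. Assumes the Security log was
exported as text with an "EVENT ID: n" header per record followed by
"Key: Value" lines, as in the records quoted above.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the thread: the posted 576/540/538 triple,
# plus a second session whose 576 assigns a privilege beyond the default one.
SAMPLE_LOG = """\
EVENT ID: 576
Special privileges assigned to new logon:
User Name: username
Domain:
Logon ID: (0x0,0x5F893A8)
Assigned: SeChangeNotifyPrivilege
EVENT ID: 540
Successful Network Logon:
User Name: username
Domain: DOMAIN
Logon ID: (0x0,0x5F893A8)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
EVENT ID: 538
User Logoff:
User Name: username
Domain: DOMAIN
Logon ID: (0x0,0x5F893A8)
Logon Type: 3
EVENT ID: 576
Special privileges assigned to new logon:
User Name: admin
Domain: DOMAIN
Logon ID: (0x0,0x6001234)
Assigned: SeChangeNotifyPrivilege
SeDebugPrivilege
EVENT ID: 528
Successful Logon:
User Name: admin
Domain: DOMAIN
Logon ID: (0x0,0x6001234)
Logon Type: 2
"""

# Assumption from the thread: Bypass Traverse Checking (SeChangeNotifyPrivilege)
# is granted to Users/Everyone by default, so a 576 listing only it is noise.
BENIGN_PRIVS = {"SeChangeNotifyPrivilege"}


def parse_events(text):
    """Split the text export into one dict per event.

    Lines without a colon continue the previous field (the 576 'Assigned:'
    list puts each extra privilege on its own line).
    """
    events, cur, last_key = [], None, None
    for line in text.splitlines():
        m = re.match(r"EVENT ID:\s*(\d+)", line)
        if m:
            cur = {"id": int(m.group(1))}
            events.append(cur)
            last_key = None
        elif cur is None:
            continue
        elif ":" in line:
            key, _, val = line.partition(":")
            last_key = key.strip()
            cur[last_key] = val.strip()
        elif last_key and line.strip():
            cur[last_key] = (cur[last_key] + " " + line.strip()).strip()
    return events


def correlate(events):
    """Group events by Logon ID, which links 576, 540/528 and 538 of a session."""
    sessions = defaultdict(list)
    for ev in events:
        if ev.get("Logon ID"):
            sessions[ev["Logon ID"]].append(ev)
    return sessions


def classify(session):
    """Return (verdict, event ids in order, notable facts) for one session."""
    ids = [ev["id"] for ev in session]
    facts = {}
    for ev in session:
        if ev["id"] == 576:
            privs = set(ev.get("Assigned", "").split())
            facts["extra_privs"] = sorted(privs - BENIGN_PRIVS)
        elif ev["id"] in (528, 540):
            facts["network"] = ev["id"] == 540      # 540 = network logon (type 3)
            facts["logon_type"] = ev.get("Logon Type")
            facts["auth"] = ev.get("Authentication Package")
            facts["workstation"] = ev.get("Workstation Name", "")
    if facts.get("extra_privs"):
        verdict = "review: privileges beyond SeChangeNotifyPrivilege assigned"
    elif facts.get("network") and not facts.get("workstation"):
        verdict = "network logon with blank Workstation Name; find the source elsewhere"
    else:
        verdict = "ordinary logon"
    return verdict, ids, facts


if __name__ == "__main__":
    for logon_id, sess in correlate(parse_events(SAMPLE_LOG)).items():
        verdict, ids, facts = classify(sess)
        print(f"{logon_id}: events {ids} -> {verdict}; {facts}")
```

Run against a real export, the interesting output is the sessions whose 576 lists anything other than SeChangeNotifyPrivilege; the posted triple classifies as a plain Kerberos network logon whose Workstation Name is empty, which is why the source address had to come from another machine's record.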