Excessive computer account logon/logoff logging in security log


Markko Meriniit

Hello,

Although I know what the 538/540 event pairs in the security log are, and the
amount logged is not yet a problem because it's not about every computer, I'm
getting kind of worried in case there are going to be more and more computers
like that. The server in question is a file/print server and a domain member, and we
get literally a hundred 538/540 events per second for one computer account.
The events are:
540 Successful Network Logon:
User Name: ARV0216$
Domain: DOMAIN
Logon ID: (0x0,0x12B05AB3)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: %8

538 User Logoff:
User Name: ARV0216$
Domain: DOMAIN
Logon ID: (0x0,0x12B05AB3)
Logon Type: 3

These event pairs occur up to 112 times per second (maybe even more, but that was the
largest number I saw), that is 56 pairs per second.
I did some statistics for three computer accounts:
ARV0161
There was some regularity for this account, always 36 events at a time. Mostly
36 per second, but sometimes 36 per 2 seconds. And the number of these 36-event
bursts per minute varied from 1 to 9.
Events generated for this account over a two hour period: about 10 000
---------
ARV0182
I counted a max of 96 events per second for this account and 3200 events for a half
hour period. Didn't see any regularities for this account.
---------
ARV0190
I counted a max of 112 events per second and a max of 883 events per minute for this
account, and 5100 events for a 45 minute period. Didn't see any
regularities for this account.
---------------------------------

Is it normal for file/print servers? And why must some computer do a
logon/logoff some 440 times in one minute? I took a look at the local computer's
event log and didn't see much activity. The only events that sometimes happened at the
same time were Security 515 events:
A trusted logon process has registered with the Local Security Authority.
This logon process will be trusted to submit logon requests.
Logon Process Name: KSecDD

Any comments or experiences from someone? Thank you.

Markko Meriniit
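The counting above was done by hand from Event Viewer. The following script is an added example of doing the same thing programmatically; it is my code, not the poster's and not a Microsoft tool. It assumes the 540/538 records have already been exported into tuples of (timestamp, event id, user name, Logon ID, logon type), pairs each 540 with the 538 carrying the same Logon ID, and reports the peak events-per-second per computer account. The sample records are constructed to mimic the 36-event bursts described for ARV0161 and are not taken from a real log.

```python
"""Measure 540/538 logon/logoff churn per computer account in a Windows
2000/2003 security log export (added example; the record layout is assumed)."""
from collections import Counter
from datetime import datetime, timedelta

LOGON, LOGOFF = 540, 538


def _constructed_sample():
    """Constructed records in the shape of the thread's events:
    (timestamp, event_id, user_name, logon_id, logon_type). The event log
    only has one-second timestamp resolution, so a burst shares one timestamp."""
    base = datetime(2006, 3, 1, 9, 1, 4)
    events = []
    # ARV0161$: one burst of 18 logon/logoff pairs (36 events) in a single second
    for i in range(18):
        logon_id = 0x12B05AB3 + i
        events.append((base, LOGON, "ARV0161$", logon_id, 3))
        events.append((base, LOGOFF, "ARV0161$", logon_id, 3))
    # ARV0182$: one pair per second for five seconds (ordinary share access)
    for i in range(5):
        t = base + timedelta(seconds=i)
        events.append((t, LOGON, "ARV0182$", 0x2000 + i, 3))
        events.append((t, LOGOFF, "ARV0182$", 0x2000 + i, 3))
    # ARV0190$: a 540 whose 538 has not arrived yet (session still open)
    events.append((base + timedelta(seconds=2), LOGON, "ARV0190$", 0x3000, 3))
    events.sort(key=lambda e: e[0])  # stable sort keeps each 540 before its 538
    return events


SAMPLE_EVENTS = _constructed_sample()


def pair_sessions(events):
    """Match each 540 to the 538 carrying the same (user, Logon ID).
    Returns (closed_sessions, still_open, logoffs_without_logon)."""
    open_sessions = {}
    closed = []
    orphan_logoffs = []
    for ts, event_id, user, logon_id, _logon_type in events:
        key = (user, logon_id)
        if event_id == LOGON:
            open_sessions[key] = ts
        elif event_id == LOGOFF:
            start = open_sessions.pop(key, None)
            if start is None:
                orphan_logoffs.append(key)   # 538 with no matching 540
            else:
                closed.append((user, logon_id, start, ts))
    return closed, list(open_sessions), orphan_logoffs


def max_events_per_second(events):
    """Peak number of 540+538 events in any one-second bucket, per account."""
    buckets = Counter()
    for ts, _event_id, user, _logon_id, _ in events:
        buckets[(user, ts.replace(microsecond=0))] += 1
    peak = {}
    for (user, _second), n in buckets.items():
        peak[user] = max(peak.get(user, 0), n)
    return peak


def flag_noisy_accounts(events, threshold):
    """Accounts whose peak per-second event count exceeds threshold, busiest first."""
    peak = max_events_per_second(events)
    return sorted(((u, n) for u, n in peak.items() if n > threshold),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    closed, still_open, orphans = pair_sessions(SAMPLE_EVENTS)
    print(f"{len(closed)} closed sessions, {len(still_open)} still open, "
          f"{len(orphans)} logoffs without a logon")
    for user, n in flag_noisy_accounts(SAMPLE_EVENTS, threshold=10):
        print(f"{user}: peak {n} events/second")
```

Pairing on Logon ID rather than on event order matters: in a burst the log interleaves many sessions within the same second, and an unmatched 540 (a session never logged off) looks different from a client that really opens and closes a session fifty times.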
 

Patrick Steranka

I've seen similar things if you have a web server running on a host and
you have Integrated Windows Authentication turned on. Each web request
requires authentication to be passed.

So, do you have other things running on that host that could be causing this?
Email, Web, some other app that uses IWA (Integrated Windows Authentication)?

Patrick
 

Markko Meriniit

Patrick Steranka said:
I've seen similar things if you have a web server running on a host and
you have Integrated Windows Authentication turned on. Each web request
requires authentication to be passed.

So, do you have other things running on that host that could be causing
this?
Email, Web, some other app that uses IWA (Integrated Windows
Authentication)?

Nothing, although the IISAdmin service and WWW service are running (about a
year ago there was an MS Project server for testing purposes, but not anymore);
there are no web sites published. But it's worth a try anyway; I can disable
both services without disabling any functionality the server has. Only
Backup Exec 8 and HP printer software (drivers, Resource Manager,
Digital Sender) are installed that are maybe worth mentioning. The rest is local
software that users don't interact with or use over the network (PowerChute, RAID
manager, Symantec client, Adobe Reader, etc.).

Markko Meriniit
 

Patrick Steranka

Markko Meriniit said:
Nothing, although the IISAdmin service and WWW service are running (about a
year ago there was an MS Project server for testing purposes, but not anymore);
there are no web sites published. But it's worth a try anyway; I can disable
both services without disabling any functionality the server has. Only
Backup Exec 8 and HP printer software (drivers, Resource Manager,
Digital Sender) are installed that are maybe worth mentioning. The rest is local
software that users don't interact with or use over the network (PowerChute, RAID
manager, Symantec client, Adobe Reader, etc.).

Markko Meriniit

Markko,
Can you run a network sniffer (there's one built into Win2000/2003 Server)?
This should let you see what the heck the clients are doing that's forcing
that many logons.

Patrick
 

Markko Meriniit

Patrick Steranka said:
Can you run a network sniffer (there's one built into Win2000/2003
Server)?
This should let you see what the heck the clients are doing that's forcing
that many logons.

Did that, and I guess I must move to another group with my problem. I
happened to catch some of these logon/logoff bursts, and they seemed to be
ordinary file usage from the user side. The user opened a PDF file, and with
it the workstation did some 50 logon/logoff procedures. From the Wireshark
capture I saw that most of them were probably because of this cycle, which
repeated many times:
11 09:01:04.058275 workstation fileserver SMB Tree Connect AndX Request, Path: \\FAILSERVER\IPC$
12 09:01:04.058325 fileserver workstation SMB Tree Connect AndX Response
13 09:01:04.058638 workstation fileserver SMB NT Create AndX Request, Path: \srvsvc
14 09:01:04.058839 fileserver workstation SMB NT Create AndX Response, FID: 0x4002
15 09:01:04.059278 workstation fileserver DCERPC Bind: call_id: 1 SRVSVC V3.0
16 09:01:04.059380 fileserver workstation DCERPC Bind_ack: call_id: 1 accept max_xmit: 4280 max_recv: 4280
18 09:01:04.059792 workstation fileserver SRVSVC NetrShareGetInfo request, \\FAILSERVER, FILESHARE
20 09:01:04.060020 fileserver workstation SRVSVC NetrShareGetInfo response
21 09:01:04.060407 workstation fileserver SMB Close Request, FID: 0x4002
22 09:01:04.060505 fileserver workstation SMB Close Response
23 09:01:04.061287 workstation fileserver SMB NT Create AndX Request, Path: \wkssvc
24 09:01:04.061475 fileserver workstation SMB NT Create AndX Response, FID: 0xc007
25 09:01:04.061925 workstation fileserver DCERPC Bind: call_id: 1 WKSSVC V1.0
26 09:01:04.062022 fileserver workstation DCERPC Bind_ack: call_id: 1 accept max_xmit: 4280 max_recv: 4280
27 09:01:04.062433 workstation fileserver WKSSVC NetrWkstaGetInfo request, WKS_INFO_100 level
28 09:01:04.062561 fileserver workstation WKSSVC NetrWkstaGetInfo response
29 09:01:04.062927 workstation fileserver SMB Close Request, FID: 0xc007
30 09:01:04.063023 fileserver workstation SMB Close Response
31 09:01:04.066954 workstation fileserver SMB Session Setup AndX Request
32 09:01:04.068027 fileserver workstation SMB Session Setup AndX Response
33 09:01:04.068710 workstation fileserver SMB Tree Connect AndX Request, Path: \\FAILSERVER\IPC$
34 09:01:04.068764 fileserver workstation SMB Tree Connect AndX Response
35 09:01:04.069218 workstation fileserver SMB Trans2 Request, GET_DFS_REFERRAL, File: \FAILSERVER\FILESHARE
36 09:01:04.069289 fileserver workstation SMB Trans2 Response, GET_DFS_REFERRAL, Error: STATUS_NO_SUCH_DEVICE
39 09:01:04.070838 workstation fileserver SMB Tree Disconnect Request
40 09:01:04.070872 fileserver workstation SMB Tree Disconnect Response
41 09:01:04.071044 workstation fileserver SMB Logoff AndX Request
42 09:01:04.071176 fileserver workstation SMB Logoff AndX Response
43 09:01:04.071323 workstation fileserver SMB Tree Disconnect Request
44 09:01:04.071652 fileserver workstation SMB Tree Disconnect Response
45 09:01:04.073656 workstation fileserver SMB Session Setup AndX Request
46 09:01:04.074713 fileserver workstation SMB Session Setup AndX Response
47 09:01:04.075411 workstation fileserver SMB Tree Connect AndX Request, Path: \\FAILSERVER\IPC$
48 09:01:04.075464 fileserver workstation SMB Tree Connect AndX Response
49 09:01:04.075920 workstation fileserver SMB Trans2 Request, GET_DFS_REFERRAL, File: \FAILSERVER\FILESHARE
50 09:01:04.075983 fileserver workstation SMB Trans2 Response, GET_DFS_REFERRAL, Error: STATUS_NO_SUCH_DEVICE
51 09:01:04.076785 workstation fileserver SMB Logoff AndX Request
52 09:01:04.076821 fileserver workstation SMB Logoff AndX Response
53 09:01:04.077062 workstation fileserver SMB Tree Disconnect Request
54 09:01:04.077374 fileserver workstation SMB Tree Disconnect Response
----------------

But I just found out that Network Scanning was enabled in the Symantec
Client File System Auto-Protect section. I unchecked it and am waiting to
see if this does anything or not.

Markko Meriniit
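The capture above is the link between the two views of the problem: each SMB Session Setup AndX Request that authenticates with Kerberos creates one type-3 network logon on the server (event 540), and the matching Logoff AndX Request ends it (event 538). The script below is an added example of checking that correlation from a Wireshark summary export; it is my code, not the poster's and not part of Wireshark. It takes the thread's own frames 31-54, rejoined onto one line each, as its only sample input, counts the Session Setup/Logoff cycles the workstation drives against the server, and buckets them per second so the figure can be compared with the 540 rate in the security log. The summary-line layout (frame, time, source, destination, protocol, info) is assumed.

```python
"""Correlate an SMB capture summary with 540/538 security-log churn
(added example; the summary-line layout is assumed)."""
import re
from collections import Counter
from datetime import datetime

# Frames 31-54 of the thread's capture, one frame per line.
CAPTURE = r"""
31 09:01:04.066954 workstation fileserver SMB Session Setup AndX Request
32 09:01:04.068027 fileserver workstation SMB Session Setup AndX Response
33 09:01:04.068710 workstation fileserver SMB Tree Connect AndX Request, Path: \\FAILSERVER\IPC$
34 09:01:04.068764 fileserver workstation SMB Tree Connect AndX Response
35 09:01:04.069218 workstation fileserver SMB Trans2 Request, GET_DFS_REFERRAL, File: \FAILSERVER\FILESHARE
36 09:01:04.069289 fileserver workstation SMB Trans2 Response, GET_DFS_REFERRAL, Error: STATUS_NO_SUCH_DEVICE
39 09:01:04.070838 workstation fileserver SMB Tree Disconnect Request
40 09:01:04.070872 fileserver workstation SMB Tree Disconnect Response
41 09:01:04.071044 workstation fileserver SMB Logoff AndX Request
42 09:01:04.071176 fileserver workstation SMB Logoff AndX Response
43 09:01:04.071323 workstation fileserver SMB Tree Disconnect Request
44 09:01:04.071652 fileserver workstation SMB Tree Disconnect Response
45 09:01:04.073656 workstation fileserver SMB Session Setup AndX Request
46 09:01:04.074713 fileserver workstation SMB Session Setup AndX Response
47 09:01:04.075411 workstation fileserver SMB Tree Connect AndX Request, Path: \\FAILSERVER\IPC$
48 09:01:04.075464 fileserver workstation SMB Tree Connect AndX Response
49 09:01:04.075920 workstation fileserver SMB Trans2 Request, GET_DFS_REFERRAL, File: \FAILSERVER\FILESHARE
50 09:01:04.075983 fileserver workstation SMB Trans2 Response, GET_DFS_REFERRAL, Error: STATUS_NO_SUCH_DEVICE
51 09:01:04.076785 workstation fileserver SMB Logoff AndX Request
52 09:01:04.076821 fileserver workstation SMB Logoff AndX Response
53 09:01:04.077062 workstation fileserver SMB Tree Disconnect Request
54 09:01:04.077374 fileserver workstation SMB Tree Disconnect Response
"""

# frame  time  source  destination  protocol  info  (assumed summary layout)
FRAME_RE = re.compile(
    r"^(?P<frame>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<proto>SMB|DCERPC|SRVSVC|WKSSVC)\s+(?P<info>.*)$"
)


def parse_frames(text):
    """Turn summary lines into dicts; lines that do not match are skipped."""
    frames = []
    for line in text.strip().splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["frame"] = int(d["frame"])
        d["time"] = datetime.strptime(d["time"], "%H:%M:%S.%f")
        frames.append(d)
    return frames


def summarize_churn(frames, client="workstation"):
    """Count the SMB session lifecycles the client drives. Each Session Setup
    AndX Request is one 540 on the server and each Logoff AndX Request its 538,
    so session_setups is the number of 540/538 pairs this traffic explains."""
    setups = logoffs = dfs_errors = 0
    cycles = []          # (setup frame, logoff frame, lifetime in ms)
    open_setup = None
    for f in frames:
        info = f["info"]
        if f["src"] == client and info.startswith("Session Setup AndX Request"):
            setups += 1
            open_setup = f
        elif f["src"] == client and info.startswith("Logoff AndX Request"):
            logoffs += 1
            if open_setup is not None:
                ms = (f["time"] - open_setup["time"]).total_seconds() * 1000
                cycles.append((open_setup["frame"], f["frame"], round(ms, 3)))
                open_setup = None
        elif f["proto"] == "SMB" and "GET_DFS_REFERRAL" in info and "Error:" in info:
            dfs_errors += 1   # the failed referral that precedes every logoff here
    return {"session_setups": setups, "logoffs": logoffs,
            "dfs_referral_errors": dfs_errors, "cycles": cycles,
            "expected_540_538_pairs": min(setups, logoffs)}


def logons_per_second(frames, client="workstation"):
    """Session Setup requests per wall-clock second, for comparison with the
    540 rate the security log shows for this computer account."""
    buckets = Counter()
    for f in frames:
        if f["src"] == client and f["info"].startswith("Session Setup AndX Request"):
            buckets[f["time"].strftime("%H:%M:%S")] += 1
    return dict(buckets)


if __name__ == "__main__":
    frames = parse_frames(CAPTURE)
    summary = summarize_churn(frames)
    print(summary)
    print(logons_per_second(frames))
```

If the per-second Session Setup count from the client matches the 540 count for its computer account, the security log is simply recording real SMB session churn and the place to look is the client behaviour that drives it (here, a DFS referral that fails with STATUS_NO_SUCH_DEVICE and is retried in a fresh session); if the two diverge, something other than SMB is producing the logons.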
 

Markko Meriniit

Markko Meriniit said:
But I just found out that Network Scanning was enabled in the Symantec
Client File System Auto-Protect section. I unchecked it and am waiting to
see if this does anything or not.

It didn't help at all; no decrease in logon/logoff events.

Markko Meriniit
 
