WinServer2008R2 Event Viewer Security log flood ID 4624

    Question

  • Dear people,

    I have been looking in our Security log from our Windows Server 2008 R2 Domain Controller.
    In the Security Log there are currently a total of 255,270 events.
    The Security Log does not hold logs for more than 1 day; this is something that is concerning me and I want to solve.
    The number of event ID 4624 entries is huge: it holds 71,573 events.

    So I was wondering how can I solve the problem?
    I know Event ID 4624 is: An account was successfully logged on.
    And I saw options to disable the reporting of this log, but this doesn't solve the problem; that only makes the problem that I'm currently facing disappear from my logs.
    What I also find kind of strange is that it makes logs in the middle of the night, at time stamps when there is not even a single person in our company; besides this, it comes from several users that can't be in the building since the door is locked.

    Is there anyone who can help me find and resolve this issue, since it's also eating some of the network resources?

    Key points:
    - Security Log gets flooded with ID 4624
    - Strange users log in in the middle of the night
    - Security Log is full
    - Security Log is getting filled with ID 4624 at around 50 logs per minute
    - Our company has no more than 400 employees
    - We have 1 Terminal server for 10 users


    Here is a screenshot of our log:


    • Edited by MrHoek Wednesday, June 26, 2013 8:00 AM
    Wednesday, June 26, 2013 7:47 AM

All replies

  • Hi, can you provide more details of one single 4624 entry (even if obscuring domain/machine names)?

    Did all the successful logons (4624) come from the same IP address?

    Wednesday, June 26, 2013 8:47 AM
  • 1:
    An account was successfully logged on.

    Subject:
        Security ID:        NULL SID
        Account Name:        -
        Account Domain:        -
        Logon ID:        0x0

    Logon Type:            3

    New Logon:
        Security ID:        2CONTACT\telfort
        Account Name:        telfort
        Account Domain:        2CONTACT
        Logon ID:        0x18c046dc
        Logon GUID:        {3095dd0b-88ae-31eb-5d31-17afcbaa780b}

    Process Information:
        Process ID:        0x0
        Process Name:        -

    Network Information:
        Workstation Name:    
        Source Network Address:    10.0.22.23
        Source Port:        64318

    Detailed Authentication Information:
        Logon Process:        Kerberos
        Authentication Package:    Kerberos
        Transited Services:    -
        Package Name (NTLM only):    -
        Key Length:        0

    This event is generated when a logon session is created. It is generated on the computer that was accessed.

    The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

    The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

    The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.
        - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
        - Transited services indicate which intermediate services have participated in this logon request.
        - Package name indicates which sub-protocol was used among the NTLM protocols.
        - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.


    2:
    An account was successfully logged on.

    Subject:
        Security ID:        NULL SID
        Account Name:        -
        Account Domain:        -
        Logon ID:        0x0

    Logon Type:            3

    New Logon:
        Security ID:        SYSTEM
        Account Name:        PHDC01$
        Account Domain:        2CONTACT
        Logon ID:        0x18c03933
        Logon GUID:        {f9b18fe4-2324-890f-1c7c-1fe7b49163c6}

    Process Information:
        Process ID:        0x0
        Process Name:        -

    Network Information:
        Workstation Name:    
        Source Network Address:    127.0.0.1
        Source Port:        53948

    Detailed Authentication Information:
        Logon Process:        Kerberos
        Authentication Package:    Kerberos
        Transited Services:    -
        Package Name (NTLM only):    -
        Key Length:        0


    About example 1: here you can see the user Telfort logged in, but there was no one who could log in on that computer since the company was closed.

    About example 2: I have no information for that one.

    Wednesday, June 26, 2013 10:27 AM
  • Ok.

    Logon type 3 refers to a Network logon (for example, access to a shared folder).

    There could simply be a batch job doing it, or some kind of software that scans shared folders and so on.

    For example, a remediation platform like GFI LanGuard makes this type of logon, obviously even if there's no one in the office.

    Is the source IP always the same?

    Wednesday, June 26, 2013 11:32 AM
  • Dear A. Guidotti,

    Thank you for your answer.
    I know what a Logon Type 3 is, but this is far from possible, since the user Telfort has no shares. It's a restricted account and therefore not able to make any connection.

    The source IP is always different; the workstation/server IP is different in every security event.
    Now I'm curious about the following ideas.

    1. If I understand you correctly, then if I make sure that all the computers in the company are off, there may be no logon entries in the Security log.

    2. Since our Security log is not older than a day, because it has already reached the maximum size of logs, should I increase the 128MB that is currently assigned as the maximum?

    Wednesday, June 26, 2013 12:20 PM
  • I think I have found the reason why we have those anonymous logins on our workstations.
    When I scan a workstation for shares it finds the following folders:
    C:\Windows; with share: ADMIN$
    C:\; with share: C$

    Now I was wondering if this option in the GPO prevents that:
    - Network access: Shares that can be accessed anonymously

    The event that is created is:
    Subject:
        Security ID:        NULL SID
        Account Name:        -
        Account Domain:        -
        Logon ID:        0x0

    Logon Type:            3

    New Logon:
        Security ID:        ANONYMOUS LOGON
        Account Name:        ANONYMOUS LOGON
        Account Domain:        NT AUTHORITY
        Logon ID:        0x18bff520
        Logon GUID:        {00000000-0000-0000-0000-000000000000}


    Could someone confirm this?
    • Edited by MrHoek Wednesday, June 26, 2013 2:41 PM
    Wednesday, June 26, 2013 12:39 PM
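The two questions the thread keeps circling (which accounts, which logon type, and whether the source address is always the same) can be answered directly from the 4624 message text. The script below is an added example, not code from the thread; it parses the message fields the posters quoted and groups them, flagging ANONYMOUS LOGON and machine-account (`name$`) entries. Function names are mine, the sample messages are constructed from the values quoted above (the 10.0.22.40 address is made up), and PowerShell 3.0 or later is assumed.

```powershell
# Added example: summarise Security event 4624 messages by logon type, account and source address.
function ConvertFrom-Logon4624Message {
    param([Parameter(Mandatory=$true)][string]$Message)
    # Helper: value of a "Name:   value" line, or '' when the value is blank (e.g. Workstation Name).
    $field = { param($text, $name)
        if ($text -match "(?m)^\s*$([regex]::Escape($name)):[ \t]*(\S.*?)\s*$") { $Matches[1] } else { '' } }
    # "Account Name" appears under both Subject and New Logon; keep only the New Logon part.
    $newLogon = ($Message -split 'New Logon:', 2)[1]
    [pscustomobject]@{
        LogonType     = [int](& $field $Message 'Logon Type')
        Account       = & $field $newLogon 'Account Name'
        Domain        = & $field $newLogon 'Account Domain'
        SourceAddress = & $field $newLogon 'Source Network Address'
        LogonProcess  = & $field $newLogon 'Logon Process'
    }
}
function Get-Logon4624Summary {
    param([Parameter(Mandatory=$true)][string[]]$Messages)
    $Messages | ForEach-Object { ConvertFrom-Logon4624Message $_ } |
        Group-Object LogonType, Domain, Account, SourceAddress | ForEach-Object {
            $e = $_.Group[0]
            [pscustomobject]@{
                Count          = $_.Count
                LogonType      = $e.LogonType
                Account        = "$($e.Domain)\$($e.Account)"
                SourceAddress  = $e.SourceAddress
                LogonProcess   = $e.LogonProcess
                Anonymous      = ($e.Account -eq 'ANONYMOUS LOGON')   # null-session share access
                MachineAccount = $e.Account.EndsWith('$')             # computer accounts (e.g. PHDC01$)
            }
        } | Sort-Object Count -Descending
}
# Constructed sample messages, trimmed to the fields this parser reads (values taken from the thread).
$template = @"
Logon Type:    {0}
New Logon:
    Account Name:    {1}
    Account Domain:    {2}
Network Information:
    Source Network Address:    {3}
Detailed Authentication Information:
    Logon Process:    {4}
"@
$samples = @(
    ($template -f 3, 'telfort', '2CONTACT', '10.0.22.23', 'Kerberos'),
    ($template -f 3, 'PHDC01$', '2CONTACT', '127.0.0.1', 'Kerberos'),
    ($template -f 3, 'ANONYMOUS LOGON', 'NT AUTHORITY', '10.0.22.40', 'NtLmSsp'),
    ($template -f 3, 'ANONYMOUS LOGON', 'NT AUTHORITY', '10.0.22.40', 'NtLmSsp')
)
Get-Logon4624Summary $samples | Format-Table -AutoSize
```

On the domain controller itself the same summary runs over live data with `Get-Logon4624Summary (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 20000).Message`; a large count for a single source address or for ANONYMOUS LOGON points at one scanning host or at null-session share access rather than at interactive users.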
  • I would like to raise the same question and support it as in forcing Microsoft or some of their employees to fix or provide at least a solution. This is getting out of hand. 
    Friday, February 14, 2014 7:15 AM