Recently a user asked me if I would look into the VPN connection because they were being booted off constantly. I went to Event Viewer to see the logon/logoff events from last night.

Out of the 47k security events from the last few days, I had 44k of them. They are almost all Event #540 "Successful Network Logon" and #576 "Special privileges assigned to new logon."

Similar to this question, but it wasn't really answered: "A lot of logon/logoffs events in Windows event log"

Why is this happening? Is it an issue? If so, what are the steps to fix it?

Special privileges assigned to new logon:
    User Name:  gtaylor
    Domain:     Domain
    Logon ID:       (0x0,0x30D14A8)
    Privileges: SeSecurityPrivilege
            SeBackupPrivilege
            SeRestorePrivilege
            SeTakeOwnershipPrivilege
            SeDebugPrivilege
            SeSystemEnvironmentPrivilege
            SeLoadDriverPrivilege
            SeImpersonatePrivilege

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

and

Successful Network Logon:
    User Name:  gtaylor
    Domain:     Domain
    Logon ID:       (0x0,0x3282453)
    Logon Type: 3
    Logon Process:  NtLmSsp 
    Authentication Package: NTLM
    Workstation Name:   D-7P9LDP1
    Logon GUID: -
    Caller User Name:   -
    Caller Domain:  -
    Caller Logon ID:    -
    Caller Process ID: -
    Transited Services: -
    Source Network Address: 192.168.1.175
    Source Port:    54450


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Pic of Event Viewer: https://i.stack.imgur.com/Cyu0v.jpg

gtaylor85

1 Answer

Review the details logged for each event. They should indicate which host or IP address is initiating these requests. Are they all coming from your workstation, or from somewhere else? If your username is used for any network services in your environment, consider setting up service accounts instead.

Skyhawk
  • Thanks for the reply. There is no IP address listed under the details. I also have never used my account as a service account. I see the area that should have IP or Workstation name on other events, but all of the random spot checking I've done has yet to show an IP/WS name. – gtaylor85 Apr 28 '11 at 18:37
  • Would you be able to add a code block containing the full text of one or more of these logged events? – Skyhawk Apr 28 '11 at 19:15
  • Thanks again. I edited my question to reflect 2 logged events, and a SS of my Event Viewer. The latest events, reflected in the code blocks above, have an IP that is my local WS. The Events from earlier today didn't have an IP, but the rest of the info was the same. – gtaylor85 Apr 28 '11 at 20:00
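
The per-event review suggested in the answer can be scripted once the Security log entries are exported as text. The following is an added example, not part of the original answer or comments: it parses Event 540 descriptions in the layout shown in the question and counts logons per user, workstation, source address and logon process, keeping events with no recorded address as their own group. The sample text, the account `svc-example` and the address `192.0.2.10` are constructed.

```python
import re
from collections import Counter

# Constructed sample in the layout of the Event 540 text in the question.
# The second event has no source address, like the earlier events the asker
# mentions; the third comes from a made-up account and host.
SAMPLE = """\
Successful Network Logon:
    User Name:  gtaylor
    Logon Type: 3
    Logon Process:  NtLmSsp
    Workstation Name:   D-7P9LDP1
    Source Network Address: 192.168.1.175

Successful Network Logon:
    User Name:  gtaylor
    Logon Process:  NtLmSsp
    Workstation Name:   D-7P9LDP1
    Source Network Address: -

Successful Network Logon:
    User Name:  svc-example
    Logon Process:  Kerberos
    Workstation Name:   -
    Source Network Address: 192.0.2.10
"""

FIELD = re.compile(r"^\s+([A-Za-z ]+?):[ \t]*(.*?)\s*$")
KEYS = ("User Name", "Workstation Name", "Source Network Address", "Logon Process")

def parse_events(text):
    """Return one {field: value} dict per 'Successful Network Logon' block."""
    events = []
    for chunk in text.split("Successful Network Logon:")[1:]:
        matches = (FIELD.match(line) for line in chunk.splitlines())
        events.append({m.group(1): m.group(2) for m in matches if m})
    return events

def tally_sources(events):
    """Count logons per (user, workstation, address, logon process)."""
    def norm(value):  # "-" or a missing field means the event did not record it
        return value if value not in (None, "", "-") else "(not logged)"
    return Counter(tuple(norm(e.get(k)) for k in KEYS) for e in events)

if __name__ == "__main__":
    for key, count in tally_sources(parse_events(SAMPLE)).most_common():
        print(count, *key, sep="\t")
```

A single workstation and logon process dominating the tally points to one client generating the volume; many distinct sources using the same account is the pattern that calls for closer investigation.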