A ton of Logon/off events in Event Viewer

Question

I am running a Win2012 server in VMware, I have installed IIS, NAP, VPN, DHCP, DNS, WDS, AD DS, AD CS. I have win7 clients in my domain, but they're not turned on.

The problem is, I am getting a crasy amount of events with ID 4634, 4624 and 4672. I am receiving 1 event every 2 seconds pretty much. They are all coming from my Win2012 server.

Logon event example:

An account was successfully logged on.
Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Logon Type:         3

Impersonation Level:        Delegation

New Logon:
    Security ID:        SYSTEM
    Account Name:       DC-SERVER$
    Account Domain:     SKOLE
    Logon ID:       0x20BE923
    Logon GUID:     GUID

Process Information:
    Process ID:     0x0
    Process Name:       -

Network Information:
    Workstation Name:   
    Source Network Address: fe80::e130:38a0:ae35:35bd
    Source Port:        58047

Detailed Authentication Information:
    Logon Process:      Kerberos
    Authentication Package: Kerberos
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0

The Impersonation changes between Delegation and Impersonation. The source port also changes all the time.

As you can see, these events occur a number of times in the exact same second. I have absolutely no idea what is causing this. I have googled and searched the forum for answers, but I haven't been able to find anything that helped.

And for anyone telling me to turn off audit - No I will not, I want to find the problem or get a good explanation.

Update:

Apparently I've had this problem for quite a while, but I haven't really noticed untill now. I have a snapshot of my server where I don't have NAP, VPN and AD CS installed but I'm still getting a ton of events. I am sure that this has something to do with AD. Anyone out there who can help?

Answer 1

Judging by the name of the server containing DC, I assume this is a domain controller.
Also note that the Logon Type is 3, meaning a network logon.

For 4624 and 4634 events with logon type 3:

You'll see these events quite a lot on a domain controller, as its main business is authenticating...
Generally these are very noisy and not that often used for actual forensics. Without other applications to filter out the noise.

On domain controllers you often see one or more logon/logoff pairs immediately following authentication events for the same user. But these logon/logoff events are generated by the group policy client on the local computer retrieving the applicable group policy objects from the domain controller so that policy can be applied for that user. Then approximately every 90 minutes, Windows refreshes group policy and you see a network logon and logoff on the domain controller again. These network logon/logoff events are little more than noise.

...

Successful network logon and logoff events are little more than “noise “on domain controllers and member servers because of the amount of information logged and tracked. Unfortunately you can’t just disable successful network logon/logoff events without also losing other logon/logoff events for interactive, remote desktop, etc. Noise can’t be configured out of the Windows security log; that’s the job of your log management / SIEM solution.

For 4672 (Special logon events):

This comes from anything requiring special privileges.
Running a scheduled task with administrator privileges, an application that has run as administrator ticked on, or just logging on with an administrator account,...

You could review these and see what's running with special privileges and whether or not it should be.