security log filling with events 538/540/576

[Brad]

We just set up a new SBS 2003 premium server and we're getting a lot of
events 538/540/576 in the security log, I just counted 140 entries in 4
minutes. We have Symantec Endpoint small business 11.0 installed on the
server and MozyPro (an online backup utility). Exchange, IIS, and SQL 2005
are also running and there are 6 client PCs.

I've tried shutting down the services for SQL server, Symantec, and MozyPro
to see if that stopped/slowed the events and that didnt seem to have an
effect. Is turning off the auditing for those events the only solution?
here are some sample entries:

******************************************
Event Category: Logon/Logoff
Event ID: 540
Date: 3/18/2008
Time: 9:40:21 AM
User: NT AUTHORITY\SYSTEM
Computer: **servername
Description:
Successful Network Logon:
User Name: **servername$
Domain: **domain
Logon ID: (0x0,0x7B32DD9)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {63fe393a-b528-d3c6-a82b-89e8f443800f}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 127.0.0.1
Source Port: 0


********************************************************
Event Category: Logon/Logoff
Event ID: 576
Date: 3/18/2008
Time: 9:57:01 AM
User: NT AUTHORITY\SYSTEM
Computer: **servername
Description:
Special privileges assigned to new logon:
User Name: **servername$
Domain: **domain
Logon ID: (0x0,0x7B718C9)
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeEnableDelegationPrivilege

 

[Havre]

RE: security log filling with events 538/540/576

I am having the same issues, did you ever find a solution to this issue. When
we moved the PDC Emulator to another server that server began to have the
same issue along with 100% CPU Utilization.
--
-Havre


"Brad" wrote:

> We just set up a new SBS 2003 premium server and we're getting a lot of
> events 538/540/576 in the security log, I just counted 140 entries in 4
> minutes. We have Symantec Endpoint small business 11.0 installed on the
> server and MozyPro (an online backup utility). Exchange, IIS, and SQL 2005
> are also running and there are 6 client PCs.
>
> I've tried shutting down the services for SQL server, Symantec, and MozyPro
> to see if that stopped/slowed the events and that didnt seem to have an
> effect. Is turning off the auditing for those events the only solution?
> here are some sample entries:
>
> ******************************************
> Event Category: Logon/Logoff
> Event ID: 540
> Date: 3/18/2008
> Time: 9:40:21 AM
> User: NT AUTHORITY\SYSTEM
> Computer: **servername
> Description:
> Successful Network Logon:
> User Name: **servername$
> Domain: **domain
> Logon ID: (0x0,0x7B32DD9)
> Logon Type: 3
> Logon Process: Kerberos
> Authentication Package: Kerberos
> Workstation Name:
> Logon GUID: {63fe393a-b528-d3c6-a82b-89e8f443800f}
> Caller User Name: -
> Caller Domain: -
> Caller Logon ID: -
> Caller Process ID: -
> Transited Services: -
> Source Network Address: 127.0.0.1
> Source Port: 0
>
>
> ********************************************************
> Event Category: Logon/Logoff
> Event ID: 576
> Date: 3/18/2008
> Time: 9:57:01 AM
> User: NT AUTHORITY\SYSTEM
> Computer: **servername
> Description:
> Special privileges assigned to new logon:
> User Name: **servername$
> Domain: **domain
> Logon ID: (0x0,0x7B718C9)
> Privileges: SeSecurityPrivilege
> SeBackupPrivilege
> SeRestorePrivilege
> SeTakeOwnershipPrivilege
> SeDebugPrivilege
> SeSystemEnvironmentPrivilege
> SeLoadDriverPrivilege
> SeImpersonatePrivilege
> SeEnableDelegationPrivilege