r. wales
Guest
Every morning I review the logs on my DCs. On my PDC this morning I saw
Security events logged through the night for our users and workstations. We
shut down the workstations at the end of the day so no machines were actually
on. The events I saw were event 674, Service Ticket Renewed. Samples
provided below:
-- entry for workstation/server
Event Type: Success Audit
Event Source: Security
Event Category: Account Logon
Event ID: 674
Date: 5/28/2008
Time: 5:05:54 AM
User: NT AUTHORITY\SYSTEM
Computer: <servername>
Description:
Service Ticket Renewed:
User Name: <workstationname>$@<domainname>
User Domain: <domainname>
Service Name: krbtgt
Service ID: <domain>\krbtgt
Ticket Options: 0x2
Ticket Encryption Type: 0x17
Client Address: 127.0.0.1
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
-- entry for user
Event Type: Success Audit
Event Source: Security
Event Category: Account Logon
Event ID: 674
Date: 5/28/2008
Time: 4:59:56 AM
User: NT AUTHORITY\SYSTEM
Computer: <servername>
Description:
Service Ticket Renewed:
User Name: <username>@<domainname>
User Domain: <domainname>
Service Name: krbtgt
Service ID: <domain>\krbtgt
Ticket Options: 0x2
Ticket Encryption Type: 0x17
Client Address: 127.0.0.1
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
I occasionally see one or two of these entries through the night. However,
last night it appears that every one of my users and machines turns up at
least once. The client address for all of the log entries is the local
127.0.0.1.
Any suggestions as to why these are showing up now? Does this look like
anything to be concerned about? The only changes made were the installation
of CA Antivirus on Monday and log changes for an hour or so on Tuesday
afternoon. Logon auditing was changed from -Failure- to -Success and
Failure- for testing and then back to -Failure- only. Could this have
triggered it?
Server info: win2k3 standard sp2; fully patched
Thanks in advance!
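An added example, not part of the original post: a Python sketch that tallies event 674 renewals by account kind (machine accounts end in `$`) and client address, from event text exported in the layout shown above. The sample entries, the account names and the 10.0.0.5 address are constructed; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the layout of the entries above (placeholder names).
SAMPLE = """\
Event Type: Success Audit
Event ID: 674
User Name: WS01$@EXAMPLE.LOCAL
Client Address: 127.0.0.1
Event Type: Success Audit
Event ID: 674
User Name: alice@EXAMPLE.LOCAL
Client Address: 127.0.0.1
Event Type: Success Audit
Event ID: 674
User Name: alice@EXAMPLE.LOCAL
Client Address: 10.0.0.5
Event Type: Success Audit
Event ID: 672
User Name: bob@EXAMPLE.LOCAL
Client Address: 10.0.0.6
"""

def parse_events(text):
    """Split exported event text into one dict of fields per event."""
    events = []
    # Each entry starts with an "Event Type:" line, as in the samples.
    for block in re.split(r"(?m)^(?=Event Type:)", text):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:  # lines without a colon carry no field
                fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events

def summarize_renewals(events):
    """Count event 674 entries per (account kind, client address)."""
    counts, accounts = Counter(), set()
    for ev in (e for e in events if e.get("Event ID") == "674"):
        name = ev.get("User Name", "").split("@")[0]
        kind = "machine" if name.endswith("$") else "user"
        counts[(kind, ev.get("Client Address", "?"))] += 1
        accounts.add(name)
    return counts, accounts

if __name__ == "__main__":
    print(summarize_renewals(parse_events(SAMPLE)))
```

Comparing the per-address counts from one night against another shows whether the loopback renewals are a one-off or a new baseline.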