I am running a Win2012 server in VMware, I have installed IIS, NAP, VPN, DHCP, DNS, WDS, AD DS, AD CS. I have win7 clients in my domain, but they're not turned on.
The problem is, I am getting a crasy amount of events with ID 4634, 4624 and 4672. I am receiving 1 event every 2 seconds pretty much. They are all coming from my Win2012 server.
Logon event example:
An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Impersonation Level: Delegation
New Logon:
Security ID: SYSTEM
Account Name: DC-SERVER$
Account Domain: SKOLE
Logon ID: 0x20BE923
Logon GUID: GUID
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name:
Source Network Address: fe80::e130:38a0:ae35:35bd
Source Port: 58047
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
The Impersonation changes between Delegation and Impersonation. The source port also changes all the time.
As you can see, these events occur a number of times in the exact same second. I have absolutely no idea what is causing this. I have googled and searched the forum for answers, but I haven't been able to find anything that helped.
And for anyone telling me to turn off audit – No I will not, I want to find the problem or get a good explanation.
Update:
Apparently I've had this problem for quite a while, but I haven't really noticed untill now. I have a snapshot of my server where I don't have NAP, VPN and AD CS installed but I'm still getting a ton of events. I am sure that this has something to do with AD. Anyone out there who can help?
Best Answer
Judging by the name of the server containing DC, I assume this is a domain controller.
Also note that the Logon Type is 3, meaning a network logon.
For 4624 and 4634 events with logon type 3:
You'll see these events quite a lot on a domain controller, as its main business is authenticating...
Generally these are very noisy and not that often used for actual forensics. Without other applications to filter out the noise.
For 4672 (Special logon events):
This comes from anything requiring special privileges.
Running a scheduled task with administrator privileges, an application that has run as administrator ticked on, or just logging on with an administrator account,...
You could review these and see what's running with special privileges and whether or not it should be.