This appendix contains information that can help you interpret security event messages.
When security event auditing is enabled, you can review security-related events by using
Event Viewer, a Microsoft Management Console snap-in. For information about enabling security
event auditing, see “Logon and Authentication” and “Authorization and Access Control”
in this book.
In this appendix:
Viewing Security Event Messages, page 2
System Event Messages, page 3
Logon Events, page 5
Object Access Events, page 11
Privilege Use Events, page 13
Detailed Tracking Events, page 14
Policy Change Events, page 16
User Management Events, page 21
Account Logon Events, page 32
Directory Service Access Events, page 34
Related Information
■ For more information about security events, see “Auditing Microsoft Windows Security
Events” in the Microsoft® Windows® Security Resource Kit.
2 Appendix E: Security Event Messages
Using the event ID number, you can locate the information you need in this appendix. The
security event messages are organized by category and include the following categories of
event messages:
■ System
■ Logon
■ Object access
■ Privilege use
■ Detailed tracking
■ Policy change
■ User management
■ Account logon
■ Directory service access
To simplify scanning and finding the information that you need, the event listings are sorted
numerically from lowest event ID number to highest. This numerical ordering is also helpful
because related security events are generally grouped together.
Note In several cases, numerical grouping of like events does not apply. These events are
cross-referenced in both their numerical and logical locations.
■ Configurable information that indicates whether the event can be configured to log
successes (that is, something happened), failures (something failed to happen), or both
failures and successes.
■ Formal name, which is the formal name for the security event. This information is useful
for programmers.
Note Many of the error event messages in this appendix apply to Active Directory®–based
environments and are not seen on Microsoft® Windows® XP Professional.
515 A trusted logon process has registered with the Local Security Authority.
Parameters: Logon process name.
Configurable Information: Success
Formal name: SE_AUDITID_SYSTEM_LOGON_PROC_REGISTER
Logon Events
Windows XP Professional and Windows 2000 Server generate logon-related events when a
user logs on interactively or remotely. These events are generated on the computer to which
the logon attempt was made. For more information about the different types of logons and the
logon process, see “Logon and Authentication” in this book.
529 The logon attempt was made with an unknown user name or a known user name with a bad password.
Parameters: User name, domain, or workstation that controls the user account, logon type,
source of the logon attempt, authentication package used for the logon attempt, name of the
workstation at which the logon attempt was made.
530 The user account tried to log on outside of the allowed time.
Parameters: User name, domain, or workstation that controls the user account, logon type,
source of the logon attempt, authentication package used for the logon attempt, name of the
workstation at which the logon attempt was made.
Logon time restrictions can only be configured for domain accounts. However, for non-
domain accounts, it is still possible to configure logon time restrictions programmatically.
The Net Logon service is needed for domain-style logon attempts or logon attempts to an
account that does not exist on the workstation at which the logon attempt is occurring.
In some cases, the reason for the logon failure might not be known. To find the individual status
codes, search for the files Ntstatus.h or Winerror.h, and then open them by using a text
editor such as Notepad.
539 The account was locked out at the time the logon attempt was made.
Parameters: User name, domain, or workstation that controls the user account, logon type,
source of the logon attempt, authentication package used for the logon attempt, name of the
workstation from which the logon attempt was made.
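The failed-logon events above (529, 530 and 539) are the ones an analyst triages first. The following added example is not part of the Resource Kit appendix: it parses a constructed, tab-separated export of Security log records (the column layout is an assumption, not Event Viewer's exact export format) and summarizes them the way a defender would, counting failures per account, listing accounts that hit 539 (lockout), and flagging source workstations that failed against many distinct accounts. Event 528 is included in the sample only as a non-failure record for contrast.

```python
"""Summarize failed-logon audits (events 529, 530, 539) from an exported Security log.

Added example, not from the Resource Kit. The sample log below is constructed;
the tab-separated, one-event-per-line layout is an assumption about the export.
"""
from collections import Counter, defaultdict

# Meanings as given in the appendix: 529 bad user name/password, 530 attempt
# outside the allowed hours, 539 account locked out at the time of the attempt.
FAILED_LOGON_EVENTS = {529: "bad user name or password",
                       530: "outside allowed logon hours",
                       539: "account locked out"}

# Constructed sample: date, time, event ID, user, domain, logon type, source workstation.
SAMPLE_LOG = """\
2004-03-01\t08:00:01\t529\tjsmith\tCORP\t2\tWS-17
2004-03-01\t08:00:05\t529\tjsmith\tCORP\t2\tWS-17
2004-03-01\t08:00:09\t529\tjsmith\tCORP\t2\tWS-17
2004-03-01\t08:00:13\t529\tjsmith\tCORP\t2\tWS-17
2004-03-01\t08:00:17\t539\tjsmith\tCORP\t2\tWS-17
2004-03-01\t08:02:40\t528\tadavis\tCORP\t2\tWS-03
2004-03-01\t23:10:02\t530\tnightop\tCORP\t3\tWS-44
2004-03-01\t23:11:55\t529\tadmin\tCORP\t3\tWS-99
2004-03-01\t23:11:56\t529\troot\tCORP\t3\tWS-99
2004-03-01\t23:11:57\t529\tguest\tCORP\t3\tWS-99
"""


def parse_events(text):
    """Parse one event per line into dicts; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 7:
            continue
        date, time, event_id, user, domain, logon_type, workstation = fields
        events.append({
            "date": date, "time": time, "event_id": int(event_id),
            "user": user, "domain": domain, "logon_type": int(logon_type),
            "workstation": workstation,
        })
    return events


def summarize_failures(events, threshold=3):
    """Aggregate failed logons for triage.

    Returns a dict with:
      failures_by_account: count of 529/530/539 per DOMAIN\\user
      lockouts: accounts that produced a 539
      suspicious_accounts: accounts with >= threshold failures (guessing)
      spraying_workstations: sources that failed against >= threshold distinct accounts
    """
    failures_by_account = Counter()
    lockouts = []
    accounts_per_workstation = defaultdict(set)
    for ev in events:
        if ev["event_id"] not in FAILED_LOGON_EVENTS:
            continue
        account = f'{ev["domain"]}\\{ev["user"]}'
        failures_by_account[account] += 1
        accounts_per_workstation[ev["workstation"]].add(account)
        if ev["event_id"] == 539 and account not in lockouts:
            lockouts.append(account)
    return {
        "failures_by_account": dict(failures_by_account),
        "lockouts": lockouts,
        "suspicious_accounts": sorted(
            a for a, n in failures_by_account.items() if n >= threshold),
        "spraying_workstations": sorted(
            w for w, accts in accounts_per_workstation.items() if len(accts) >= threshold),
    }


if __name__ == "__main__":
    summary = summarize_failures(parse_events(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On the sample, jsmith's four 529s followed by a 539 show up both as a suspicious account and as a lockout, while WS-99 is reported as a source that tried three different accounts in as many seconds; the threshold is a tuning knob, not a fixed rule.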
544 Main mode authentication failed because the peer did not provide a valid certificate or the signature was not validated.
Parameters: Peer identity (the other host involved in the authentication), a filter indicating a
subnet, a particular host, or all computers.
546 IKE security association establishment failed because the peer sent a proposal that is not valid. A packet was received that contained data that is not valid.
Parameters: Mode (main or quick, depending on when the error occurred), a filter (indicating a
subnet, a particular host, or all computers), incorrect attribute, expected value, received value.
548 The security ID (SID) from a trusted domain does not match the home domain SID of the client.
Parameters: User name, domain name, logon type, logon process, authentication package,
workstation name, impersonated domain.
During cross-forest authentication, all SIDs corresponding to untrusted namespaces are filtered
out. This event is triggered when this filtering action removes all SIDs.
This event message is generated when IKE has a large number of pending requests to establish
security associations and is beginning denial-of-service prevention mode. This might be normal
if caused by high computer loads or a large number of client connection attempts. It also
might be the result of a denial-of-service attack against IKE. If this is a denial-of-service attack,
there are usually many audits for failed IKE negotiations to spoofed IP addresses. Otherwise,
the computer is only extremely heavily loaded.
This event message is generated when a user is connected to a terminal server session over the
network. It appears on the terminal server.
Objects are accessed with handles. This event means that a handle was opened. It does not
mean that the object was actually accessed.
563 An attempt was made to open an object with the intent to delete it.
Parameters: Object server, object type, object name, handle ID, operation ID, process ID, primary
user name, primary domain, primary logon ID, client user name, client domain, client
logon ID, accesses, privileges.
This event message is also used to audit directory service access events.
A handle is created with certain granted permissions (read, write, and so on). When the handle
is used, one audit is generated for each of the permissions that was used.
568 An attempt was made to create a hard link to a file that is being audited.
Parameters: Primary user name, primary domain, primary logon ID, object name, link name.
The master key is used by the CryptProtectData and CryptUnprotectData routines, and
Encrypting File System (EFS). The master key is backed up each time a new one is created
(the default is 90 days). The key is usually backed up to a domain controller.
597 A data protection master key was recovered from a recovery server.
Parameters: Key ID, recovery server (the computer to which the key was backed up), recovery
key ID (identifying the key on the domain controller used to encrypt the master key), failure
reason.
Parameters: Process ID, image file name (the name of the process), user name, domain name,
logon ID.
IPSec policy involves settings that need to be applied to the computer. The IPSec audits
include filters (what traffic should be processed by IPSec) and filter actions (such as encryption
or authentication).
For more information about the user rights that are being audited, see the appendix “User
Rights” in this book.
This event is recorded on the domain controller on which the trusted domain object (TDO) is
created and not on any other domain controller to which the TDO is replicated.
This event is only recorded on the domain controller on which the trusted domain object
(TDO) is deleted.
This event is only recorded on the domain controller on which the trusted domain object
(TDO) is modified.
System access permissions can be interactive, network, batch, service, proxy, deny interactive,
deny network, deny batch, deny service, remote interactive, or deny remote interactive.
When a namespace element in one forest overlaps a namespace element in another forest, it
can lead to ambiguity in resolving a name belonging to one of the namespace elements. This
overlap is also called a collision. Not all parameters are valid for each namespace element. For
example, parameters such as DNS name, NetBIOS name, and SID are not valid for a “TopLevelName”
namespace element.
This event message is generated when forest trust information is updated and one or more
entries are added. One event message is generated per added entry. If multiple entries are
added, deleted, or modified in a single update of the forest trust information, all the generated
event messages have a single unique identifier called an operation ID. This allows you to determine
that the multiple generated event messages are the result of a single operation. Not all
parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS
name, and SID are not valid for an entry of type “TopLevelName”.
This event message is generated when forest trust information is updated and one or more
entries are deleted. One event message is generated per deleted entry. If multiple entries are
added, deleted, or modified in a single update of the forest trust information, all the generated
event messages have a single unique identifier called an operation ID. This allows you to determine
that the multiple generated event messages are the result of a single operation. Not all
parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS
name, and SID are not valid for an entry of type “TopLevelName”.
This event message is generated when forest trust information is updated and one or more
entries are modified. One event message is generated per modified entry. If multiple entries
are added, deleted, or modified in a single update of the forest trust information, all the generated
event messages have a single unique identifier called an operation ID. This allows you
to determine that the multiple generated event messages are the result of a single operation.
Not all parameters are valid for each entry type. For example, parameters such as DNS name,
NetBIOS name, and SID are not valid for an entry of type “TopLevelName”.
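The three forest-trust passages above (entries added, deleted and modified) all describe the same reconstruction task: one event per entry, with every event from the same update sharing an operation ID. The following added example is not part of the appendix; it groups a constructed set of such events by operation ID and flags entries that carry parameters not valid for their entry type. The numeric event IDs are not reproduced on this page, so the sample tags events by kind instead; the field names and the “DomainInfo” entry type used for contrast are assumptions.

```python
"""Group forest-trust-information audit events by operation ID.

Added example, not from the Resource Kit. Events are constructed; field names
are assumptions. Per the appendix, DNS name, NetBIOS name and SID are not
valid for a "TopLevelName" entry.
"""
from collections import defaultdict

# Constructed sample: two updates (operation IDs 0x3a1 and 0x3b7).
SAMPLE_EVENTS = [
    {"kind": "added", "operation_id": "0x3a1", "entry_type": "TopLevelName",
     "name": "fabrikam.test", "dns_name": None, "netbios_name": None, "sid": None},
    {"kind": "added", "operation_id": "0x3a1", "entry_type": "DomainInfo",
     "name": "fabrikam.test", "dns_name": "fabrikam.test",
     "netbios_name": "FABRIKAM", "sid": "S-1-5-21-9-9-9"},
    {"kind": "deleted", "operation_id": "0x3a1", "entry_type": "TopLevelName",
     "name": "old.fabrikam.test", "dns_name": None, "netbios_name": None, "sid": None},
    {"kind": "modified", "operation_id": "0x3b7", "entry_type": "DomainInfo",
     "name": "contoso.test", "dns_name": "contoso.test",
     "netbios_name": "CONTOSO", "sid": "S-1-5-21-8-8-8"},
    # Malformed on purpose: a TopLevelName entry carrying a SID.
    {"kind": "added", "operation_id": "0x3b7", "entry_type": "TopLevelName",
     "name": "bad.contoso.test", "dns_name": None, "netbios_name": None,
     "sid": "S-1-5-21-7-7-7"},
]

# Parameters the appendix says are not valid for a TopLevelName entry.
INVALID_FOR_TOP_LEVEL_NAME = ("dns_name", "netbios_name", "sid")


def invalid_parameters(event):
    """Return the parameter names present on the event that its entry type does not allow."""
    if event["entry_type"] != "TopLevelName":
        return []
    return [p for p in INVALID_FOR_TOP_LEVEL_NAME if event.get(p) is not None]


def reconstruct_operations(events):
    """Group per-entry events into {operation_id: {"added": [...], "deleted": [...], "modified": [...]}}."""
    ops = defaultdict(lambda: {"added": [], "deleted": [], "modified": []})
    for ev in events:
        ops[ev["operation_id"]][ev["kind"]].append(ev["name"])
    return dict(ops)


def summarize(events):
    """One record per update, plus the entries whose parameters do not fit their type."""
    ops = reconstruct_operations(events)
    return {
        "operations": ops,
        "operation_count": len(ops),
        "entries_per_operation": {op: sum(len(v) for v in kinds.values())
                                  for op, kinds in ops.items()},
        "invalid": {ev["name"]: invalid_parameters(ev)
                    for ev in events if invalid_parameters(ev)},
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

Five events collapse into two operations, which is the view an administrator wants when asking “what changed in the trust in this update”; the validity check is a sanity test on the audit data itself, not on the trust.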
In addition, from event 648 to event 685, some events include the phrase
SECURITY_DISABLED in their formal names. This means that these groups cannot be used
to grant permissions in access checks. If the SID representing a security-disabled group
appears in a user’s token, it is only used to verify deny access control entries (ACEs) during an
access check. A SECURITY_ENABLED group is used to verify all ACEs during an access
check.
For more information about access tokens and the roles and use of local, global, or universal
groups, see “Authorization and Access Control” in this book.
This happens when a user attempts to log on unsuccessfully multiple times (the number of
attempts is configured by the administrator).
SECURITY_DISABLED in the formal name means that this group cannot be used to grant
permissions in access checks. If the SID representing a security-disabled group appears in a
user’s token, it is only used to verify deny access control entries (ACEs) during an access
check. A SECURITY_ENABLED group is used to verify all ACEs during an access check.
For more information about access tokens and the roles and usage of local, global, or universal
groups, see “Authorization and Access Control” in this book.
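Both passages above on SECURITY_DISABLED and SECURITY_ENABLED groups describe the same rule: a security-disabled group SID in a token can only satisfy deny ACEs, never allow ACEs. The following added example is not part of the appendix; it models that rule in a simplified DACL walk (owner rights, generic mapping and inheritance are deliberately left out, and all SIDs, group names and the ACL are constructed) so the effect of the flag on an access check can be seen directly.

```python
"""Show how SECURITY_ENABLED vs SECURITY_DISABLED group SIDs affect an access check.

Added example, not from the Resource Kit. This is a simplified model of DACL
evaluation: ACEs are walked in order, deny ACEs match every SID in the token,
allow ACEs match only enabled SIDs. Owner rights, generic-right mapping and
inheritance are omitted. All SIDs and ACEs below are constructed.
"""
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2


@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str
    mask: int


@dataclass(frozen=True)
class TokenGroup:
    sid: str
    enabled: bool  # True = SECURITY_ENABLED, False = SECURITY_DISABLED (deny-only)


def access_check(token_user, token_groups, dacl, requested):
    """Return True if every requested bit is granted before a matching deny ACE is hit."""
    all_sids = {token_user} | {g.sid for g in token_groups}
    enabled_sids = {token_user} | {g.sid for g in token_groups if g.enabled}
    remaining = requested
    for ace in dacl:
        if remaining == 0:
            break
        # A deny ACE is checked against all SIDs, enabled or not.
        if ace.kind == "deny" and ace.sid in all_sids and ace.mask & remaining:
            return False
        # An allow ACE can only be satisfied by an enabled SID.
        if ace.kind == "allow" and ace.sid in enabled_sids:
            remaining &= ~ace.mask
    return remaining == 0


# Constructed DACL: Contractors may never write, Engineering has read+write, Auditors read.
DACL = [
    Ace("deny", "S-1-5-21-1-1-1-2001", WRITE),
    Ace("allow", "S-1-5-21-1-1-1-1001", READ | WRITE),
    Ace("allow", "S-1-5-21-1-1-1-3001", READ),
]


def demo():
    """Run the same DACL against tokens that differ only in the group flags."""
    user = "S-1-5-21-1-1-1-500"
    eng_enabled = TokenGroup("S-1-5-21-1-1-1-1001", enabled=True)
    eng_disabled = TokenGroup("S-1-5-21-1-1-1-1001", enabled=False)
    contractors_disabled = TokenGroup("S-1-5-21-1-1-1-2001", enabled=False)
    return {
        # Enabled Engineering membership grants read and write.
        "enabled_grants": access_check(user, [eng_enabled], DACL, READ | WRITE),
        # The same group, security-disabled, grants nothing.
        "disabled_does_not_grant": access_check(user, [eng_disabled], DACL, READ),
        # A security-disabled Contractors SID still triggers the deny ACE for write.
        "disabled_still_denies": access_check(
            user, [eng_enabled, contractors_disabled], DACL, WRITE),
        # The write-only deny does not touch a read request.
        "disabled_deny_scope": access_check(
            user, [eng_enabled, contractors_disabled], DACL, READ),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two middle cases are the ones the appendix is pointing at: the disabled Engineering SID cannot satisfy the allow ACE, while the disabled Contractors SID still fails the check when the deny ACE overlaps the requested access.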
This event occurs on the Key Distribution Center (KDC) when a Kerberos logon attempt takes
place. One AS ticket is granted per logon session.
This event occurs on the KDC and means that a user presented an AS ticket and was given a
TGS ticket for some service.
This event occurs on the KDC and is currently only caused by non-Windows-based clients
because Windows-based clients do not renew tickets, but reacquire them instead. This event
occurs on the KDC user name of the client.
This event message is generated on the KDC for reasons such as the user typing in a wrong
password, a large difference between the clock time on the client and the KDC, or a smart card
logon error.
This audit appears on the domain controller or wherever the account exists. The following
error codes are possible:
In each of these events, descriptive text gives detailed information about each specific logon
attempt. Also, on Windows XP Professional you can enable success and failure auditing of the
Account Logon category of events, which enables the following events:
The following account logon events are included in “Logon Events” earlier in this appendix: