Event Viewer-Security

Event Viewer plays an important role in simply viewing Computer login information, checking whether the system has errors, and whether the system has been intruded. Microsoft uses event IDs to represent some information for convenience, below is the correspondence between WIN2003 I found from Microsoft.

Event ID: 517 audit log cleared
Event ID: 528 the client connection IP address is displayed after successful logon.
Event ID: 683 you can view the client computer name for session interruption from winstation
Event ID: 624 User Account Created
Event ID: 626 the user account is enabled.
Event ID: 627 the user password has been changed
Event ID: 628 set the User Password

Windows Server 2003 Security Event ID analysis
According to the following ID, we can quickly identify by Microsoft? The Windows Server 2003 operating system generates security events. What exactly does the event mean.

I. Account Logon Events

The following shows the security events generated by the "Audit Account Logon Events" security template settings.

672: The AS ticket has been issued and verified.

673: The authorization ticket service (TGS) ticket is authorized. TGS is a ticket issued by the Kerberos v5 ticket Authorization Service (TGS). It allows users to authenticate specific services in the domain.

674: The security subject has updated the AS ticket or TGS ticket.

675: Pre-authentication failed. This event is generated in the Key Distribution Center (KDC) when you type an incorrect password.

676: authentication ticket request failed. This event is not generated in members of Windows XP Professional or Windows Server family.

677: The TGS ticket is unauthorized. This event is not generated in members of Windows XP Professional or Windows Server family.

678: the account has been successfully mapped to the domain account.

681: Logon Failed. Attempt to log on to the domain account. This event is not generated in members of Windows XP Professional or Windows Server family.

682: the user has reconnected to the disconnected Terminal Server session.

683: disconnect the Terminal Server session without canceling the cancellation.

Ii. account management events

The following shows the security events generated by the "Audit Account Management" security template settings.

624: the user account has been created.

627: the user password has been changed.

628: the user password has been set.

630: the user account has been deleted.

631: The global group has been created.

632: the member has been added to the global group.

633: the member has been deleted from the global group.

634: The Global Group has been deleted.

635: a local group has been created.

636: the member has been added to the local group.

637: the member has been deleted from the local group.

638: the local group has been deleted.

639: the local group account has been changed.

641: The global group account has been changed.

642: the user account has been changed.

643: The Domain Policy has been modified.

644: the user account is automatically locked.

645: The computer account has been created.

646: The computer account has been changed.

647: The computer account has been deleted.

648: The Security disabled local security group has been created.

Note:

In the official name, SECURITY_DISABLED means that this group cannot be used to authorize access checks.

649: The Security disabled local security group has been changed.

650: the member has been added to the security-disabled local security group.

651: the member has been deleted from the disabled security Local Security Group.

652: The Security disabled local group has been deleted.

653: The Security disabled global group has been created.

654: The Security disabled global group has been changed.

655: the member has been added to the disabled security global group.

656: the member has been deleted from the disabled security global group.

657: The Globally disabled security group has been deleted.

658: the security-enabled universal group has been created.

659: the security-enabled universal group has been changed.

660: the member has been added to the security-enabled universal group.

661: the member has been deleted from the security-enabled universal group.

662: the security-enabled general-purpose group has been deleted.

663: The Security disabled universal group has been created.

664: The Security disabled general group has been changed.

665: the member has been added to the disabled security group.

666: the member has been deleted from the disabled security group.

667: The Security disabled general group has been deleted.

668: The group type has been changed.

684: The security descriptor of the Management Group member has been set.

Note:

On the domain controller, every 60 Minutes, the background thread searches all the members of the Management Group (such as the domain, enterprise, and architecture administrator) and applies a fixed security descriptor to it. This event has been recorded.

685: the account name has been changed.

Iii. Directory Service Access Events

The following shows the security events generated by the "Audit Directory Service Access" security template settings.

566: A general object operation occurs.

Iv. logon event ID

528: the user successfully logs on to the computer.

529: Logon Failed. Attempt to log on with an unknown user name or known user name but incorrect password.

530: Logon Failed. Try to log on outside of the permitted time.

531: Logon Failed. Attempt to log on with a disabled account.

532: Logon Failed. Try to log on with an expired account.

533: Logon Failed. User attempts to log on to the specified computer are not allowed.

534: Logon Failed. The user attempts to log on with an unsupported password.

535: Logon Failed. The password of the specified account has expired.

536: Logon Failed. The. Net Logon Service is not started.

537: Logon Failed. The logon attempt fails for other reasons.

Note:

In some cases, the cause of Logon failure may be unknown.

538: the cancellation process has been completed.

539: Logon Failed. The account is locked when you try to log on.

540: the user successfully logs on to the network.

541: the main mode of Internet Key Exchange (IKE) authentication between the local computer and the listed peer-to-peer client identity (Security Association established) has been completed, or the data channel has been established in quick mode.

542: the data channel has been terminated.

543: The main mode has been terminated.

Note:

This situation occurs if the security association time limit (8 hours by default) expires, the policy is changed, or the peer-to-peer termination occurs.

544: The primary Mode Authentication fails because the peer client does not provide a valid certificate or the signature is invalid.

545: Authentication in main mode fails due to Kerberos failure or invalid password.

546: The proposal sent by the peer client is invalid, causing the establishment of IKE Security Association to fail. The received package contains invalid data.

547: an error occurs during the IKE handshake.

548: Logon Failed. The security identifier (SID) from the trusted domain does not match the account domain SID of the client.

549: Logon Failed. When the forest performs identity authentication, all the sid related to the untrusted namespace will be filtered out.

550: A notification message that can be used to indicate possible DoS attacks.

551: the user has started the logout process.

552: the user uses clear creden。 to successfully log on to the computer that another user has logged on.

682: the user has reconnected to the disconnected Terminal Server session.

683: disconnect the Terminal Server session if the user has not logged out. Note: This event is generated when you connect to the terminal server session over the network. This event appears on the terminal server.

V. Object Access Events

The following shows the security events generated by the "Audit Object Access" security template settings.

560: the access permission has been granted to an existing object.

562: The handle pointing to the object has been closed.

563: Try to open an object and delete it.

Note:

When the FILE_Delete_ON_CLOSE tag is specified in Createfile (), this event can be used in the file system.

564: the protected object has been deleted.

565: the access permission has been granted to the existing object type.

567: The permission associated with the handle is used.

Note:

When creating a handle, you have granted it specific permissions, such as reading and writing. When a handle is used, a maximum of one audit can be generated for each used permission.

568: try to create a hard link with the file being reviewed.

569: The resource manager in the authorization manager tries to create the client context.

570: the client tries to access the object.

Note:

Each attempt on this object generates an event.

571: the client context is deleted by the authorization Manager application.

572: Administrator Manager initializes this application.

772: The Certificate Manager has rejected the pending certificate application.

773: The Certificate Service has received a resubmit certificate application.

774: The Certificate Service has revoked the certificate.

775: The Certificate Service has received a request to issue the Certificate Revocation List (CRL.

776: Certificate Service has issued CRL.

777: Certificate Application extensions have been developed.

778: Multiple Certificate Application attributes have been changed.

779: The Certificate Service has received a shutdown request.

780: Certificate Service backup has been started.

781: Certificate Service backup has been completed.

782: The certificate service has been restored.

783: The certificate service has been restored.

784: The Certificate Service has started.

785: The Certificate Service has stopped.

786: The security permissions of the Certificate Service have been changed.

787: The Certificate Service has retrieved the archived key.

788: The Certificate Service has imported the certificate into its database.

789: The certificate service has been reviewed and filtered.

790: The Certificate Service has received the certificate application.

791: The Certificate Service has approved the certificate application and issued a certificate.

792: The Certificate Service has rejected the certificate application.

793: The Certificate Service sets the Certificate Application Status to pending.

794: The Certificate Manager settings of the Certificate Service have been changed.

795: the configuration items in the Certificate Service have been changed.

796: The certificate service attributes have been changed.

797: The Certificate Service has archived the key.

798: import the Certificate Service Key and archive it.

799: Has the Certificate Authority (CA) certificate been issued to Microsoft Active Directory? Directory Service.

800: one or more rows have been deleted from the certificate database.

801: Role separation is enabled.

Vi. Audit Policy Change Events

The security events generated by "Audit Policy Change" security template settings are shown below.

608: user permissions have been assigned.

609: the user permission has been deleted.

610: the trust relationship with other domains has been created.

611: the trust relationship with other domains has been deleted.

612: The Audit Policy has been changed.

613: the Internet Protocol Security (IPSec) policy proxy has been started.

614: the IPSec Policy proxy is disabled.

615: the IPSec Policy proxy has been changed.

616: the IPSec Policy proxy encounters a serious fault.

617: the Kerberos v5 policy has been changed.

618