Daily IT Matters, this is the place where I post my daily findings on IT.

Friday, July 25, 2008

Security Events You Can Safely Ignore

Well, as a System Administrator you browse through literally 100,000 event log entries every week.
Below you will find a list posted by Microsoft. This list tells you which events you can safely ignore.

This will make your life a bit easier... (I hope)


You can find the original document here


Event IDs Occurrence Comments

Occurrence: User logoff
Comments: This event does not necessarily indicate the time that the user stopped using the computer. For example, if the user turns the computer off without first logging off, or if the network connection to a share breaks, the computer might not record a logoff at all, or might record a logoff only when the computer notices that the connection is broken.

Occurrence: User initiates logoff
Comments: Use Event 538, which confirms logoff, instead.

Occurrence: A handle to an object closed
Comments: Always records a success.

Occurrence: Client Context deleted by Authorization Manager.
Comments: Normal where Authorization Manager is in use.

Occurrence: Process generates nonsystem audit event with Authorization Application Programming Interface (AuthZ API)
Comments: Typical behavior.

Occurrence: Privilege service called, privileged object operation
Comments: These high volume events typically do not contain enough information either to understand what happened or to act upon them.

Occurrence: A handle to an object was duplicated
Comments: Typical behavior.

Occurrence: Indirect access to an object was obtained
Comments: Typical behavior.

Occurrence: Backup of data protection master key
Comments: Occurs automatically every 90 days with default settings.

Occurrence: Recovery of data protection master key
Comments: Typical behavior.

Occurrence: Event 624 where User equals System, followed by 642 where Target Account Name equals IUSR_machinename or IWAM_machinename and Caller User Name equals machinename$.
Comments: This event sequence indicates that an administrator has installed IIS on the computer.

Occurrence: User equals System and all three events have the same time-stamp and New/Target Account Name equals HelpAssistant and Caller User Name equals DCname$
Comments: This sequence is generated when an administrator installs Active Directory on a computer that runs Windows Server 2003.

Event IDs: 624 or
Occurrence: User equals ExchangeServername$ and Target Account Name is a Globally Unique Identifier (GUID)
Comments: This event occurs when an Exchange Server first comes online and automatically generates system mailboxes.

Occurrence: Caller User Name is any user and New Account Name is machinename$
Comments: A user in the domain has created or connected a new computer account in the domain. This event is acceptable if users have the right to join computers to a domain; otherwise you should investigate this event.

Occurrence: User equals System and Target Account Name equals TsInternetUser and Caller User Name is usually DCname$
Comments: These events result from the normal behavior of a computer that runs Terminal Services.

Occurrence: Kerberos AS Ticket request
Comments: If you collect logon events 528 and 540 from all computers, event 672 might not contain any additional useful information, as it just records that a Kerberos TGT was granted. There must still be a service ticket granted (event 673) for any access to occur.

Occurrence: Account Logon
Comments: If you are collecting logon events 528 and 540 from all computers, event 680 might not contain any additional useful information, because it just records validation of the account credentials. A separate logon event records what the user accessed.

Occurrence: Password policy checking API called
Comments: Typical behavior.

Occurrence: Forest namespace collision
Comments: Not security related.

Occurrence: Trusted forest information added, deleted or modified
Comments: These events indicate normal operation of inter-forest trusts. You should not confuse these with addition, deletion, or modification of the trust itself.

Event IDs: 832 to 841
Occurrence: Various Active Directory replication issues
Comments: No security implications.
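As an added example (my own code, not from the original post or from Microsoft's document), here is a small Python triage filter that applies the rules above which carry an event ID on this page: 672 and 680 add nothing once logon events 528 and 540 are collected, 832 to 841 are replication noise, and a 624 from System followed by a 642 for IUSR_/IWAM_machinename with caller machinename$ is an IIS install. Everything else is kept for review, so the filter only removes what the table says is safe. The record layout, the hostname WEB01 and the sample events are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class SecEvent:
    event_id: int
    user: str                                  # the "User" column of the table
    fields: Dict[str, str] = field(default_factory=dict)  # other named fields
REDUNDANT_WITH_LOGON = {672, 680}      # TGT granted / credential validation
AD_REPLICATION = set(range(832, 842))  # 832 to 841: replication, not security

def is_iis_install(ev: SecEvent, nxt: Optional[SecEvent], hostname: str) -> bool:
    """624 with User System, then 642 for IUSR_/IWAM_<host> called by <host>$."""
    if nxt is None or ev.event_id != 624 or nxt.event_id != 642 or ev.user.upper() != "SYSTEM":
        return False
    target = nxt.fields.get("Target Account Name", "")
    caller = nxt.fields.get("Caller User Name", "")
    return target in {f"IUSR_{hostname}", f"IWAM_{hostname}"} and caller == f"{hostname}$"

def triage(events: List[SecEvent], hostname: str, collecting_logon_events: bool = True):
    # Returns (kept, ignored); each ignored entry carries the table's reason.
    kept, ignored = [], []
    skip_next = False
    for i, ev in enumerate(events):
        if skip_next:                       # the 642 half of an IIS install pair
            ignored.append((ev, "second half of IIS install sequence"))
            skip_next = False
            continue
        nxt = events[i + 1] if i + 1 < len(events) else None
        if ev.event_id in AD_REPLICATION:
            ignored.append((ev, "AD replication issue, no security implications"))
        elif collecting_logon_events and ev.event_id in REDUNDANT_WITH_LOGON:
            ignored.append((ev, "redundant with logon events 528/540"))
        elif is_iis_install(ev, nxt, hostname):
            ignored.append((ev, "IIS install sequence (624 then 642)"))
            skip_next = True
        else:
            kept.append(ev)                 # everything else still needs review
    return kept, ignored

# Constructed sample log for host WEB01 (not real data).
SAMPLE = [
    SecEvent(528, "alice"),
    SecEvent(672, "alice"),
    SecEvent(680, "alice"),
    SecEvent(624, "SYSTEM"),
    SecEvent(642, "SYSTEM", {"Target Account Name": "IUSR_WEB01", "Caller User Name": "WEB01$"}),
    SecEvent(835, "SYSTEM"),
    SecEvent(624, "bob"),   # account created by an ordinary user: keep for review
]
```

Running `triage(SAMPLE, "WEB01")` keeps only the 528 logon and bob's 624, which is the one record in the sample that the table says to investigate.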

Tuesday, July 08, 2008

TrueCrypt 6.0 !

TrueCrypt is changing fast; it seems only yesterday that version 4 came out.
When they released version 5 earlier this year with the support for encrypted filesystems, I didn't think they would release version 6 anytime soon.

But hey, here it is, and it should be pretty neat considering the following:

Ability to create and run an encrypted hidden operating system whose existence is impossible to prove (provided that certain guidelines are followed). For more information, see the section Hidden Operating System. (Windows Vista/XP/2008/2003)
For security reasons, when a hidden operating system is running, TrueCrypt ensures that all local unencrypted filesystems and non-hidden TrueCrypt volumes are read-only. (Data is allowed to be written to filesystems within hidden TrueCrypt volumes.)
Note: We recommend that hidden volumes are mounted only when a hidden operating system is running. For more information, see the subsection Security Precautions Pertaining to Hidden Volumes.

You can download TrueCrypt here