Microsoft-Windows-Security-Auditing

Similar Messages

• The event logging service encountered an error while processing an incoming event published from Microsoft-Windows-Security-Auditing.

  Last night, some of our systems installed updates released on 11/13/2014.  
  KB3021674
  KB2901983
  KB3023266
  KB3014029
  KB3022777
  KB3020388
  KB890830
  Today, all of the servers running Windows Server 2008 R2 started logging the following error in the Security log over and over:
  Log Name:      Security
  Source:        Microsoft-Windows-Eventlog
  Date:          1/15/2015 11:12:39 AM
  Event ID:      1108
  Task Category: Event processing
  Level:         Error
  Keywords:      Audit Success
  User:          N/A
  Description:
  The event logging service encountered an error while processing an incoming event published from Microsoft-Windows-Security-Auditing.
  Servers running Windows Server 2008 that also installed the updates are not experiencing the problem.  It looks like one of the updates may have introduced this problem with Server 2008 R2.

  ...Did you for sure confirm that:
  https://technet.microsoft.com/library/security/MS15-001
  is the cause?
  I did.  I had a VM that was not experiencing the problem.  I took a snapshot and tested the patches one by one.  Installing only KB3023266 immediately caused the issue to occur (after reboot).  A similar process was used to confirm that
  installing KB2675611 resolved the problem.
  Note that I found the installation of KB2675611 is usually quick, but it took several hours hours to install on some of our systems.  We had installed this patch a few months ago on a couple of servers and it was always quick to install.  But,
  it seems like installing it on a symptomatic system can cause it to take a long time.

• Multiple security audit failures a second

  A client's SBS 2011 machine is experiencing multiple audit failures a second and we believe it is diminishing the performance of the machine. We can't seem to find the source or how to remedy the issue. It its happening way too fast to be a human trying
  to login. 
  Keywords Date and Time Source Event ID Task Category
  Audit Success 6/18/2014 1:50:32 PM Microsoft-Windows-Security-Auditing 4905 Audit Policy Change "An attempt was made to unregister a security event source.
  Subject
  Security ID: SYSTEM
  Account Name: SBS$
  Account Domain: <ommited from forum post>
  Logon ID: 0x3e7
  Process:
  Process ID: 0x10d4
  Process Name: C:\Program Files\Windows Server\Bin\SharedServiceHost.exe
  Event Source:
  Source Name: ServiceModel 4.0.0.0
  Event Source ID: 0x262070f0"
  Audit Success 6/18/2014 1:50:32 PM Microsoft-Windows-Security-Auditing 4904 Audit Policy Change "An attempt was made to register a security event source.
  Subject :
  Security ID: SYSTEM
  Account Name: SBS$
  Account Domain: < ommited from forum post >
  Logon ID: 0x3e7
  Process:
  Process ID: 0x10d4
  Process Name: C:\Program Files\Windows Server\Bin\SharedServiceHost.exe
  Event Source:
  Source Name: ServiceModel 4.0.0.0
  Event Source ID: 0x262070f0"
  Audit Failure 6/18/2014 1:50:32 PM Microsoft-Windows-Security-Auditing 4625 Logon "An account failed to log on.
  Subject:
  Security ID: SYSTEM
  Account Name: SBS$
  Account Domain: <ommited from forum post>
  Logon ID: 0x3e7
  Logon Type: 3
  Account For Which Logon Failed:
  Security ID: NULL SID
  Account Name:
  Account Domain:
  Failure Information:
  Failure Reason: Unknown user name or bad password.
  Status: 0xc000006d
  Sub Status: 0xc0000064
  Process Information:
  Caller Process ID: 0x24c
  Caller Process Name: C:\Windows\System32\lsass.exe
  Network Information:
  Workstation Name: SBS
  Source Network Address: -
  Source Port: -
  Detailed Authentication Information:
  Logon Process: Schannel
  Authentication Package: Kerberos
  Transited Services: -
  Package Name (NTLM only): -
  Key Length: 0
  Subject
  Security ID:
  SYSTEM
  Account Name:
  SBS$
  Account Domain:
  <ommited from forum post>
  Logon ID:
  0x3e7
  Process:
  Process ID:
  0x131c
  Process Name:
  C:\Program Files\Windows Server\Bin\SharedServiceHost.exe
  Event Source:
  Source Name:
  ServiceModel 4.0.0.0
  Event Source ID:
  0x26206ef4"
  Audit Success 6/18/2014 1:50:32 PM
  Microsoft-Windows-Security-Auditing
  4904 Audit Policy Change
  "An attempt was made to register a security event source.
  Subject :
  Security ID:
  SYSTEM
  Account Name:
  SBS$
  Account Domain:
  <ommited from forum post>
  Logon ID:
  0x3e7
  Process:
  Process ID:
  0x131c
  Process Name:
  C:\Program Files\Windows Server\Bin\SharedServiceHost.exe
  Event Source:
  Source Name:
  ServiceModel 4.0.0.0
  Event Source ID:
  0x26206ef4"
  Audit Failure 6/18/2014 1:50:32 PM
  Microsoft-Windows-Security-Auditing
  4625 Logon
  "An account failed to log on.
  Subject:
  Security ID:
  SYSTEM
  Account Name:
  SBS$
  Account Domain:
  <ommited from forum post>
  Logon ID:
  0x3e7
  Logon Type: 3
  Account For Which Logon Failed:
  Security ID:
  NULL SID
  Account Name:
  Account Domain:
  Failure Information:
  Failure Reason:
  Unknown user name or bad password.
  Status:
  0xc000006d
  Sub Status:
  0xc0000064
  Process Information:
  Caller Process ID:
  0x24c
  Caller Process Name:
  C:\Windows\System32\lsass.exe
  Network Information:
  Workstation Name:
  SBS
  Source Network Address:
  Source Port:
  Detailed Authentication Information:
  Logon Process:
  Schannel
  Authentication Package:
  Kerberos
  Transited Services:
  Package Name (NTLM only):
  Key Length:
  0
  Jerry T

  Hi Jerry,
  Windows logs logon type 3 in most cases when you access a computer from elsewhere on the network. This is usually
  related to share folders, printers, IIS and so on.
  Would you please let me confirm whether you had installed some third-party applications?
  Meanwhile, please refer to Robert’s suggestion in the following similar thread and check if can help you.
  Audit
  Failure - Event 4625
  If any update, please feel free to let me know.
  Hope this helps.
  Best regards,
  Justin Gu

• Failed to run task \Microsoft\Windows\WS\License Validation. Error Code: 0x80041326

  Today I noticed this message in the event viewer:
  Event ID: 16387Severity: ErrorSource: Microsoft-Windows-Security-SPPLog: ApplicationMessage: Failed to run task \Microsoft\Windows\WS\License Validation. Error Code: 0x80041326
  Does this mean the free eval use version of Windows Server 2012 has expired?
  OS: Windows Server 2012 RC Build 8400
  Thanks

  Hello Darrell:
  Thank you for responding to my issue.  Here is the output you requested:
  Windows Script Host
  Software licensing service version: 6.2.8400.0
  Name: Windows(R), ServerDatacenter edition
  Description: Windows(R) Operating System, RETAIL channel
  Activation ID: c3dbac02-e65b-48bc-a61e-e14befbdd674
  Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
  Extended PID: 03612-01333-001-000805-00-1033-8400.0000-2382012
  Installation ID: 090195464127466880553502868392878303995792363977152161148874086
  Use License URL: https://activation.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
  Validation URL: https://validation.sls.microsoft.com/SLWGA/slwga.asmx
  Partial Product Key: 78KXV
  License Status: Licensed
  Evaluation End Date: 1/15/2013 3:59:59 PM
  Remaining Windows rearm count: 1000
  Trusted time: 9/15/2012 3:37:56 PM
  OK   
  Your request for info got me thinking about another oddity I've been working on this week - My firewall (NetGear SRX5308) shows dropped incoming packets from ip 65.55.121.94 with source port 443 and destination port 55338.  ARIN shows the ip belongs
  to MICROSOFT-1BLK, aka Microsoft.  Is it possible that my firewall is blocking communication to MS's licensing servers?

• I'm trying to download internet security and an error of microsoft windows applications are not supported on OS x keeps coming up

  I'm trying to download internet security and an error of microsoft windows applications are not supported on OS x keeps coming up

  That's because you must be trying to download a Windows application, and they do not run on a Mac unless you are running Windows on the Mac.
  Helpful Links Regarding Malware Protection
  An excellent link to read is Tom Reed's Mac Malware Guide.
  For adware removal see The Safe Mac » Adware Removal Guide and The Safe Mac » Adware Removal Tool.
  Also, visit The XLab FAQs and read Detecting and avoiding malware and spyware.
  See these Apple articles:
    Mac OS X Snow Leopard and malware detection
    OS X Lion- Protect your Mac from malware
    OS X Mountain Lion- Protect your Mac from malware
    OS X Mavericks- Protect your Mac from malware
    About file quarantine in OS X
  If you require anti-virus protection Thomas Reed recommends using ClamXAV. (Thank you to Thomas Reed for this recommendation.)
  From user Joe Bailey comes this equally useful advice:
  The facts are:
  1. There is no anti-malware software that can detect 100% of the malware out there.
  2. There is no anti-malware that can detect anything targeting the Mac because there
       is no Mac malware in the wild, and therefore, no "signatures" to detect.
  3. The very best way to prevent the most attacks is for you as the user to be aware that
       the most successful malware attacks rely on very sophisticated social engineering
       techniques preying on human avarice, ****, and fear.
  4. Internet popups saying the FBI, NSA, Microsoft, your ISP has detected malware on
      your computer is intended to entice you to install their malware thinking it is a
      protection against malware.
  5. Some of the anti-malware products on the market are worse than the malware
      from which they purport to protect you.
  6. Be cautious where you go on the internet.
  7. Only download anything from sites you know are safe.
  8. Avoid links you receive in email, always be suspicious even if you get something
      you think is from a friend, but you were not expecting.
  9. If there is any question in your mind, then assume it is malware.

• Windows 7 Security Audit Failure message 6281 & Security Kernel

  OS:  Windows 7 Home Premium Ver 6.1 Build 7601 SP 1
  Toshiba Satellite C655
  I received a Windows 7 Security pop-up saying there was a Kernel mismatch and asked if I wanted to proceed.  Not thinking - i hit yes.  Looking through the Security Audit Log - I found an audit failure with 6281 System Integrity Error.  I
  am assuming they are related.
  Any idea what have I done and what do I need to check/do to recover?
  Thanks

  Hi,
  Please upload us the full error messages here, we need more information to narrow down the cause. Then check into
  Event Viewer, see if any other errors logged.
  Besides, check to see if there are any devices have new drivers need to update.
  Mostly this error is caused by the "Realtek Audio HD driver", please check to see if we have any related devices.
  Reference:
  Windows 7 freeze after shutdown
  Best regards
  Michael Shao
  TechNet Community Support

• When I run a diagnostic on my network connection, Itunes says that a secure connection was not found giving the following message.  Microsoft Windows Vista Home Premium Edition Service Pack 2 (Build 6002) Hewlett-Packard HP Pavilion dv6700 Notebook PC iTu

  Microsoft Windows Vista Home Premium Edition Service Pack 2 (Build 6002)
  Hewlett-Packard HP Pavilion dv6700 Notebook PC
  iTunes 10.2.1.1
  QuickTime 7.6.9
  FairPlay 1.11.16
  Apple Application Support 1.5
  iPod Updater Library 10.0d2
  VoiceOver Kit 1.4 (222093/222742)
  CD Driver 2.2.0.1
  CD Driver DLL 2.1.1.1
  Apple Mobile Device 3.4.0.25
  Apple Mobile Device Driver 1.55.0.0
  Bonjour 2.0.4.0 (214.3)
  Gracenote SDK 1.8.2.457
  Gracenote MusicID 1.8.2.89
  Gracenote Submit 1.8.2.123
  Gracenote DSP 1.8.2.34
  iTunes Serial Number 0025AAF8089EC380
  Current user is not an administrator.
  The current local date and time is 2011-05-15 21:05:05.
  iTunes is not running in safe mode.
  WebKit accelerated compositing is enabled.
  HDCP is not supported.
  Core Media is supported.
  Video Display Information
  Intel Corporation, Mobile Intel(R) 965 Express Chipset Family
  Intel Corporation, Mobile Intel(R) 965 Express Chipset Family
  **** External Plug-ins Information ****
  No external plug-ins installed.
  Genius ID: dc0c6f739bfede483c8983f10e41784f
  iPodService 10.2.1.1 is currently running.
  iTunesHelper 10.2.1.1 is currently running.
  Apple Mobile Device service 3.3.0.0 is currently running.
  **** Network Connectivity Tests ****
  Network Adapter Information
  Adapter Name:    {588EB1BD-8374-43B1-B687-C47C33764298}
  Description:    Intel(R) Wireless WiFi Link 4965AGN
  IP Address:    192.168.1.2
  Subnet Mask:    255.255.255.0
  Default Gateway:    192.168.1.1
  DHCP Enabled:    Yes
  DHCP Server:    192.168.1.1
  Lease Obtained:    Sun May 15 20:23:07 2011
  Lease Expires:    Mon May 16 20:23:07 2011
  DNS Servers:    192.168.1.1
  Adapter Name:    {1C11AE53-28A5-4AC7-BA9F-CD4109D7856C}
  Description:    Realtek RTL8101E Family PCI-E Fast Ethernet NIC (NDIS 6.0)
  IP Address:    0.0.0.0
  Subnet Mask:    0.0.0.0
  Default Gateway:    0.0.0.0
  DHCP Enabled:    Yes
  DHCP Server:   
  Lease Obtained:    Wed Dec 31 18:00:00 1969
  Lease Expires:    Wed Dec 31 18:00:00 1969
  DNS Servers:   
  Active Connection:    LAN Connection
  Connected:    Yes
  Online:        Yes
  Using Modem:    No
  Using LAN:    Yes
  Using Proxy:    No
  SSL 3.0 Support:    Enabled
  TLS 1.0 Support:    Enabled
  Firewall Information
  Windows Firewall is on.
  iTunes is NOT enabled in Windows Firewall.
  Connection attempt to Apple web site was unsuccessful.
  The network connection timed out.
  Basic connection to the store failed.
  The network connection timed out.
  Connection attempt to Gracenote server was successful.
  The network connection timed out.
  Last successful iTunes Store access was 2011-04-30 21:01:11.

  Windows Firewall is on.
  iTunes is NOT enabled in Windows Firewall.
  We'd better check on that, kris. If you enable iTunes in your Windows firewall, does that help with your connection? See the following document for instructions:
  How to enable iTunes in the Windows XP Firewall
  EDIT: Drat ... gave you the link to the wrong document. Try this one instead for your Vista:
  How to enable iTunes in the Windows Vista and Windows 7 Firewall
  Message was edited by: b noir

• Event ID 10016 - DCOM Error | Source - Microsoft-Windows-DistributedCOM | Level: Error

  Hi there... I am getting the above mentioned error with the
  Description: dows-DistributedCOM cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
  Full message is -
  Log Name:      System
  Source:        Microsoft-Windows-DistributedCOM
  Date:          5/15/2012 1:18:44 PM
  Event ID:      10016
  Task Category: None
  Level:         Error
  Keywords:      Classic
  User:          NT AUTHORITY\IUSR
  Computer:      Server.domain.com
  Description:
  The description for Event ID 10016 from source Microsoft-Windows-DistributedCOM cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on
  the local computer.
  If the event originated on another computer, the display information had to be saved with the event.
  The following information was included with the event:
  application-specific
  Local
  Activation
  {2D527A8C-A4B6-4E74-A63F-E867360D401C}
  {B13EFBAE-7504-4938-9ED7-8E8B53E51221}
  NT AUTHORITY
  IUSR
  S-1-5-17
  LocalHost (Using LRPC)
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Microsoft-Windows-DistributedCOM" Guid="{1B562E86-B7AA-4131-BADC-B6F3A001407E}" EventSourceName="DCOM" />
      <EventID Qualifiers="49152">10016</EventID>
      <Version>0</Version>
      <Level>2</Level>
      <Task>0</Task>
      <Opcode>0</Opcode>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2012-05-15T19:18:44.000000000Z" />
      <EventRecordID>43121</EventRecordID>
      <Correlation />
      <Execution ProcessID="0" ThreadID="0" />
      <Channel>System</Channel>
      <Computer>Server.Domain.com</Computer>
      <Security UserID="S-1-5-17" />
    </System>
    <EventData>
      <Data Name="param1">application-specific</Data>
      <Data Name="param2">Local</Data>
      <Data Name="param3">Activation</Data>
      <Data Name="param4">{2D527A8C-A4B6-4E74-A63F-E867360D401C}</Data>
      <Data Name="param5">{B13EFBAE-7504-4938-9ED7-8E8B53E51221}</Data>
      <Data Name="param6">NT AUTHORITY</Data>
      <Data Name="param7">IUSR</Data>
      <Data Name="param8">S-1-5-17</Data>
      <Data Name="param9">LocalHost (Using LRPC)</Data>
    </EventData>
  </Event>
  Please let me know any solutions to fix....
  Steps, I did try from one of the blogs -
  Open Component Services. Got oStart --> Control Panel --> Administrative Tools --> Components Services. Expand the Component Services branch then expand Computers, My Computer and DCOM Config. Right-click on "sms agent host" (my case) and click
  Properties. Click on the Security tab and under “Launch and Activation Permissions” select "edit" and add user Local Service (Local lunch). Click OK, close the Component Services window.
  In the Launch Permission dialog box, make sure that the Everyone group has Remote Launch and Remote Activation permissions.
  In the Launch Permission dialog box, make sure that the SMS Reporting Users local group has following permissions:
  Local Launch / Remote Launch / Local Activation / Remote Activation
  Also added Remote Launch / Remote Activation permission for Network Service (for the SMS_Reporting_Point)
  Added Admin Group to the "ConfigMgr Remote Control Users"
  VT

  In addition, In the security policy the ‘Local Service’ need to be configured for the following Policies
  - Generate security audits
  - Create global objects
  - Replace a process level token
  - Adjust memory quotas for a process
  - Impersonate a client after authentication
  - Log on as a service
  - Bypass traverse checking
  Hope this helps.
  Regards,
  Yan Li
  hi,
  i m having similiar error but with another APPID 
  i did what u said in 1st part but i couldnt get what u mean in additional settings ? i couldnt do that. 
  Error details :
  Log Name:      System
  Source:        Microsoft-Windows-DistributedCOM
  Date:          7/2/2013 4:03:20 PM
  Event ID:      10016
  Task Category: None
  Level:         Error
  Keywords:      Classic
  User:          LOCAL SERVICE
  Computer:      THINK
  Description:
  The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID 
  {7160A13D-73DA-4CEA-95B9-37356478588A}
   and APPID 
  {7160A13D-73DA-4CEA-95B9-37356478588A}
   to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Microsoft-Windows-DistributedCOM" Guid="{1B562E86-B7AA-4131-BADC-B6F3A001407E}" EventSourceName="DCOM" />
      <EventID Qualifiers="0">10016</EventID>
      <Version>0</Version>
      <Level>2</Level>
      <Task>0</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8080000000000000</Keywords>
      <TimeCreated SystemTime="2013-02-07T14:03:20.356793400Z" />
      <EventRecordID>1465</EventRecordID>
      <Correlation />
      <Execution ProcessID="868" ThreadID="2832" />
      <Channel>System</Channel>
      <Computer>THINK</Computer>
      <Security UserID="S-1-5-19" />
    </System>
    <EventData>
      <Data Name="param1">machine-default</Data>
      <Data Name="param2">Local</Data>
      <Data Name="param3">Activation</Data>
      <Data Name="param4">{7160A13D-73DA-4CEA-95B9-37356478588A}</Data>
      <Data Name="param5">{7160A13D-73DA-4CEA-95B9-37356478588A}</Data>
      <Data Name="param6">NT AUTHORITY</Data>
      <Data Name="param7">LOCAL SERVICE</Data>
      <Data Name="param8">S-1-5-19</Data>
      <Data Name="param9">LocalHost (Using LRPC)</Data>
      <Data Name="param10">Unavailable</Data>
      <Data Name="param11">Unavailable</Data>
    </EventData>
  </Event>

• "Use my Microsoft Windows user ID and password" is grayed out

  Hello Experts,
  I've disabled "SOX Auditing" option in Server Manager in BPC 5.1 SP03, but "Use my Microsoft Windows user ID and password" is still grayed out. The only option I unlocked is saving password.
  How do I enable Windows Authentication in BPC?
  Thanks in advance,
  Akim

  Enabling/Disabling SOX Compliance does not take effect until the 2nd time you go through the Connection Wizard.
  Your problem could also be within Internet Explorer.
  Go to:
  1.  Internet Explorer>Tools>Internet Options>Security Tab
  2.  Click on Local Intranet zone>Custom Level
  3.  Scroll down to User Authentication>Logon.  Ensure that Automatic Logon with Current UN and PW is checked.
  4.  Do the same for the Internet zone.
  Try on multiple machines.
  Also on the client machine, look at the value for BASICAUTHENTICATION in:
  hkeycurrentuser>software>vb and vba program settings>outlooksoft 5>latest

• Check Windows security

  _Microsoft Baseline Security Advisor_ : http://technet.microsoft.com/en-us/security/cc184923.aspx
  Used by many leading third party security vendors and security auditors, MBSA on average scans over 3 million computers each week. Join the thousands of users that depend on MBSA for analyzing their security state.
  _Sample as run from Mac Pro Vista U._
  Noteable items:
  1) Run turned off my Ctl-Alt-Del logon requirement as set in
  Run->control userpasswords2
  2) Requires Server Service to be active
  3) Needs Computer Name entry at *error point: Workgroup\*error
  *Security assessment: Potential Risk*
  Computer name:
  IP address:
  Security report name: WORKGROUP -
  Scan date: 2009-01-08 08:48
  Scanned with MBSA version: 2.1.2104.0
  Catalog synchronization date:
  Security update catalog: Microsoft Update
  Security Updates Scan Results
  Issue: SQL Server Security Updates
  Score: Check passed
  Result: No security updates are missing.
  Current Update Compliance
  | MS06-061 | Installed | MSXML 6.0 RTM Security Update (925673) | Critical |
  Issue: Silverlight Security Updates
  Score: Check passed
  Result: No security updates are missing.
  Current Update Compliance
  | 957938 | Installed | Update for Microsoft Silverlight (KB957938) | |
  | 957938 | Installed | Update for Microsoft Silverlight (KB957938) | |
  Issue: Windows Security Updates
  Score: Check passed
  Result: No security updates are missing.
  Current Update Compliance
  | MS08-071 | Installed | Security Update for Windows Vista Service Pack 2 (KB956802) | Critical |
  | MS08-075 | Installed | Security Update for Windows Vista Service Pack 2 (KB958624) | Critical |
  | MS08-073 | Installed | Security Update for Internet Explorer 7 in Windows Vista Service Pack 2 (KB958215) | Critical |
  Operating System Scan Results
  Administrative Vulnerabilities
  Issue: Local Account Password Test
  Score: Check passed
  Result: Some user accounts (2 of 3) have blank or simple passwords, or could not be analyzed.
  Detail:
  | User | Weak Password | Locked Out | Disabled |
  | Administrator | Weak | - | Disabled |
  | Guest | Weak | - | Disabled |
  | xx | - | - | - |
  Issue: File System
  Score: Check passed
  Result: All hard drives (1) are using the NTFS file system.
  Detail:
  | Drive Letter | File System |
  | C: | NTFS |
  Issue: Password Expiration
  Score: Check failed (non-critical)
  Result: All user accounts (3) have non-expiring passwords.
  Detail:
  | User |
  | Administrator |
  | Guest |
  | xx |
  Issue: Guest Account
  Score: Check passed
  Result: The Guest account is disabled on this computer.
  Issue: Autologon
  Score: Check passed
  Result: Autologon is not configured on this computer.
  Issue: Restrict Anonymous
  Score: Check passed
  Result: Computer is properly restricting anonymous access.
  Issue: Administrators
  Score: Check passed
  Result: No more than 2 Administrators were found on this computer.
  Detail:
  | User |
  | Administrator |
  | xx |
  Issue: Windows Firewall
  Score: Check passed
  Result: Windows Firewall is managed through Group Policy on this computer. Windows Firewall is enabled on all network connections.
  Detail:
  | Connection Name | Firewall | Exceptions |
  | All Connections | On | - |
  | Local Area Connection 2 | On | - |
  | aGetOff | On | - |
  Issue: Automatic Updates
  Score: Check passed
  Result: Updates are automatically downloaded and installed on this computer.
  Issue: Incomplete Updates
  Score: Best practice
  Result: No incomplete software update installations were found.
  Additional System Information
  Issue: Windows Version
  Score: Best practice
  Result: Computer is running Microsoft Windows Vista.
  Issue: Auditing
  Score: Best practice
  Result: Logon Success and Logon Failure auditing are both enabled.
  Issue: Shares
  Score: Best practice
  Result: 2 share(s) are present on your computer.
  Detail:
  | Share | Directory | Share ACL | Directory ACL |
  | ADMIN$ | C:\Windows | Admin Share | NT SERVICE\TrustedInstaller - F, NT AUTHORITY\SYSTEM - RWXD, BUILTIN\Administrators - RWXD, BUILTIN\Users - RX |
  | C$ | C:\ | Admin Share | NT AUTHORITY\SYSTEM - F, BUILTIN\Administrators - F, BUILTIN\Users - RX |
  Issue: Services
  Score: Best practice
  Result: No potentially unnecessary services were found.
  Internet Information Services (IIS) Scan Results
  IIS is not running on this computer.
  SQL Server Scan Results
  SQL Server and/or MSDE is not installed on this computer.
  Desktop Application Scan Results
  Administrative Vulnerabilities
  Issue: IE Zones
  Score: Check passed
  Result: Internet Explorer zones have secure settings for all users.
  Issue: Macro Security
  Score: Check not performed
  Result: No supported Microsoft Office products are installed.

  Hi,
  Did you use the same account with the App creator(the account which deployed the app)? You can use the app creator to check whether it works.
  Could the other accounts access the apps? You can use the other accounts to check whether it works.
  To quickly and accurately find the issue, you can check the event log and ULS log to see if anything unexpected occurred.
  For SharePoint 2013, by default, ULS log is at
  C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS
  Thanks & Regards,
  Jason
  Jason Guo
  TechNet Community Support

• SAS 70 Security Audit Compliance

  Hi
  I have to propose a network which is in compliance with SAS 70 Audit.
  The network is very simple. Internet Link will terminate on my ASA 5505 and from there the wires will go into my 1200 APs.The network consists only of Laptops.I will be using 802.1X authentication and would use encryption.
  Also in ASA a IPSec VPN connection to my US office will terminate. Now this network as said would undergo security audit.
  So my problem is that I am clueless. Is ACS server required for SAS 70?or will the current setup is OK. IF anyone has done this then please help.
  Thanks in advance
  Regards
  JD
  PS : This topic has also been posted in wireless forum.

  Hi,
  Since you are planning to create users using script, it will be a better practice to audit the actions, such as When the User Created, Group Membership changes etc.
  Checkout the below steps to enable auditing for AD User Changes,
  1. Open GPMC console, click Start --> Administrative Tools --> Group Policy Management.
  2. Right click the Default Domain Controllers Policy, and then click Edit.
  3. Navigate to Audit Policy node, “Computer Configuration/ Policies/ Windows Settings/ Security Settings/
  Local Policies/ Audit Policy”.
  4. Now enable the Success auditing for - Audit Account Management and Audit Directory Service Access.
  5. Execute the command “GPUPDATE /FORCE” in the Domain Controller to force apply the GPO settings.
  For Windows Server 2008 R2 and later versions, additional configuration is required in  “Advanced Audit
  Policy Configuration” section in Default Domain Controller Policy.
  1. Go to the node DS Access (Computer Configuration/Policies/Windows Settings/Security Settings/Advanced
  Audit Policy Configuration/Audit Policies/DS Access.) 
      Enable Success auditing for the following settings
       - Audit Directory Service Changes
  2. Go to the node Account Management (Computer Configuration/Policies/Windows Settings/Security Settings/Advanced
  Audit Policy Configuration/Audit Policies/Account Management.) 
      Enable Success auditing for the following settings
      - Audit User Account Management
  After completing the audit settings, configure SACL in Active Directory Users and Computers console for
  enabling the geneartion of AD Change events in the eventlog as shown below,
  Checkout the below KB article on complete list on Event
  ID and Description for AD Changes,
  http://support.microsoft.com/kb/947226/en-us
  You can also use
  third party auditing solution for generating compliance reports. 
  Regards,
  Gopi
  JiJi Technologies

• Windows Security Events - List of Symbolic Names

  I'm looking for a list of all Security Event IDs including the Symbolic Names.
  Microsoft provides a list of the Security Audit Event IDs for each Windows Version though this list lacks the Symbolic Names
  E.g. http://www.microsoft.com/en-us/download/details.aspx?id=21561
  The individual writeups include the Symbolic Names
  http://technet.microsoft.com/en-us/library/cc733293%28v=ws.10%29.aspx
  Any advisement is appreciated.

  Thanks for your reply mike.
  But "Enum Registry Keys" will return subkeys not the values, I think you will suggest to use "Enum Registry values simple" instead of that. But there is a input terminal named "value info" to specify number of values in that key.
  So my question is how can i get the "value info" info programmatically.
  Warm Regards
  Samuel J

• Microsoft-Windows-Folder Redirection Error 502. CSC database locked by another user

  Dear all,
  We are finalizing our Windows 7 migration where we migrated 500+ clients. In our enterprise concept we implemented RUP (Roaming User Profiles) and Redirected Folders for all
  users. The Redirected Folders have been by enabled by a single GPO which redirects all folders from
  AppData to
  Searches \\servername.domain.name\documents$\%username%.
  Problem:
  The RUP and Redirected folders solution works fine until a new user wants to logon. This new user has been migrated to RUP and Redirected on another system and
  he just wants to work on another workplace or gets a temporary pc. What happens is that redirected folders do not work. The user gets a message that the folder is not reachable and desktop is empty.
  Troubleshooting:
  Soon I found out that something was being locked. If we used a user account which had working Redirect Folders than this
  worked for that user. An event of 10 was logged in OfflineFiles area of EventViewer to reconnect the path which was configured in the GPO.
  This is example screenshot. It says "Error on Open Folder. \\server.domain.name\documents$\%username%\Desktop refers to a location that is unavailable. It could be on a hard disk
  on this computer, or a on a network. Check to make sure that the disk is properly inserted, or that you are connected to the Internet or your network, and then try again. If it still cannot be located, the information might have been moved to a different location."
  These symptoms happen randomly and not on all workstations. The pain here is when it happens on a portable computer. For desktop we disabled the "Disable Offline Files' in "Manage
  Offline Files" control panel and then reboot. After the reboot the folders are directed
  and it works without these errors... On portable computer we can't use this work around as they need to work offline.
  If I connect to the share without the FQDN like \\servername\documents$\%username%\Desktop than this works fine and user can access all folders. When I try the FQDN path which is
  configured in the GPO to redirect user to like \\servername.domain.name\documents$\%username%\Desktop than it fails with this message. I personally think because the C:\Windows\CSC database is locked by the previous user who has been logged on this system.
  An example of the event generated in the Applications Event viewer part (I removed some username and server path):
  Log Name:      Application
  Source:        Microsoft-Windows-Folder Redirection
  Date:          1-2-2011 17:40:11
  Event ID:      502
  Task Category: None
  Level:         Error
  Keywords:     
  User:          domain\ivan
  Computer:      computer.domain.name
  Description:
  Failed to apply policy and redirect folder "Videos" to "\\servername.domain.name\documents$\ivan\Documents\My Videos".
   Redirection options=0x1001.
   The following error occurred: "Can not create folder "\\\servername.domain.name\documents$\ivan\Documents\My Videos"".
   Error details: "Access is denied.
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Microsoft-Windows-Folder Redirection" Guid="{7D7B0C39-93F6-4100-BD96-4DDA859652C5}" />
      <EventID>502</EventID>
      <Version>0</Version>
      <Level>2</Level>
      <Task>0</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8000000000000000</Keywords>
      <TimeCreated SystemTime="2011-02-01T16:40:11.486983400Z" />
      <EventRecordID>2754</EventRecordID>
      <Correlation ActivityID="{3211E6FB-2801-456D-BE6E-66AAE150A4DC}" />
      <Execution ProcessID="968" ThreadID="5856" />
      <Channel>Application</Channel>
      <Computer>computer.domain.name</Computer>
      <Security UserID="S-1-5-21-3705223304-2632712944-1292073641-26755" />
    </System>
    <EventData Name="EVENT_FDEPLOY_FailedToApplyPolicy">
      <Data Name="FromFolder">Videos</Data>
      <Data Name="ToFolder">\\servername.domain.name\documents$\ivan\Documents\My Videos</Data>
      <Data Name="Options">0x1001</Data>
      <Data Name="Error">Can not create folder "\\servername.domain.name\documents$\ivan\Documents\My Videos"</Data>
      <Data Name="ErrorDetails">Access is denied.
  </Data>
    </EventData>
  </Event> 
  Something like this I see in the Application Eventviewer:
  Environment:
  Windows 7 Enterprise client with patches until 1-Nov-2010
  Windows Server 2008 R2 for the Documents$ share
  Windows Server 2003 R2 as the domain controller
  I have tried all different option even to rebuild the CSC database but this also was not helping. I hope we are not dealing with a bug.
  Any help is much appreciated.
  Best regards, Ivan Versluis http://www.networknet.nl

  Ivan and SteveDIG - Thanks for taking the time to post detailed information about what you have found.  I have found the same things over the past few months and have been working with Microsoft to resolve this.  Like Ivan, I have been told by
  MS that this is a design problem in Windows 7, but they did admit it is a bug and did not charge me for the case.  That was the good news.  The bad news was that the problem is so 'deep' in Windows 7 that it will not be fixed until Windows 8 and
  the CSC engineering team in Redmond has rejected several requests to fix this issue in Windows 7 from several customers.  I personally feel we should have hauled our TAM in over this, but that wasn't my call so we haven't attempted to get an attitude
  change from MS.
  <RANT> I find this completely outrageous.  Windows is supposed to be a multi-user operating system suitable for deployment to mobile workforces spread around the world and often using slow VPN links.  Offline folders, folder redirection,
  slow link detection, etc. are all great on paper and as I did the design work for the W7 solution I've just built I sold these advantages heavily.  I now have serious egg on my face and am not happy.  Like others here I missed this in testing as
  multiple users are a fringe for us, but still important, I unfortunately didn't think to specifically test for multiple users, though I tested the features thoroughly and was happy with the results when used on single user machines.</RANT>
  As identified above, this issue manifests when more than one user uses a machine and their Offline folders (all redirected folders are configured this way by default) are in an offline state when the first user logs off.  The second user cannot access
  this 'offline' share so folder redirection fails.  We get burnt as we have latency=0 configured for slow link detection with Offline folders so users always work offline.  This is partly because of WAN optimisers in the network that lie to Windows
  so the online/offline transition doesn't work on slow links (not MS's fault), and partly because it made sense for other reasons.
  The workaround Microsoft and I came up with for our environment was to use individual file shares for each user.  We had been using a common file share with each user folder under that file share.  Changing to an individual share for each users
  means the share is not locked by the previous user.
  Examples
  This would cause a problem if John then Emma logged on to the same machine. Folder redirection would fail for Emma:
  \\FileServer1\Users$\john
  \\FileServer1\Users$\emma
  So would this if DFS was used
  \\my.domain\users\john            (points to \\FileServer1\Users$\John)
  \\my.domain\users\emma          (points to \\FileServer1\Users$\Emma)
  This would fix the problem:
  \\FileServer1\John$
  \\FileServer1\Emma$
  Unfortunately we then figured we could move these shares behind DFS like so:
  \\my.domain\homes\john             (points to \\FileServer1\John$)
  \\my.domain\homes\emma          (points to \\FileServer1\emma$)
  This was wrong.  The problem returned.  I assume the share that is being locked is now the DFS root and not the user share.
  The operations team here is very reluctant to go with direct access to the file servers and not use DFS as that will create issues for them in the future when they need to make file server changes.  I sympathise with them but can't see an alternative
  at the moment as we are deploying W7 and can't stop.  If I'd picked this up earlier a third party product might have been the solution (MS actually suggested this when I opened my case).
  I hope the information about individual shares above is helpful to someone.  Otherwise I don't really have more to add but I needed the rant :-)
  <RANT>BTW.  Has anyone tested changing a user’s home directory path once it is cached?  Try it. Test a scenario where you move the user from one file server to another.  You will not enjoy the results.  I'll say no more
  than this as it is off topic, but it shows the lack of investment in the CSC feature in Windows.  Very disappointing</RANT>

• Windows Security Prompt in Internet Explorer 10 on Sharepoint Foundation 2013 site

  Hi,
  I have Sharepoint Foundation 2013 and when I access the site from Internet Explorer 10 I get prompted for windows security, after enter my domain credential I am able to log into the site.  When I access the site from Internet Explorer 9 I don't
  receive the windows security prompt.  Below you will find screenshot.  How can I prevent Internet Explorer 10 and later to not prompt for domain credential?
  Thanks

  Add *.domain.com to the Intranet Zone in IE.
  Trevor Seward
  Follow or contact me at...
  &nbsp&nbsp
  This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• For unknown reason, why would I be getting many new re-directs to Ads via FiuneDeaalSuoft which seem to come through Microsoft Windows webpages?

  A program from FiuneDeaalSuoft somehow appeared in my Firefox Add-0ns as of 2 days ago (08212014) according to Control Panel-Programs. I don't recognize it, but possibly I mistakenly clicked on an acceptance interface without realizing it. The ad re-directs which it caused were onerous and invasive. The re-directs first started appearing when I received a message advising me to update some other programs. I have a list of most of them. It seemed to start I went onto a Windows web page, for Windows Live Movie Maker,
  < http://windows.microsoft.com/en-us/windows-live/movie-maker-file-types-faq?wlexpid=FC1B09C67C184525852C59C15A0F465E >
  which had 3 block ads at the top from FiuneDeaalSuoft. The links for those three ads were:
  < Microsoft.iYogi.com > phone 855-558-2498,
  < Microsoft-Windows.iYogi.com > phone 855-558-2498, and
  < Microsoft-Support.pchelpdesk.co > with no phone showing in my screenshot of the ad but it is probably the same as given later herein, 855-677-5531.
  I removed the FiuneDeaalSuoft program from Add-ons, but I still seem to be getting some pop-ups and re-directs. Looking in Control Panel, I see that the program name is slightly different: FuineDealSOfti from FineDealSofT. This program was extremely aggressive and persistent. In Control Panel, I see other programs which I am also concerned about. IDT Audio from IDT has been on my computer a while, but I can't remember much about it. Pinger from Pinger, Inc. shows that it was installed in Dec. 2013 before I bought the computer. WidgetServ 1.0 from Softomate, LLC. is through Firefox. WinSpeed from 24soft installed in April 2014 is another program which I don't know much about. Can anyone offer further analysis and review or comment of any of these programs, please, with advice as to whether you have found them useful or problematic?
  The software from FiuneDeaalSuoft will be uninstalled from Control Panel since I am convinced that it is very invasive and a lot of trouble. An Install Manager from dwnllistsoft.com was part of the pathway. It wanted to re-direct to < http://uhi.inureknittingrectrix.com >, which had code sections referring to < plh.tractionize.com >; < WhiteLabelBidRequestHandlerServlet >; < www.srv2trking.com >; < LTSanitizer.aspx >; and < www.ascentive.com >.
  The original message seemed to be one which advised that "Video Update Recommended".
  Another had the Firefox logo and advised that "You are currently browsing the web with Firefox and your Video Player might be outdated". The webpage address was:
  < http://www.lpmxp2129.com /7655407A3F26415F243E342D4D472B54AE35515F1068A175E1CFD6181CD0B859E09383E5EAA7EDFE90932B3B86A7E9D8?tgu_src_lp_domain=
  www.dnwyoursoft.com&ClickID=426139843&PubID=1258 > (which could have a small editing error).
  A smaller front screen appeared as an overlay which said "Recommended" and then " You are currently browsing the web with Firefox and it is recommended that you update your video player to the fastest version available. Please update to continue."
  Some other urls which appeared were:
  < http://www.srv2trking.com/LTSanitizer.aspx?u=http%3a%2f%2fwww.ascentive.com%2frun%2fclick%2fSEC_CPA%2fgo%2fFFTV%3fc1%3d08_107761803_ed31ad73-fc16-40f5-9cad-cccc044ea1f4
  %26c2%3da-0-2464-2418-27346-0-223-0_177593 >;
  < https://interyield.jmp9.com/InterYield/optout.do >;
  < http://download1181bucket.com/go/windowsupdate?_alc=1&_cb=1&_ep=1&_sd=1&adprovider=advertisecom&source=advertisecom_driverupdater-us-dt-ron6&
  subid=66385-1017_1008_us&subid2=interyield+jmp9&servpixel=1408768365016_1408768324035_109_469_5987611_1 >
  which offered a Windows 8 update with a small front screen overlay message saying "WARNING! Please Install Update To Continue." while the main screen had a message that it was a "Windows 8 Update" with the admonition that "You are currently using - Windows 8 - which is now outdated... Please install the latest update to enhance your computer's security and performance." (part of the window screen capture was missing the full text, so I had to guess part of the message);
  (NOTE that the previous entry may have a disconnect between the url and actual screen, since i could not reproduce the result);
  < http://pmptrk.com/t/o/12/ > was another redirect;
  < http://updatingdriversnow.com/ujp1/?source=MG_EBT-RED&kw=ubid >
  another which offered a Java Update (13?) which had a front screen "Java Recommended" and "It is recommended to have Java in order to proceed.";
  checking on a contact link for the Video Update,
  < http://www.lpmxp2129.com/eQBQL8o9/videoupdater/contact.html >
  was the url;
  < http://pcupgradenow.com/su/en/4/a9551d18bc46aa01436d6fbb3caf46adc84f910f073379322921d15717c8caa4:1408769323/?a=anothervars&b=39500638&sid=ADV-sft-555&filename=Software_Update&uid=1408769323444_1408768975263_125_415_5966399_1 >
  appeared with a front screen overlay message saying "UPDATES RECOMMENDED! It is recommended that you install the software to ensure your browser is the latest version. Please update to continue.";
  the previous link had "Transferring data from static.getclicky.com" in the bottom left corner of the screen;
  another screen with url
  < http://pckeeperapp.zeobit.com/land/7.13/index.php?affid=mzb_196.8233409.1408767556.2.mzb&utm_source=ldmpcts&utm_medium=popunder&utm_campaign=pck_ldmpcts_15aug_ff&utm_term=&utm_content=&userDefiner=mzb_2380&installer=&trt=33_22526071&alert=301&tid_ext=antivirus >
  was very realistic (and for all I know is legitimate), showing a logo for PCKeeper, a front screen block titled "Important Message" with "Your PC Performance is Poor." and a "Fix Now" selector button;
  the main screen of the previous url had the overhead title of "How to Fix The Windows 8.1 error" which is somewhat peculiar since "The" is capitalized while "error" is not;
  also the previous screen had 1. a picture of an attractive smiling young man with a reference book titled "Microsoft Certified Technology Specialist", 2. several links for various PCKeeper options, and 3. at the bottom, block ads for AAA and alleged referrals from "The Wall Street Journal", "MAXIMUMPC", and "Business Wire" and 4. a warning that "You may be presented with an optional offer(s) during INSTALLATION" which was the link followed another link for "learn more";
  < http://pchelpdesk.co/cp/support-for-microsoft.php?affiliate=63783-86_777 >
  was a web page for pchelpdesk.co which gave a phone number of 855-677-5531 for "Instant Tech Support for Microsoft r-copyright Products by Expert Technician";
  < http://techieschoice.com/l2/support-for-microsoft.php >
  gave a phone number 855-677-9945 with another convincing webpage which even had several testimonials;
  < http://windows.microsoft.com/en-us/windows-live/movie-maker-file-types-faq?wlexpid=FC1B09C67C184525852C59C15A0F465E >
  was one of the original webpages from which this
  detour first began with a header of "What kind of files can I use in Movie Maker?";
  < http://aff2click.com/?a=939&c=8108&s1=14714782&s2=w.ascentive >
  which I do not have a screenshot for;
  < http://apps4u.pw/v14/?entry=&exit=&i=eyJ0IjoxNDA4NzcwOTQ1Mjk5MTU4MzA4LCJjIjoiNTM4ZWQzZGNiYjMyMTM2ZDE3YzI3ZWUwIiwidSI6IjA5MzQ4ZWM2
  IiwiZSI6MC4wMjEsIjEiOiJ2MTQtQ29udHJvbCJ9&url=gt.penga.info >
  had the header "Recommended Download!" followed by "You are currently browsing on Chrome 35" and "Please Install the RECOMMENDED SOFTWARE -< which was the link > to Confirm You are Using the Recommended Version." along with other embedded links, options and disclaimers;
  < http://landing.driverrestore.com/ldimp/02/en/?brand=Windows&subid=US|EN|windows*download >
  for which I have no screenshot;
  < http://lp.get-soft.com/mpc____________/?o=42&campid=14403&creaid=6104&reqid=571734621 >
  with no screenshot;
  < http://trk8.com/base.php?c=109&key=5555c230910ebedab5128d543147c7c6&keyword=.ascentive.co > with no screenshot; and
  < http://downloadjust4u.com/download/firefox3/ > with no screenshot.
  I may have missed a couple or so urls, especially the intermediate transition urls, since they tended to change very quickly. Any of my screenshots are freely available if they can offer any further value.
  Since you probably have too many emails and too few volunteers, I don't expect that anyone has time to send me a personal individual response, but a universal message or warning (if appropriate) to all users would be great. I am still uncertain if I am making this a bigger deal than it actually is.
  Thanks to everyone at Firefox. It has been my favorite browser for a few years now.
  James

  The ONLY support for Mozilla programs are web sites like this.
  The people who answer questions here, for the most part, are other Firefox users volunteering their time (like me), not Mozilla employees or Firefox developers.
  If you want to leave feedback for Firefox developers, you can go to the Firefox ''Help'' menu and select ''Submit Feedback...'' or use [https://input.mozilla.org/feedback this link]. Your feedback gets collected at http://input.mozilla.org/, where a team of people read it and gather data about the most common issues.