Microsoft-Windows-Security-Auditing
Hi,
I am having an issue isolating and identifying the repeated account audit failure on a SharePoint server.
Any help on this is appreciated.
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 4/4/2015 3:45:59 AM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: SPT01
Description:
An account failed to log on.
Subject:
Security ID: A\admin
Account Name: admin
Account Domain: A
Logon ID: 0x176462
Logon Type: 8
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: admin
Account Domain: a
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a
Process Information:
Caller Process ID: 0xed4
Caller Process Name: C:\Windows\System32\inetsrv\w3wp.exe
Network Information:
Workstation Name: SPT01
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Hi,
Based on the description of the failure, the account failed to log on to the server, and the failure reason was "Unknown user name or bad password".
The Sub Status is 0xc000006a, which means that the user name is correct but the password is wrong. I recommend that you check whether the password is right.
You can also check the machine's PHS-AERO health by using:
NLTEST /SC_VERIFY:domain-name
And if the result is SUCCESS, you can also try NLTEST /SC_RESET:domain-name several times to see what happens. The SC_RESET command forces the machine to select a new DC to authenticate against and you should see a random switching between your DCs.
There is a similar case:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/ae9da10a-b4d2-4eda-ae6d-ad61b7b6ab79/audit-failure-event-id-4625?forum=winserversecurity
The article below is about Event ID 4625, you can take a look.
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625
Best regards,
Sara Fan
TechNet Community Support
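The reading done by hand in this answer (Sub Status, Logon Type, caller process) can be applied to many exported 4625 events at once to find the combination that keeps repeating. The following is an added example, not code from the thread; the function names are hypothetical, and the sample text is constructed from field values in the two 4625 events quoted on this page.

```python
import re
from collections import Counter

# Section headings of a rendered 4625 description. "Account Name" occurs under
# both "Subject" and "Account For Which Logon Failed", so keys are kept per section.
SECTIONS = {
    "Subject", "Account For Which Logon Failed", "Failure Information",
    "Process Information", "Network Information",
    "Detailed Authentication Information",
}

LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext",  # clear-text credentials, e.g. IIS Basic authentication
    9: "NewCredentials", 10: "RemoteInteractive", 11: "CachedInteractive",
}

# NTSTATUS values commonly seen in the Status / Sub Status fields of 4625.
NTSTATUS = {
    0xC0000064: "user name does not exist",
    0xC000006A: "user name is correct but the password is wrong",
    0xC000006D: "bad user name or authentication information",
    0xC000006F: "logon outside authorized hours",
    0xC0000070: "logon from unauthorized workstation",
    0xC0000071: "password expired",
    0xC0000072: "account disabled",
    0xC0000193: "account expired",
    0xC0000234: "account locked out",
}


def parse_4625(text):
    """Parse one rendered description into {(section, key): value}."""
    fields, section = {}, ""
    for raw in text.splitlines():
        line = raw.strip().strip('"').strip()
        if line.rstrip(" :") in SECTIONS:       # "Subject:", "Subject :", "Subject"
            section = line.rstrip(" :")
            continue
        key, sep, value = line.partition(":")   # first colon only: paths keep theirs
        if sep:
            fields[(section, key.strip())] = value.strip()
    return fields


def field(fields, key, section=None):
    """Return the first value stored under key, optionally within one section."""
    for (sec, k), value in fields.items():
        if k == key and (section is None or sec == section):
            return value
    return ""


def triage(fields):
    """Reduce an event to (target account, caller, logon type, sub status meaning)."""
    target = "Account For Which Logon Failed"
    name = field(fields, "Account Name", target)
    domain = field(fields, "Account Domain", target)
    account = f"{domain}\\{name}".lower() if name else "(empty)"
    caller = field(fields, "Caller Process Name").rsplit("\\", 1)[-1].lower()
    logon_type = int(field(fields, "Logon Type") or 0)
    sub = int(field(fields, "Sub Status") or "0", 16)
    return (account, caller,
            LOGON_TYPES.get(logon_type, f"type {logon_type}"),
            NTSTATUS.get(sub, hex(sub)))


def summarize(log_text):
    """Count identical failure signatures, most frequent first."""
    events = re.split(r"An account failed to log on\.", log_text)[1:]
    return Counter(triage(parse_4625(e)) for e in events).most_common()


# Constructed sample: trimmed copies of the SharePoint and SBS events on this page.
SHAREPOINT_EVENT = r"""An account failed to log on.
Subject:
Security ID: A\admin
Account Name: admin
Account Domain: A
Logon Type: 8
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: admin
Account Domain: a
Failure Information:
Status: 0xc000006d
Sub Status: 0xc000006a
Process Information:
Caller Process Name: C:\Windows\System32\inetsrv\w3wp.exe
"""
SBS_EVENT = r"""An account failed to log on.
Subject:
Account Name: SBS$
Logon Type: 3
Account For Which Logon Failed:
Account Name:
Account Domain:
Failure Information:
Sub Status: 0xc0000064
Process Information:
Caller Process Name: C:\Windows\System32\lsass.exe
"""
SAMPLE = SHAREPOINT_EVENT * 2 + SBS_EVENT

if __name__ == "__main__":
    for signature, count in summarize(SAMPLE):
        print(count, signature)
```

A signature that dominates the count, such as one account failing through `w3wp.exe` with logon type 8, points at a stored credential used by a web application rather than at a person typing a password.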
Similar Messages
-
Last night, some of our systems installed updates released on 11/13/2014.
KB3021674
KB2901983
KB3023266
KB3014029
KB3022777
KB3020388
KB890830
Today, all of the servers running Windows Server 2008 R2 started logging the following error in the Security log over and over:
Log Name: Security
Source: Microsoft-Windows-Eventlog
Date: 1/15/2015 11:12:39 AM
Event ID: 1108
Task Category: Event processing
Level: Error
Keywords: Audit Success
User: N/A
Description:
The event logging service encountered an error while processing an incoming event published from Microsoft-Windows-Security-Auditing.
Servers running Windows Server 2008 that also installed the updates are not experiencing the problem. It looks like one of the updates may have introduced this problem with Server 2008 R2....
Did you for sure confirm that:
https://technet.microsoft.com/library/security/MS15-001
is the cause?
I did. I had a VM that was not experiencing the problem. I took a snapshot and tested the patches one by one. Installing only KB3023266 immediately caused the issue to occur (after reboot). A similar process was used to confirm that installing KB2675611 resolved the problem.
Note that I found the installation of KB2675611 is usually quick, but it took several hours to install on some of our systems. We had installed this patch a few months ago on a couple of servers and it was always quick to install. But, it seems like installing it on a symptomatic system can cause it to take a long time. -
Multiple security audit failures a second
A client's SBS 2011 machine is experiencing multiple audit failures a second and we believe it is diminishing the performance of the machine. We can't seem to find the source or how to remedy the issue. It is happening way too fast to be a human trying to log in.
Keywords Date and Time Source Event ID Task Category
Audit Success 6/18/2014 1:50:32 PM Microsoft-Windows-Security-Auditing 4905 Audit Policy Change "An attempt was made to unregister a security event source.
Subject
Security ID: SYSTEM
Account Name: SBS$
Account Domain: <ommited from forum post>
Logon ID: 0x3e7
Process:
Process ID: 0x10d4
Process Name: C:\Program Files\Windows Server\Bin\SharedServiceHost.exe
Event Source:
Source Name: ServiceModel 4.0.0.0
Event Source ID: 0x262070f0"
Audit Success 6/18/2014 1:50:32 PM Microsoft-Windows-Security-Auditing 4904 Audit Policy Change "An attempt was made to register a security event source.
Subject :
Security ID: SYSTEM
Account Name: SBS$
Account Domain: < ommited from forum post >
Logon ID: 0x3e7
Process:
Process ID: 0x10d4
Process Name: C:\Program Files\Windows Server\Bin\SharedServiceHost.exe
Event Source:
Source Name: ServiceModel 4.0.0.0
Event Source ID: 0x262070f0"
Audit Failure 6/18/2014 1:50:32 PM Microsoft-Windows-Security-Auditing 4625 Logon "An account failed to log on.
Subject:
Security ID: SYSTEM
Account Name: SBS$
Account Domain: <ommited from forum post>
Logon ID: 0x3e7
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name:
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064
Process Information:
Caller Process ID: 0x24c
Caller Process Name: C:\Windows\System32\lsass.exe
Network Information:
Workstation Name: SBS
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Schannel
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
Subject
Security ID: SYSTEM
Account Name: SBS$
Account Domain: <ommited from forum post>
Logon ID: 0x3e7
Process:
Process ID: 0x131c
Process Name: C:\Program Files\Windows Server\Bin\SharedServiceHost.exe
Event Source:
Source Name: ServiceModel 4.0.0.0
Event Source ID: 0x26206ef4"
Audit Success 6/18/2014 1:50:32 PM Microsoft-Windows-Security-Auditing 4904 Audit Policy Change "An attempt was made to register a security event source.
Subject :
Security ID: SYSTEM
Account Name: SBS$
Account Domain: <ommited from forum post>
Logon ID: 0x3e7
Process:
Process ID: 0x131c
Process Name: C:\Program Files\Windows Server\Bin\SharedServiceHost.exe
Event Source:
Source Name: ServiceModel 4.0.0.0
Event Source ID: 0x26206ef4"
Audit Failure 6/18/2014 1:50:32 PM Microsoft-Windows-Security-Auditing 4625 Logon "An account failed to log on.
Subject:
Security ID: SYSTEM
Account Name: SBS$
Account Domain: <ommited from forum post>
Logon ID: 0x3e7
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name:
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064
Process Information:
Caller Process ID: 0x24c
Caller Process Name: C:\Windows\System32\lsass.exe
Network Information:
Workstation Name: SBS
Source Network Address:
Source Port:
Detailed Authentication Information:
Logon Process: Schannel
Authentication Package: Kerberos
Transited Services:
Package Name (NTLM only):
Key Length: 0
Jerry T
Hi Jerry,
Windows logs logon type 3 in most cases when you access a computer from elsewhere on the network. This is usually related to shared folders, printers, IIS and so on.
Would you please let me confirm whether you had installed some third-party applications?
Meanwhile, please refer to Robert’s suggestion in the following similar thread and check if it can help you.
Audit Failure - Event 4625
If there is any update, please feel free to let me know.
Hope this helps.
Best regards,
Justin Gu -
Today I noticed this message in the event viewer:
Event ID: 16387
Severity: Error
Source: Microsoft-Windows-Security-SPP
Log: Application
Message: Failed to run task \Microsoft\Windows\WS\License Validation. Error Code: 0x80041326
Does this mean the free eval use version of Windows Server 2012 has expired?
OS: Windows Server 2012 RC Build 8400
Thanks
Hello Darrell:
Thank you for responding to my issue. Here is the output you requested:
Windows Script Host
Software licensing service version: 6.2.8400.0
Name: Windows(R), ServerDatacenter edition
Description: Windows(R) Operating System, RETAIL channel
Activation ID: c3dbac02-e65b-48bc-a61e-e14befbdd674
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 03612-01333-001-000805-00-1033-8400.0000-2382012
Installation ID: 090195464127466880553502868392878303995792363977152161148874086
Use License URL: https://activation.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
Validation URL: https://validation.sls.microsoft.com/SLWGA/slwga.asmx
Partial Product Key: 78KXV
License Status: Licensed
Evaluation End Date: 1/15/2013 3:59:59 PM
Remaining Windows rearm count: 1000
Trusted time: 9/15/2012 3:37:56 PM
OK
Your request for info got me thinking about another oddity I've been working on this week - My firewall (NetGear SRX5308) shows dropped incoming packets from ip 65.55.121.94 with source port 443 and destination port 55338. ARIN shows the ip belongs to MICROSOFT-1BLK, aka Microsoft. Is it possible that my firewall is blocking communication to MS's licensing servers? -
I'm trying to download internet security and an error of microsoft windows applications are not supported on OS x keeps coming up
That's because you must be trying to download a Windows application, and they do not run on a Mac unless you are running Windows on the Mac.
Helpful Links Regarding Malware Protection
An excellent link to read is Tom Reed's Mac Malware Guide.
For adware removal see The Safe Mac » Adware Removal Guide and The Safe Mac » Adware Removal Tool.
Also, visit The XLab FAQs and read Detecting and avoiding malware and spyware.
See these Apple articles:
Mac OS X Snow Leopard and malware detection
OS X Lion- Protect your Mac from malware
OS X Mountain Lion- Protect your Mac from malware
OS X Mavericks- Protect your Mac from malware
About file quarantine in OS X
If you require anti-virus protection Thomas Reed recommends using ClamXAV. (Thank you to Thomas Reed for this recommendation.)
From user Joe Bailey comes this equally useful advice:
The facts are:
1. There is no anti-malware software that can detect 100% of the malware out there.
2. There is no anti-malware that can detect anything targeting the Mac because there
is no Mac malware in the wild, and therefore, no "signatures" to detect.
3. The very best way to prevent the most attacks is for you as the user to be aware that
the most successful malware attacks rely on very sophisticated social engineering
techniques preying on human avarice, ****, and fear.
4. Internet popups saying the FBI, NSA, Microsoft, your ISP has detected malware on
your computer is intended to entice you to install their malware thinking it is a
protection against malware.
5. Some of the anti-malware products on the market are worse than the malware
from which they purport to protect you.
6. Be cautious where you go on the internet.
7. Only download anything from sites you know are safe.
8. Avoid links you receive in email, always be suspicious even if you get something
you think is from a friend, but you were not expecting.
9. If there is any question in your mind, then assume it is malware. -
Windows 7 Security Audit Failure message 6281 & Security Kernel
OS: Windows 7 Home Premium Ver 6.1 Build 7601 SP 1
Toshiba Satellite C655
I received a Windows 7 Security pop-up saying there was a Kernel mismatch and asked if I wanted to proceed. Not thinking - I hit yes. Looking through the Security Audit Log - I found an audit failure with 6281 System Integrity Error. I am assuming they are related.
Any idea what I have done and what I need to check/do to recover?
Thanks
Hi,
Please upload the full error messages here; we need more information to narrow down the cause. Then check Event Viewer to see if any other errors are logged.
Besides, check to see if any devices have new drivers that need to be updated.
Mostly this error is caused by the "Realtek Audio HD driver", please check to see if we have any related devices.
Reference:
Windows 7 freeze after shutdown
Best regards
Michael Shao
TechNet Community Support -
Microsoft Windows Vista Home Premium Edition Service Pack 2 (Build 6002)
Hewlett-Packard HP Pavilion dv6700 Notebook PC
iTunes 10.2.1.1
QuickTime 7.6.9
FairPlay 1.11.16
Apple Application Support 1.5
iPod Updater Library 10.0d2
VoiceOver Kit 1.4 (222093/222742)
CD Driver 2.2.0.1
CD Driver DLL 2.1.1.1
Apple Mobile Device 3.4.0.25
Apple Mobile Device Driver 1.55.0.0
Bonjour 2.0.4.0 (214.3)
Gracenote SDK 1.8.2.457
Gracenote MusicID 1.8.2.89
Gracenote Submit 1.8.2.123
Gracenote DSP 1.8.2.34
iTunes Serial Number 0025AAF8089EC380
Current user is not an administrator.
The current local date and time is 2011-05-15 21:05:05.
iTunes is not running in safe mode.
WebKit accelerated compositing is enabled.
HDCP is not supported.
Core Media is supported.
Video Display Information
Intel Corporation, Mobile Intel(R) 965 Express Chipset Family
Intel Corporation, Mobile Intel(R) 965 Express Chipset Family
**** External Plug-ins Information ****
No external plug-ins installed.
Genius ID: dc0c6f739bfede483c8983f10e41784f
iPodService 10.2.1.1 is currently running.
iTunesHelper 10.2.1.1 is currently running.
Apple Mobile Device service 3.3.0.0 is currently running.
**** Network Connectivity Tests ****
Network Adapter Information
Adapter Name: {588EB1BD-8374-43B1-B687-C47C33764298}
Description: Intel(R) Wireless WiFi Link 4965AGN
IP Address: 192.168.1.2
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.1.1
DHCP Enabled: Yes
DHCP Server: 192.168.1.1
Lease Obtained: Sun May 15 20:23:07 2011
Lease Expires: Mon May 16 20:23:07 2011
DNS Servers: 192.168.1.1
Adapter Name: {1C11AE53-28A5-4AC7-BA9F-CD4109D7856C}
Description: Realtek RTL8101E Family PCI-E Fast Ethernet NIC (NDIS 6.0)
IP Address: 0.0.0.0
Subnet Mask: 0.0.0.0
Default Gateway: 0.0.0.0
DHCP Enabled: Yes
DHCP Server:
Lease Obtained: Wed Dec 31 18:00:00 1969
Lease Expires: Wed Dec 31 18:00:00 1969
DNS Servers:
Active Connection: LAN Connection
Connected: Yes
Online: Yes
Using Modem: No
Using LAN: Yes
Using Proxy: No
SSL 3.0 Support: Enabled
TLS 1.0 Support: Enabled
Firewall Information
Windows Firewall is on.
iTunes is NOT enabled in Windows Firewall.
Connection attempt to Apple web site was unsuccessful.
The network connection timed out.
Basic connection to the store failed.
The network connection timed out.
Connection attempt to Gracenote server was successful.
The network connection timed out.
Last successful iTunes Store access was 2011-04-30 21:01:11.
Windows Firewall is on.
iTunes is NOT enabled in Windows Firewall.
We'd better check on that, kris. If you enable iTunes in your Windows firewall, does that help with your connection? See the following document for instructions:
How to enable iTunes in the Windows XP Firewall
EDIT: Drat ... gave you the link to the wrong document. Try this one instead for your Vista:
How to enable iTunes in the Windows Vista and Windows 7 Firewall
Message was edited by: b noir -
Hi there... I am getting the above mentioned error with the
Description: dows-DistributedCOM cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
Full message is -
Log Name: System
Source: Microsoft-Windows-DistributedCOM
Date: 5/15/2012 1:18:44 PM
Event ID: 10016
Task Category: None
Level: Error
Keywords: Classic
User: NT AUTHORITY\IUSR
Computer: Server.domain.com
Description:
The description for Event ID 10016 from source Microsoft-Windows-DistributedCOM cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on
the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
application-specific
Local
Activation
{2D527A8C-A4B6-4E74-A63F-E867360D401C}
{B13EFBAE-7504-4938-9ED7-8E8B53E51221}
NT AUTHORITY
IUSR
S-1-5-17
LocalHost (Using LRPC)
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-DistributedCOM" Guid="{1B562E86-B7AA-4131-BADC-B6F3A001407E}" EventSourceName="DCOM" />
<EventID Qualifiers="49152">10016</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2012-05-15T19:18:44.000000000Z" />
<EventRecordID>43121</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>System</Channel>
<Computer>Server.Domain.com</Computer>
<Security UserID="S-1-5-17" />
</System>
<EventData>
<Data Name="param1">application-specific</Data>
<Data Name="param2">Local</Data>
<Data Name="param3">Activation</Data>
<Data Name="param4">{2D527A8C-A4B6-4E74-A63F-E867360D401C}</Data>
<Data Name="param5">{B13EFBAE-7504-4938-9ED7-8E8B53E51221}</Data>
<Data Name="param6">NT AUTHORITY</Data>
<Data Name="param7">IUSR</Data>
<Data Name="param8">S-1-5-17</Data>
<Data Name="param9">LocalHost (Using LRPC)</Data>
</EventData>
</Event>
Please let me know any solutions to fix....
Steps, I did try from one of the blogs -
Open Component Services. Go to Start --> Control Panel --> Administrative Tools --> Component Services. Expand the Component Services branch, then expand Computers, My Computer and DCOM Config. Right-click on "sms agent host" (my case) and click Properties. Click on the Security tab and under “Launch and Activation Permissions” select "edit" and add user Local Service (Local Launch). Click OK, close the Component Services window.
In the Launch Permission dialog box, make sure that the Everyone group has Remote Launch and Remote Activation permissions.
In the Launch Permission dialog box, make sure that the SMS Reporting Users local group has following permissions:
Local Launch / Remote Launch / Local Activation / Remote Activation
Also added Remote Launch / Remote Activation permission for Network Service (for the SMS_Reporting_Point)
Added Admin Group to the "ConfigMgr Remote Control Users"
VT
In addition, in the security policy, ‘Local Service’ needs to be configured for the following policies:
- Generate security audits
- Create global objects
- Replace a process level token
- Adjust memory quotas for a process
- Impersonate a client after authentication
- Log on as a service
- Bypass traverse checking
Hope this helps.
Regards,
Yan Li
Hi,
I'm having a similar error but with another APPID.
I did what you said in the 1st part, but I couldn't get what you mean in the additional settings? I couldn't do that.
Error details :
Log Name: System
Source: Microsoft-Windows-DistributedCOM
Date: 7/2/2013 4:03:20 PM
Event ID: 10016
Task Category: None
Level: Error
Keywords: Classic
User: LOCAL SERVICE
Computer: THINK
Description:
The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{7160A13D-73DA-4CEA-95B9-37356478588A}
and APPID
{7160A13D-73DA-4CEA-95B9-37356478588A}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-DistributedCOM" Guid="{1B562E86-B7AA-4131-BADC-B6F3A001407E}" EventSourceName="DCOM" />
<EventID Qualifiers="0">10016</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2013-02-07T14:03:20.356793400Z" />
<EventRecordID>1465</EventRecordID>
<Correlation />
<Execution ProcessID="868" ThreadID="2832" />
<Channel>System</Channel>
<Computer>THINK</Computer>
<Security UserID="S-1-5-19" />
</System>
<EventData>
<Data Name="param1">machine-default</Data>
<Data Name="param2">Local</Data>
<Data Name="param3">Activation</Data>
<Data Name="param4">{7160A13D-73DA-4CEA-95B9-37356478588A}</Data>
<Data Name="param5">{7160A13D-73DA-4CEA-95B9-37356478588A}</Data>
<Data Name="param6">NT AUTHORITY</Data>
<Data Name="param7">LOCAL SERVICE</Data>
<Data Name="param8">S-1-5-19</Data>
<Data Name="param9">LocalHost (Using LRPC)</Data>
<Data Name="param10">Unavailable</Data>
<Data Name="param11">Unavailable</Data>
</EventData>
</Event> -
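When Event Viewer cannot render the description, as in the first post of this thread, the `param1` to `param9` values in the Event XML still carry every detail of the denied activation. This added example (not code from the thread) maps them using the sentence template visible in the second post's description, on the assumption that both events share that template; the function names are hypothetical and the sample XML is trimmed from the first event above.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Meaning of each positional parameter, read off the rendered description
# in the second post ("The machine-default permission settings do not grant ...").
PARAMS = {
    "param1": "scope", "param2": "locality", "param3": "right",
    "param4": "clsid", "param5": "appid", "param6": "domain",
    "param7": "user", "param8": "sid", "param9": "address",
    "param10": "container", "param11": "container_sid",
}
REQUIRED = [PARAMS[f"param{i}"] for i in range(1, 10)]


def dcom_10016_fields(event_xml):
    """Extract the named fields of a DistributedCOM 10016 event from its XML."""
    root = ET.fromstring(event_xml.strip())
    event_id = root.findtext("e:System/e:EventID", default="", namespaces=NS)
    if event_id.strip() != "10016":
        raise ValueError(f"not a 10016 event: {event_id!r}")
    fields = {}
    for data in root.iterfind("e:EventData/e:Data", NS):
        name = PARAMS.get(data.get("Name"))
        if name:
            fields[name] = (data.text or "").strip()
    missing = [name for name in REQUIRED if name not in fields]
    if missing:
        raise ValueError(f"event data incomplete, missing: {missing}")
    # Registry key under which the APPID's friendly name can be looked up.
    fields["appid_key"] = "HKEY_CLASSES_ROOT\\AppID\\" + fields["appid"]
    return fields


def describe(f):
    """Rebuild the human-readable description from the extracted fields."""
    text = (
        f"The {f['scope']} permission settings do not grant "
        f"{f['locality']} {f['right']} permission for the COM Server "
        f"application with CLSID {f['clsid']} and APPID {f['appid']} "
        f"to the user {f['domain']}\\{f['user']} SID ({f['sid']}) "
        f"from address {f['address']}"
    )
    if "container" in f:  # param10/param11 are absent from the older event
        text += (f" running in the application container {f['container']} "
                 f"SID ({f.get('container_sid', '')})")
    return text + "."


# Sample input: the first event in this thread, trimmed to the elements used here.
SAMPLE_XML = """
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-DistributedCOM" EventSourceName="DCOM" />
<EventID Qualifiers="49152">10016</EventID>
<Channel>System</Channel>
</System>
<EventData>
<Data Name="param1">application-specific</Data>
<Data Name="param2">Local</Data>
<Data Name="param3">Activation</Data>
<Data Name="param4">{2D527A8C-A4B6-4E74-A63F-E867360D401C}</Data>
<Data Name="param5">{B13EFBAE-7504-4938-9ED7-8E8B53E51221}</Data>
<Data Name="param6">NT AUTHORITY</Data>
<Data Name="param7">IUSR</Data>
<Data Name="param8">S-1-5-17</Data>
<Data Name="param9">LocalHost (Using LRPC)</Data>
</EventData>
</Event>
"""

if __name__ == "__main__":
    parsed = dcom_10016_fields(SAMPLE_XML)
    print(describe(parsed))
    print("Look up:", parsed["appid_key"])
```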
"Use my Microsoft Windows user ID and password" is grayed out
Hello Experts,
I've disabled "SOX Auditing" option in Server Manager in BPC 5.1 SP03, but "Use my Microsoft Windows user ID and password" is still grayed out. The only option I unlocked is saving password.
How do I enable Windows Authentication in BPC?
Thanks in advance,
Akim
Enabling/Disabling SOX Compliance does not take effect until the 2nd time you go through the Connection Wizard.
Your problem could also be within Internet Explorer.
Go to:
1. Internet Explorer>Tools>Internet Options>Security Tab
2. Click on Local Intranet zone>Custom Level
3. Scroll down to User Authentication>Logon. Ensure that Automatic Logon with Current UN and PW is checked.
4. Do the same for the Internet zone.
Try on multiple machines.
Also on the client machine, look at the value for BASICAUTHENTICATION in:
hkeycurrentuser>software>vb and vba program settings>outlooksoft 5>latest -
_Microsoft Baseline Security Advisor_ : http://technet.microsoft.com/en-us/security/cc184923.aspx
Used by many leading third party security vendors and security auditors, MBSA on average scans over 3 million computers each week. Join the thousands of users that depend on MBSA for analyzing their security state.
_Sample as run from Mac Pro Vista U._
Notable items:
1) Run turned off my Ctl-Alt-Del logon requirement as set in
Run->control userpasswords2
2) Requires Server Service to be active
3) Needs Computer Name entry at *error point: Workgroup\*error
*Security assessment: Potential Risk*
Computer name:
IP address:
Security report name: WORKGROUP -
Scan date: 2009-01-08 08:48
Scanned with MBSA version: 2.1.2104.0
Catalog synchronization date:
Security update catalog: Microsoft Update
Security Updates Scan Results
Issue: SQL Server Security Updates
Score: Check passed
Result: No security updates are missing.
Current Update Compliance
| MS06-061 | Installed | MSXML 6.0 RTM Security Update (925673) | Critical |
Issue: Silverlight Security Updates
Score: Check passed
Result: No security updates are missing.
Current Update Compliance
| 957938 | Installed | Update for Microsoft Silverlight (KB957938) | |
| 957938 | Installed | Update for Microsoft Silverlight (KB957938) | |
Issue: Windows Security Updates
Score: Check passed
Result: No security updates are missing.
Current Update Compliance
| MS08-071 | Installed | Security Update for Windows Vista Service Pack 2 (KB956802) | Critical |
| MS08-075 | Installed | Security Update for Windows Vista Service Pack 2 (KB958624) | Critical |
| MS08-073 | Installed | Security Update for Internet Explorer 7 in Windows Vista Service Pack 2 (KB958215) | Critical |
Operating System Scan Results
Administrative Vulnerabilities
Issue: Local Account Password Test
Score: Check passed
Result: Some user accounts (2 of 3) have blank or simple passwords, or could not be analyzed.
Detail:
| User | Weak Password | Locked Out | Disabled |
| Administrator | Weak | - | Disabled |
| Guest | Weak | - | Disabled |
| xx | - | - | - |
Issue: File System
Score: Check passed
Result: All hard drives (1) are using the NTFS file system.
Detail:
| Drive Letter | File System |
| C: | NTFS |
Issue: Password Expiration
Score: Check failed (non-critical)
Result: All user accounts (3) have non-expiring passwords.
Detail:
| User |
| Administrator |
| Guest |
| xx |
Issue: Guest Account
Score: Check passed
Result: The Guest account is disabled on this computer.
Issue: Autologon
Score: Check passed
Result: Autologon is not configured on this computer.
Issue: Restrict Anonymous
Score: Check passed
Result: Computer is properly restricting anonymous access.
Issue: Administrators
Score: Check passed
Result: No more than 2 Administrators were found on this computer.
Detail:
| User |
| Administrator |
| xx |
Issue: Windows Firewall
Score: Check passed
Result: Windows Firewall is managed through Group Policy on this computer. Windows Firewall is enabled on all network connections.
Detail:
| Connection Name | Firewall | Exceptions |
| All Connections | On | - |
| Local Area Connection 2 | On | - |
| aGetOff | On | - |
Issue: Automatic Updates
Score: Check passed
Result: Updates are automatically downloaded and installed on this computer.
Issue: Incomplete Updates
Score: Best practice
Result: No incomplete software update installations were found.
Additional System Information
Issue: Windows Version
Score: Best practice
Result: Computer is running Microsoft Windows Vista.
Issue: Auditing
Score: Best practice
Result: Logon Success and Logon Failure auditing are both enabled.
Issue: Shares
Score: Best practice
Result: 2 share(s) are present on your computer.
Detail:
| Share | Directory | Share ACL | Directory ACL |
| ADMIN$ | C:\Windows | Admin Share | NT SERVICE\TrustedInstaller - F, NT AUTHORITY\SYSTEM - RWXD, BUILTIN\Administrators - RWXD, BUILTIN\Users - RX |
| C$ | C:\ | Admin Share | NT AUTHORITY\SYSTEM - F, BUILTIN\Administrators - F, BUILTIN\Users - RX |
Issue: Services
Score: Best practice
Result: No potentially unnecessary services were found.
Internet Information Services (IIS) Scan Results
IIS is not running on this computer.
SQL Server Scan Results
SQL Server and/or MSDE is not installed on this computer.
Desktop Application Scan Results
Administrative Vulnerabilities
Issue: IE Zones
Score: Check passed
Result: Internet Explorer zones have secure settings for all users.
Issue: Macro Security
Score: Check not performed
Result: No supported Microsoft Office products are installed.
Hi,
Did you use the same account with the App creator(the account which deployed the app)? You can use the app creator to check whether it works.
Could the other accounts access the apps? You can use the other accounts to check whether it works.
To quickly and accurately find the issue, you can check the event log and ULS log to see if anything unexpected occurred.
For SharePoint 2013, by default, ULS log is at
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS
Thanks & Regards,
Jason
Jason Guo
TechNet Community Support -
SAS 70 Security Audit Compliance
Hi
I have to propose a network which is in compliance with SAS 70 Audit.
The network is very simple. Internet Link will terminate on my ASA 5505 and from there the wires will go into my 1200 APs. The network consists only of Laptops. I will be using 802.1X authentication and would use encryption.
Also in ASA an IPSec VPN connection to my US office will terminate. Now this network as said would undergo security audit.
So my problem is that I am clueless. Is ACS server required for SAS 70? Or will the current setup be OK? If anyone has done this then please help.
Thanks in advance
Regards
JD
PS : This topic has also been posted in wireless forum.
Hi,
Since you are planning to create users using script, it will be a better practice to audit the actions, such as When the User Created, Group Membership changes etc.
Checkout the below steps to enable auditing for AD User Changes,
1. Open GPMC console, click Start --> Administrative Tools --> Group Policy Management.
2. Right click the Default Domain Controllers Policy, and then click Edit.
3. Navigate to Audit Policy node, “Computer Configuration/ Policies/ Windows Settings/ Security Settings/ Local Policies/ Audit Policy”.
4. Now enable the Success auditing for - Audit Account Management and Audit Directory Service Access.
5. Execute the command “GPUPDATE /FORCE” in the Domain Controller to force apply the GPO settings.
For Windows Server 2008 R2 and later versions, additional configuration is required in “Advanced Audit Policy Configuration” section in Default Domain Controller Policy.
1. Go to the node DS Access (Computer Configuration/Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Audit Policies/DS Access.)
Enable Success auditing for the following settings
- Audit Directory Service Changes
2. Go to the node Account Management (Computer Configuration/Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Audit Policies/Account Management.)
Enable Success auditing for the following settings
- Audit User Account Management
After completing the audit settings, configure SACL in Active Directory Users and Computers console for enabling the generation of AD Change events in the eventlog as shown below,
Checkout the below KB article on complete list on Event ID and Description for AD Changes,
http://support.microsoft.com/kb/947226/en-us
You can also use third party auditing solution for generating compliance reports.
Regards,
Gopi
JiJi Technologies -
Windows Security Events - List of Symbolic Names
I'm looking for a list of all Security Event IDs including the Symbolic Names.
Microsoft provides a list of the Security Audit Event IDs for each Windows Version though this list lacks the Symbolic Names
E.g. http://www.microsoft.com/en-us/download/details.aspx?id=21561
The individual writeups include the Symbolic Names
http://technet.microsoft.com/en-us/library/cc733293%28v=ws.10%29.aspx
Any advisement is appreciated.
Thanks for your reply mike.
But "Enum Registry Keys" will return subkeys not the values, I think you will suggest to use "Enum Registry values simple" instead of that. But there is a input terminal named "value info" to specify number of values in that key.
So my question is how can i get the "value info" info programmatically.
Warm Regards
Samuel J -
Microsoft-Windows-Folder Redirection Error 502. CSC database locked by another user
Dear all,
We are finalizing our Windows 7 migration where we migrated 500+ clients. In our enterprise concept we implemented RUP (Roaming User Profiles) and Redirected Folders for all users. The Redirected Folders have been enabled by a single GPO which redirects all folders from AppData to Searches \\servername.domain.name\documents$\%username%.
Problem:
The RUP and Redirected folders solution works fine until a new user wants to logon. This new user has been migrated to RUP and Redirected on another system and he just wants to work on another workplace or gets a temporary pc. What happens is that redirected folders do not work. The user gets a message that the folder is not reachable and desktop is empty.
Troubleshooting:
Soon I found out that something was being locked. If we used a user account which had working Redirect Folders than this
worked for that user. An event of 10 was logged in OfflineFiles area of EventViewer to reconnect the path which was configured in the GPO.
This is example screenshot. It says "Error on Open Folder. \\server.domain.name\documents$\%username%\Desktop refers to a location that is unavailable. It could be on a hard disk
on this computer, or a on a network. Check to make sure that the disk is properly inserted, or that you are connected to the Internet or your network, and then try again. If it still cannot be located, the information might have been moved to a different location."
These symptoms happen randomly and not on all workstations. The pain here is when it happens on a portable computer. For desktop we disabled the "Disable Offline Files' in "Manage
Offline Files" control panel and then reboot. After the reboot the folders are directed
and it works without these errors... On portable computer we can't use this work around as they need to work offline.
If I connect to the share without the FQDN like \\servername\documents$\%username%\Desktop then this works fine and user can access all folders. When I try the FQDN path which is configured in the GPO to redirect user to like \\servername.domain.name\documents$\%username%\Desktop then it fails with this message. I personally think because the C:\Windows\CSC database is locked by the previous user who has been logged on this system.
An example of the event generated in the Applications Event viewer part (I removed some username and server path):
Log Name: Application
Source: Microsoft-Windows-Folder Redirection
Date: 1-2-2011 17:40:11
Event ID: 502
Task Category: None
Level: Error
Keywords:
User: domain\ivan
Computer: computer.domain.name
Description:
Failed to apply policy and redirect folder "Videos" to "\\servername.domain.name\documents$\ivan\Documents\My Videos".
Redirection options=0x1001.
The following error occurred: "Can not create folder "\\\servername.domain.name\documents$\ivan\Documents\My Videos"".
Error details: "Access is denied.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Folder Redirection" Guid="{7D7B0C39-93F6-4100-BD96-4DDA859652C5}" />
<EventID>502</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2011-02-01T16:40:11.486983400Z" />
<EventRecordID>2754</EventRecordID>
<Correlation ActivityID="{3211E6FB-2801-456D-BE6E-66AAE150A4DC}" />
<Execution ProcessID="968" ThreadID="5856" />
<Channel>Application</Channel>
<Computer>computer.domain.name</Computer>
<Security UserID="S-1-5-21-3705223304-2632712944-1292073641-26755" />
</System>
<EventData Name="EVENT_FDEPLOY_FailedToApplyPolicy">
<Data Name="FromFolder">Videos</Data>
<Data Name="ToFolder">\\servername.domain.name\documents$\ivan\Documents\My Videos</Data>
<Data Name="Options">0x1001</Data>
<Data Name="Error">Can not create folder "\\servername.domain.name\documents$\ivan\Documents\My Videos"</Data>
<Data Name="ErrorDetails">Access is denied.
</Data>
</EventData>
</Event>
Something like this I see in the Application Eventviewer:
Environment:
Windows 7 Enterprise client with patches until 1-Nov-2010
Windows Server 2008 R2 for the Documents$ share
Windows Server 2003 R2 as the domain controller
I have tried all the different options, even rebuilding the CSC database, but this also was not helping. I hope we are not dealing with a bug.
Any help is much appreciated.
Best regards, Ivan Versluis http://www.networknet.nl
Ivan and SteveDIG - Thanks for taking the time to post detailed information about what you have found. I have found the same things over the past few months and have been working with Microsoft to resolve this. Like Ivan, I have been told by
MS that this is a design problem in Windows 7, but they did admit it is a bug and did not charge me for the case. That was the good news. The bad news was that the problem is so 'deep' in Windows 7 that it will not be fixed until Windows 8 and
the CSC engineering team in Redmond has rejected several requests to fix this issue in Windows 7 from several customers. I personally feel we should have hauled our TAM in over this, but that wasn't my call so we haven't attempted to get an attitude
change from MS.
<RANT> I find this completely outrageous. Windows is supposed to be a multi-user operating system suitable for deployment to mobile workforces spread around the world and often using slow VPN links. Offline folders, folder redirection,
slow link detection, etc. are all great on paper and as I did the design work for the W7 solution I've just built I sold these advantages heavily. I now have serious egg on my face and am not happy. Like others here I missed this in testing as
multiple users are a fringe for us, but still important, I unfortunately didn't think to specifically test for multiple users, though I tested the features thoroughly and was happy with the results when used on single user machines.</RANT>
As identified above, this issue manifests when more than one user uses a machine and their Offline folders (all redirected folders are configured this way by default) are in an offline state when the first user logs off. The second user cannot access
this 'offline' share so folder redirection fails. We get burnt as we have latency=0 configured for slow link detection with Offline folders so users always work offline. This is partly because of WAN optimisers in the network that lie to Windows
so the online/offline transition doesn't work on slow links (not MS's fault), and partly because it made sense for other reasons.
The workaround Microsoft and I came up with for our environment was to use individual file shares for each user. We had been using a common file share with each user folder under that file share. Changing to an individual share for each user means the share is not locked by the previous user.
Examples
This would cause a problem if John then Emma logged on to the same machine. Folder redirection would fail for Emma:
\\FileServer1\Users$\john
\\FileServer1\Users$\emma
So would this if DFS was used
\\my.domain\users\john (points to \\FileServer1\Users$\John)
\\my.domain\users\emma (points to \\FileServer1\Users$\Emma)
This would fix the problem:
\\FileServer1\John$
\\FileServer1\Emma$
Unfortunately we then figured we could move these shares behind DFS like so:
\\my.domain\homes\john (points to \\FileServer1\John$)
\\my.domain\homes\emma (points to \\FileServer1\emma$)
This was wrong. The problem returned. I assume the share that is being locked is now the DFS root and not the user share.
The operations team here is very reluctant to go with direct access to the file servers and not use DFS as that will create issues for them in the future when they need to make file server changes. I sympathise with them but can't see an alternative
at the moment as we are deploying W7 and can't stop. If I'd picked this up earlier a third party product might have been the solution (MS actually suggested this when I opened my case).
I hope the information about individual shares above is helpful to someone. Otherwise I don't really have more to add but I needed the rant :-)
<RANT>BTW. Has anyone tested changing a user’s home directory path once it is cached? Try it. Test a scenario where you move the user from one file server to another. You will not enjoy the results. I'll say no more
than this as it is off topic, but it shows the lack of investment in the CSC feature in Windows. Very disappointing</RANT> -
Windows Security Prompt in Internet Explorer 10 on Sharepoint Foundation 2013 site
Hi,
I have Sharepoint Foundation 2013 and when I access the site from Internet Explorer 10 I get prompted for windows security; after entering my domain credentials I am able to log into the site. When I access the site from Internet Explorer 9 I don't receive the windows security prompt. Below you will find screenshot. How can I prevent Internet Explorer 10 and later from prompting for domain credentials?
Thanks
Add *.domain.com to the Intranet Zone in IE.
Trevor Seward
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs. -
A program from FiuneDeaalSuoft somehow appeared in my Firefox Add-ons as of 2 days ago (08212014) according to Control Panel-Programs. I don't recognize it, but possibly I mistakenly clicked on an acceptance interface without realizing it. The ad re-directs which it caused were onerous and invasive. The re-directs first started appearing when I received a message advising me to update some other programs. I have a list of most of them. It seemed to start when I went onto a Windows web page, for Windows Live Movie Maker,
< http://windows.microsoft.com/en-us/windows-live/movie-maker-file-types-faq?wlexpid=FC1B09C67C184525852C59C15A0F465E >
which had 3 block ads at the top from FiuneDeaalSuoft. The links for those three ads were:
< Microsoft.iYogi.com > phone 855-558-2498,
< Microsoft-Windows.iYogi.com > phone 855-558-2498, and
< Microsoft-Support.pchelpdesk.co > with no phone showing in my screenshot of the ad but it is probably the same as given later herein, 855-677-5531.
I removed the FiuneDeaalSuoft program from Add-ons, but I still seem to be getting some pop-ups and re-directs. Looking in Control Panel, I see that the program name is slightly different: FuineDealSOfti from FineDealSofT. This program was extremely aggressive and persistent. In Control Panel, I see other programs which I am also concerned about. IDT Audio from IDT has been on my computer a while, but I can't remember much about it. Pinger from Pinger, Inc. shows that it was installed in Dec. 2013 before I bought the computer. WidgetServ 1.0 from Softomate, LLC. is through Firefox. WinSpeed from 24soft installed in April 2014 is another program which I don't know much about. Can anyone offer further analysis and review or comment of any of these programs, please, with advice as to whether you have found them useful or problematic?
The software from FiuneDeaalSuoft will be uninstalled from Control Panel since I am convinced that it is very invasive and a lot of trouble. An Install Manager from dwnllistsoft.com was part of the pathway. It wanted to re-direct to < http://uhi.inureknittingrectrix.com >, which had code sections referring to < plh.tractionize.com >; < WhiteLabelBidRequestHandlerServlet >; < www.srv2trking.com >; < LTSanitizer.aspx >; and < www.ascentive.com >.
The original message seemed to be one which advised that "Video Update Recommended".
Another had the Firefox logo and advised that "You are currently browsing the web with Firefox and your Video Player might be outdated". The webpage address was:
< http://www.lpmxp2129.com /7655407A3F26415F243E342D4D472B54AE35515F1068A175E1CFD6181CD0B859E09383E5EAA7EDFE90932B3B86A7E9D8?tgu_src_lp_domain=
www.dnwyoursoft.com&ClickID=426139843&PubID=1258 > (which could have a small editing error).
A smaller front screen appeared as an overlay which said "Recommended" and then " You are currently browsing the web with Firefox and it is recommended that you update your video player to the fastest version available. Please update to continue."
Some other urls which appeared were:
< http://www.srv2trking.com/LTSanitizer.aspx?u=http%3a%2f%2fwww.ascentive.com%2frun%2fclick%2fSEC_CPA%2fgo%2fFFTV%3fc1%3d08_107761803_ed31ad73-fc16-40f5-9cad-cccc044ea1f4
%26c2%3da-0-2464-2418-27346-0-223-0_177593 >;
< https://interyield.jmp9.com/InterYield/optout.do >;
< http://download1181bucket.com/go/windowsupdate?_alc=1&_cb=1&_ep=1&_sd=1&adprovider=advertisecom&source=advertisecom_driverupdater-us-dt-ron6&
subid=66385-1017_1008_us&subid2=interyield+jmp9&servpixel=1408768365016_1408768324035_109_469_5987611_1 >
which offered a Windows 8 update with a small front screen overlay message saying "WARNING! Please Install Update To Continue." while the main screen had a message that it was a "Windows 8 Update" with the admonition that "You are currently using - Windows 8 - which is now outdated... Please install the latest update to enhance your computer's security and performance." (part of the window screen capture was missing the full text, so I had to guess part of the message);
(NOTE that the previous entry may have a disconnect between the url and actual screen, since I could not reproduce the result);
< http://pmptrk.com/t/o/12/ > was another redirect;
< http://updatingdriversnow.com/ujp1/?source=MG_EBT-RED&kw=ubid >
another which offered a Java Update (13?) which had a front screen "Java Recommended" and "It is recommended to have Java in order to proceed.";
checking on a contact link for the Video Update,
< http://www.lpmxp2129.com/eQBQL8o9/videoupdater/contact.html >
was the url;
< http://pcupgradenow.com/su/en/4/a9551d18bc46aa01436d6fbb3caf46adc84f910f073379322921d15717c8caa4:1408769323/?a=anothervars&b=39500638&sid=ADV-sft-555&filename=Software_Update&uid=1408769323444_1408768975263_125_415_5966399_1 >
appeared with a front screen overlay message saying "UPDATES RECOMMENDED! It is recommended that you install the software to ensure your browser is the latest version. Please update to continue.";
the previous link had "Transferring data from static.getclicky.com" in the bottom left corner of the screen;
another screen with url
< http://pckeeperapp.zeobit.com/land/7.13/index.php?affid=mzb_196.8233409.1408767556.2.mzb&utm_source=ldmpcts&utm_medium=popunder&utm_campaign=pck_ldmpcts_15aug_ff&utm_term=&utm_content=&userDefiner=mzb_2380&installer=&trt=33_22526071&alert=301&tid_ext=antivirus >
was very realistic (and for all I know is legitimate), showing a logo for PCKeeper, a front screen block titled "Important Message" with "Your PC Performance is Poor." and a "Fix Now" selector button;
the main screen of the previous url had the overhead title of "How to Fix The Windows 8.1 error" which is somewhat peculiar since "The" is capitalized while "error" is not;
also the previous screen had 1. a picture of an attractive smiling young man with a reference book titled "Microsoft Certified Technology Specialist", 2. several links for various PCKeeper options, and 3. at the bottom, block ads for AAA and alleged referrals from "The Wall Street Journal", "MAXIMUMPC", and "Business Wire" and 4. a warning that "You may be presented with an optional offer(s) during INSTALLATION" which was the link followed another link for "learn more";
< http://pchelpdesk.co/cp/support-for-microsoft.php?affiliate=63783-86_777 >
was a web page for pchelpdesk.co which gave a phone number of 855-677-5531 for "Instant Tech Support for Microsoft r-copyright Products by Expert Technician";
< http://techieschoice.com/l2/support-for-microsoft.php >
gave a phone number 855-677-9945 with another convincing webpage which even had several testimonials;
< http://windows.microsoft.com/en-us/windows-live/movie-maker-file-types-faq?wlexpid=FC1B09C67C184525852C59C15A0F465E >
was one of the original webpages from which this
detour first began with a header of "What kind of files can I use in Movie Maker?";
< http://aff2click.com/?a=939&c=8108&s1=14714782&s2=w.ascentive >
which I do not have a screenshot for;
< http://apps4u.pw/v14/?entry=&exit=&i=eyJ0IjoxNDA4NzcwOTQ1Mjk5MTU4MzA4LCJjIjoiNTM4ZWQzZGNiYjMyMTM2ZDE3YzI3ZWUwIiwidSI6IjA5MzQ4ZWM2
IiwiZSI6MC4wMjEsIjEiOiJ2MTQtQ29udHJvbCJ9&url=gt.penga.info >
had the header "Recommended Download!" followed by "You are currently browsing on Chrome 35" and "Please Install the RECOMMENDED SOFTWARE -< which was the link > to Confirm You are Using the Recommended Version." along with other embedded links, options and disclaimers;
< http://landing.driverrestore.com/ldimp/02/en/?brand=Windows&subid=US|EN|windows*download >
for which I have no screenshot;
< http://lp.get-soft.com/mpc____________/?o=42&campid=14403&creaid=6104&reqid=571734621 >
with no screenshot;
< http://trk8.com/base.php?c=109&key=5555c230910ebedab5128d543147c7c6&keyword=.ascentive.co > with no screenshot; and
< http://downloadjust4u.com/download/firefox3/ > with no screenshot.
I may have missed a couple or so urls, especially the intermediate transition urls, since they tended to change very quickly. Any of my screenshots are freely available if they can offer any further value.
Since you probably have too many emails and too few volunteers, I don't expect that anyone has time to send me a personal individual response, but a universal message or warning (if appropriate) to all users would be great. I am still uncertain if I am making this a bigger deal than it actually is.
Thanks to everyone at Firefox. It has been my favorite browser for a few years now.
James
The ONLY support for Mozilla programs are web sites like this.
The people who answer questions here, for the most part, are other Firefox users volunteering their time (like me), not Mozilla employees or Firefox developers.
If you want to leave feedback for Firefox developers, you can go to the Firefox "Help" menu and select "Submit Feedback..." or use this link: https://input.mozilla.org/feedback. Your feedback gets collected at http://input.mozilla.org/, where a team of people read it and gather data about the most common issues.
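Several of the redirect URLs listed in the question above carry their next hop inside the query string, for example the percent-encoded `u=` parameter of the srv2trking.com link and the bare hostname in `url=gt.penga.info`. As an added example that is not part of the original posts, the Python code below unpacks that nesting to list every host a link references, which is the list to compare against proxy logs or a blocklist. The function names are hypothetical and the `example.test` sample is constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Inputs. The first two URLs are quoted in the post (wrapped lines rejoined; the
# long i= blob of the second is left out). The third is constructed for this example.
SAMPLES = [
    "http://www.srv2trking.com/LTSanitizer.aspx?u=http%3a%2f%2fwww.ascentive.com"
    "%2frun%2fclick%2fSEC_CPA%2fgo%2fFFTV%3fc1%3d08_107761803_ed31ad73-fc16-40f5-"
    "9cad-cccc044ea1f4%26c2%3da-0-2464-2418-27346-0-223-0_177593",
    "http://apps4u.pw/v14/?entry=&exit=&url=gt.penga.info",
    "http://tracker.example.test/r?id=7&next=https%253A%252F%252Flanding.example.test"
    "%252Foffer%253Fsrc%253Dcdn.example.test",
]

HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
MAX_DEPTH = 5  # bound on both repeated decoding and nesting depth


def _is_url(value):
    return value.lower().startswith(("http://", "https://"))


def _peel(value):
    """Percent-decode until an http(s) URL appears or the value stops changing."""
    for _ in range(MAX_DEPTH):
        if _is_url(value):
            break
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def redirect_hosts(url, depth=0, seen=None):
    """Hosts named by `url` and by URLs or hostnames nested in its query string."""
    seen = [] if seen is None else seen
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host and host not in seen:
        seen.append(host)
    if depth >= MAX_DEPTH:
        return seen
    for _name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = _peel(raw)
        if _is_url(value):
            redirect_hosts(value, depth + 1, seen)   # follow the embedded next hop
        elif HOSTLIKE.match(value) and value.lower() not in seen:
            seen.append(value.lower())               # bare hostname passed as a value
    return seen


if __name__ == "__main__":
    for sample in SAMPLES:
        print(" -> ".join(redirect_hosts(sample)))
```

The parsing is purely offline: nothing is fetched, so the output reflects only what the link text itself discloses, not where a live server would actually redirect.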