Security Event 680: Do I have a problem?

February 27, 2012 1:42:09 PM

Hi,

My network is set up like this: I am on a domain with several workstations in it. A VPN is set up to a production environment where servers are not in a domain. My workstation is running Windows 7 Pro.
On one server running Windows 2003 R2, I see this kind of entry in the Security log every 2 minutes. To my knowledge, I have no permanent connection to this server (RDP is closed, no shared folder, no web page, no connection to SQL).

Event Type: Success Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 2/26/2012
Time: 2:37:27 AM
User: SERVER01\PDube
Computer: SERVER01
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: PDube
Source Workstation: PDUBE-PC
Error Code: 0x0


Should I be concerned about these entries? Why is this logged every 2 minutes?

Paul


February 27, 2012 2:03:03 PM

Ah god my SCOM stuff comes in useful.

You have someone trying to sync something or query against AD. Find out who the person is and go talk to them.

It is logged because the security event viewer logs all access for auditing purposes.
February 27, 2012 2:35:18 PM

riser said:
Ah god my SCOM stuff comes in useful.

You have someone trying to sync something or query against AD. Find out who the person is and go talk to them.

It is logged because the security event viewer logs all access for auditing purposes.


Yeah! I should have thought about it: maybe I'll ask something to someone in order to talk about something or some problem... :heink:
February 27, 2012 2:59:07 PM

Just realized your name is the account that is showing up in the event log.

If you have something like a blackberry trying to sync, or maybe you have an app on your computer that is trying to verify usernames, or something of that matter.

You could check the event logs on your computer to see what is making the call.
February 27, 2012 3:10:40 PM

riser said:
Just realized your name is the account that is showing up in the event log.

If you have something like a blackberry trying to sync, or maybe you have an app on your computer that is trying to verify usernames, or something of that matter.

You could check the event logs on your computer to see what is making the call.


The server is a web server with some SQL databases running on it.
No Blackberry or any other device should sync to this server.
I haven't seen anything in my logs.
I do see this in netstat, but I have no clue what it means:
TCP 192.168.2.120:61413 192.168.1.30:epmap TIME_WAIT

192.168.2.120 is my workstation and 192.168.1.30 is the server.
February 27, 2012 4:02:54 PM

What account is the SQL service running as? It appears SQL might be running under your account and generating these alerts.

Beyond that it isn't something you should be too concerned about. Stop the SQL service and see if the events stop. If that is the case you may want to consider setting up a Service Account to run the SQL service.
February 27, 2012 6:07:43 PM

riser said:
What account is the SQL service running as? It appears SQL might be running under your account and generating these alerts.

Beyond that it isn't something you should be too concerned about. Stop the SQL service and see if the events stop. If that is the case you may want to consider setting up a Service Account to run the SQL service.


The SQL runs as local administrator. I cannot stop the service since it's a production server.
I was just wondering if I had a real security issue here (trojan, spyware or something like that) because I just cannot understand what needs to log in (or seems to log in) as my user every 2 minutes.
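One way to check whether entries like the one in the question arrive on a fixed timer, which points at a scheduled or automated client rather than an interactive logon. This is an added example, not part of the thread: it parses Event 680 records pasted in the text layout quoted above, groups them by account, source workstation and error code, and measures the gaps between them. The function names, the 10-second jitter threshold, the JSmith account and all timestamps other than the first are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in the text layout of the entry quoted in the question.
# PDube/PDUBE-PC come from the thread; JSmith/JSMITH-PC and the times are made up.
TEMPLATE = """Event Type: Success Audit
Event ID: 680
Date: 2/26/2012
Time: {time}
Logon account: {account}
Source Workstation: {workstation}
Error Code: 0x0
"""
ROWS = ([(t, "PDube", "PDUBE-PC") for t in ("2:37:27 AM", "2:39:27 AM", "2:41:28 AM", "2:43:27 AM")]
        + [(t, "JSmith", "JSMITH-PC") for t in ("9:02:11 AM", "9:40:53 AM", "1:15:30 PM")])
SAMPLE = "".join(TEMPLATE.format(time=t, account=a, workstation=w) for t, a, w in ROWS)

FIELD = re.compile(r"^(Event ID|Date|Time|Logon account|Source Workstation|Error Code):[ \t]*(.+?)[ \t]*$", re.M)
REQUIRED = {"Event ID", "Date", "Time", "Logon account", "Source Workstation", "Error Code"}

def parse_events(text):
    """Return (account, workstation, error code, datetime) per Event 680 record."""
    events = []
    for chunk in re.split(r"(?m)^Event Type:", text)[1:]:
        f = dict(FIELD.findall(chunk))
        if not REQUIRED <= f.keys() or f["Event ID"] != "680":
            continue  # truncated record or a different event ID
        when = datetime.strptime(f["Date"] + " " + f["Time"], "%m/%d/%Y %I:%M:%S %p")
        events.append((f["Logon account"], f["Source Workstation"], f["Error Code"], when))
    return events

def cadence(events, max_jitter_s=10):
    """Group by (account, workstation, error code) and test for a fixed interval."""
    groups = defaultdict(list)
    for account, workstation, code, when in events:
        groups[(account, workstation, code)].append(when)
    report = {}
    for key, times in groups.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) < 2:
            continue  # too few events to judge a pattern
        mid = median(gaps)
        periodic = all(abs(g - mid) <= max_jitter_s for g in gaps)
        report[key] = {"count": len(times), "median_gap_s": mid, "periodic": periodic}
    return report
```

A group reported as periodic with a median gap near 120 seconds matches the "every 2 minutes" pattern in the question and narrows the search to something on the source workstation that polls on a timer.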