Security Event 680: Do I have a problem?

pdube

Honorable
Feb 18, 2012
12
0
10,510
Hi,

My network is set up like this: I am on a domain with several workstations in it. A VPN is set up to a production environment where the servers are not in a domain. My workstation is running Windows 7 Pro.
On one server running Windows 2003 R2, I see this kind of entry in the Security log every 2 minutes. To my knowledge, I have no permanent connection to this server (RDP is closed, no shared folder, no web page, no connection to SQL).

Event Type: Success Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 2/26/2012
Time: 2:37:27 AM
User: SERVER01\PDube
Computer: SERVER01
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: PDube
Source Workstation: PDUBE-PC
Error Code: 0x0


Should I be concerned about these entries? Why is this logged every 2 minutes?

Paul
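An added example, not from the thread: a Python script that parses event 680 records in the text layout shown above, groups them by account and source workstation, measures the cadence between consecutive records and decodes the NTLM error code. A steady interval with error code 0x0 from a single workstation is what a scheduled process re-authenticating looks like, which is different from a burst of failed logons. The sample records, the OTHER-PC workstation name, the failing record and the five-second jitter tolerance used to call a series periodic are constructed assumptions.

```python
"""Summarise Windows Security event 680 (NTLM logon attempt) records."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# NTSTATUS values seen in the Error Code field of event 680.
# 0x0 is success; the rest are the documented NTLM failure codes.
NTLM_ERROR_CODES = {
    0x0: "success",
    0xC000006A: "wrong password",
    0xC0000064: "user name does not exist",
    0xC0000234: "account locked out",
    0xC0000072: "account disabled",
    0xC000006F: "logon outside permitted hours",
    0xC0000070: "workstation restriction",
    0xC0000071: "password expired",
    0xC0000193: "account expired",
    0xC0000224: "password must change",
}

# Lazy key match so "Time: 2:37:27 AM" splits at the first colon only.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)$")

# Assumed jitter (seconds) allowed between intervals of a periodic series.
PERIODIC_JITTER_S = 5


def parse_event_680(text):
    """Parse one event-viewer text dump; return None if it is not a 680."""
    fields = {}
    for line in text.strip().splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group("key")] = m.group("value").strip()
    if fields.get("Event ID") != "680":
        return None
    when = datetime.strptime(
        f"{fields['Date']} {fields['Time']}", "%m/%d/%Y %I:%M:%S %p"
    )
    code = int(fields["Error Code"], 16)
    return {
        "time": when,
        "account": fields["Logon account"],
        "workstation": fields["Source Workstation"],
        "package": fields["Logon attempt by"],
        "code": code,
        "result": NTLM_ERROR_CODES.get(code, f"unknown NTSTATUS 0x{code:08X}"),
    }


def summarise(events):
    """Group by (account, workstation) and measure cadence and outcomes."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["account"], ev["workstation"])].append(ev)
    summary = {}
    for key, evs in groups.items():
        evs.sort(key=lambda e: e["time"])
        gaps = [(b["time"] - a["time"]).total_seconds()
                for a, b in zip(evs, evs[1:])]
        summary[key] = {
            "count": len(evs),
            "results": sorted({e["result"] for e in evs}),
            "median_interval_s": median(gaps) if gaps else None,
            # Two or more near-identical gaps: a timer, not a person.
            "periodic": len(gaps) >= 2
            and max(gaps) - min(gaps) <= PERIODIC_JITTER_S,
        }
    return summary


def analyse(log_text):
    """Split a text export into records (blank-line separated) and summarise."""
    chunks = re.split(r"\n\s*\n", log_text.strip())
    parsed = (parse_event_680(c) for c in chunks)
    return summarise(e for e in parsed if e is not None)


def _event(date, time, account, workstation, code):
    # Constructed record in the same text layout as the one posted.
    audit = "Success" if code == 0 else "Failure"
    return (f"Event Type: {audit} Audit\nEvent Source: Security\n"
            f"Event Category: Account Logon\nEvent ID: 680\n"
            f"Date: {date}\nTime: {time}\nUser: SERVER01\\{account}\n"
            f"Computer: SERVER01\nDescription:\n"
            f"Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
            f"Logon account: {account}\nSource Workstation: {workstation}\n"
            f"Error Code: 0x{code:X}")


# Constructed sample: the posted pattern (every 2 minutes, 0x0) plus one
# assumed failed attempt from a different workstation for contrast.
SAMPLE_LOG = "\n\n".join([
    _event("2/26/2012", "2:37:27 AM", "PDube", "PDUBE-PC", 0x0),
    _event("2/26/2012", "2:39:27 AM", "PDube", "PDUBE-PC", 0x0),
    _event("2/26/2012", "2:41:27 AM", "PDube", "PDUBE-PC", 0x0),
    _event("2/26/2012", "2:43:27 AM", "PDube", "PDUBE-PC", 0x0),
    _event("2/26/2012", "2:40:05 AM", "PDube", "OTHER-PC", 0xC000006A),
])

if __name__ == "__main__":
    for (account, ws), s in analyse(SAMPLE_LOG).items():
        print(f"{account}@{ws}: {s}")
```

Run against a real export, the script reads the same text layout the Event Viewer produces when an event is copied out; a group flagged periodic with only "success" results from one workstation is the case to chase down on that workstation (which process holds the credential), while any group whose results include a failure code is the one worth treating as a possible password-guessing or stale-credential problem.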
 

riser

Illustrious
Ah god my SCOM stuff comes in useful.

You have someone trying to sync something or query against AD. Find out who the person is and go talk to them.

It is logged because the security event viewer logs all access for auditing purposes.
 

pdube


Yeah! I should have thought about it: maybe I'll ask something to someone in order to talk about something or some problem... :heink:
 

riser
Just realized your name is the account that is showing up in the event log.

You might have something like a BlackBerry trying to sync, or maybe an app on your computer that is trying to verify usernames, or something of that nature.

You could check the event logs on your computer to see what is making the call.
 

pdube


The server is a web server with some SQL databases running on it.
No BlackBerry or any other device should sync to this server.
I haven't seen anything in my logs.
I do see this in netstat, but I have no clue what it means:
TCP 192.168.2.120:61413 192.168.1.30:epmap TIME_WAIT

192.168.2.120 is my workstation and 192.168.1.30 is the server.
 

riser
What account is the SQL service running as? It appears SQL might be running under your account and generating these alerts.

Beyond that it isn't something you should be too concerned about. Stop the SQL service and see if the events stop. If that is the case you may want to consider setting up a Service Account to run the SQL service.
 

pdube


SQL runs as the local administrator. I cannot stop the service since it's a production server.
I was just wondering if I had a real security issue here (a trojan, spyware or something like that), because I just cannot understand what needs to log in (or seems to log in) as my user every 2 minutes.