
Server refreshes its security policy with wrong values

Posted by Alexander Groß on July 9, 2006, 8:29 am
Hello everybody,

I've got a new Windows Server 2003 R2 set up. The Audit Policy is set to
enable successful and failed logons. These settings are applied by me but
after some time, i.e. 8 AM the next morning the server logs the following
policy change.

Event ID: 612
User: NT AUTHORITY\SYSTEM
Audit Policy Change:
New Policy:
Success Failure
- - Logon/Logoff
- - Object Access
- - Privilege Use
- - Account Management
- - Policy Change
- + System
- - Detailed Tracking
- - Directory Service Access
- - Account Logon
Changed By:
User Name: ARWEN$
Domain Name: WG
Logon ID: (0x0,0x3E7)

This basically means that my previously applied Logon/Logoff audit was
turned off. I'm not sure which process triggered the update; it seems to
come from a system process, as the User Name ARWEN$ (the server name)
suggests.

The server is a standalone server, AD is not installed. Does anyone know why
this happens and how I could fix the wrong policy update?

Best regards,

Alex
--
_______________________________________

Alexander Groß
Dipl.-Ing. (BA) für Informationstechnik
PLEASEAlexanderGrossREMOVETHIS@gmx.de
http://www.it99.org/axl/
ICQ# 36765668
_______________________________________



Posted by Caledai on July 9, 2006, 9:01 am
Is the server on a domain at all?
If so it will be picking up the Default Domain policy at the least, whenever
the Group Policy is updated.

The server doesn't need to have AD installed, as GP is used to manage and
secure workstations which don't have AD.

If you are on a domain - run a model to work out what GPOs are being
applied.
You can also run rsop.msc, but the detail isn't as great on the machine. It
will only tell you what policies have been applied - whereas the model will
give you a breakdown of which policy has won for each setting.





Posted by Alexander Groß on July 9, 2006, 2:41 pm
Hi Caledai,

| Is the server on a domain at all?

No, it's just a single server in a workgroup with no domain setup at all.
I've set the audit policy using gpedit.msc and secpol.msc, as far as I can
tell there's no difference between those two.

| You can also run rsop.msc, but the detail isn't as great on the
| machine. It will only tell you what policies have been applied

rsop.msc just says that each audit setting is "Not defined". I'm not sure
where this comes from, because the logon script I've defined using Group
Policy shows up.

Strangely, just the logon/logoff audit is turned off, my other audits are
kept.

Best regards,

Alex

--
_______________________________________

Alexander Groß
Dipl.-Ing. (BA) für Informationstechnik
PLEASEAlexanderGrossREMOVETHIS@gmx.de
http://www.it99.org/axl/
ICQ# 36765668
_______________________________________



Posted by Steven L Umbach on July 9, 2006, 5:51 pm
It sounds like some process using secedit in a batch file referencing a
security template may be making the change. I would check to see if any
Scheduled Task or AT command is configured to run at that time or possibly
a Group Policy startup script if the computer was started up at 8:00.
--- Steve





Posted by Alexander Groß on July 10, 2006, 11:00 am
Hi Steven,

| It sounds like some process using secedit in a batch file referencing
| a security template may be making the change. I would check to see if
| any Scheduled Task or AT command is configured to run at that time


There are no tasks scheduled on the machine. The audit policy was updated
around 8 AM two times, but as the Event Log shows, it has also been updated
by NT AUTHORITY\SYSTEM at 4:03 PM, 4:24 PM, 5:23 PM, 5:56 PM and 6:53 PM
yesterday.

Any ideas how to find out which process triggers the update?

Best regards,

Alex
--
_______________________________________

Alexander Groß
Dipl.-Ing. (BA) für Informationstechnik
PLEASEAlexanderGrossREMOVETHIS@gmx.de
http://www.it99.org/axl/
ICQ# 36765668
_______________________________________
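
The check the first post makes by eye, as an added example (not code from the thread): parse the description text of an Event ID 612 record in the layout quoted above and report where the new policy departs from the intended one. The baseline dictionary and the function names are assumptions for illustration.

```python
import re

# Event text as posted in the thread (raw string because of the backslash).
SAMPLE = r"""Event ID: 612
User: NT AUTHORITY\SYSTEM
Audit Policy Change:
New Policy:
Success Failure
- - Logon/Logoff
- - Object Access
- - Privilege Use
- - Account Management
- - Policy Change
- + System
- - Detailed Tracking
- - Directory Service Access
- - Account Logon
Changed By:
User Name: ARWEN$
Domain Name: WG
Logon ID: (0x0,0x3E7)"""

# Assumed baseline: only the setting the poster says he configured.
BASELINE = {"Logon/Logoff": (True, True)}
ROW = re.compile(r"^\s*([+-])\s+([+-])\s+(.+?)\s*$")

def parse_612(text):
    """Return the (success, failure) flags per category and the 'Changed By' fields."""
    policy, changed_by, section = {}, {}, None
    for line in text.splitlines():
        label = line.strip()
        if label in ("New Policy:", "Changed By:"):
            section = label
        elif section == "New Policy:" and (m := ROW.match(line)):
            policy[m.group(3)] = (m.group(1) == "+", m.group(2) == "+")
        elif section == "Changed By:" and ":" in label:
            key, value = label.split(":", 1)
            changed_by[key.strip()] = value.strip()
    return {"policy": policy, "changed_by": changed_by}

def drift(event, baseline=BASELINE):
    """List (category, expected, actual) for every baseline setting the event overrides."""
    return [(cat, want, event["policy"].get(cat))
            for cat, want in baseline.items() if event["policy"].get(cat) != want]

def by_local_system(event):
    """Logon ID 0x3E7 is the LocalSystem logon session, as in the posted event."""
    return event["changed_by"].get("Logon ID", "").lower() == "(0x0,0x3e7)"
```

Calling `drift(parse_612(SAMPLE))` on each exported 612 record shows which of the repeated SYSTEM-initiated refreshes actually reverted the setting.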


