Detailed analysis of the nine major Windows Server 2003 security event ID categories

  
                

Spend enough time on the Internet and sooner or later you get hit. That is a vivid picture of the state of computer security for ordinary users. Even technical experts who are good at protecting themselves will inevitably be infected by a virus or Trojan at some point, to say nothing of novice users, so how to protect a computer has become a matter of great concern to everyone online. To that end, this article walks through the Windows Server 2003 security event IDs, in the hope of helping you quickly identify the security events generated by the Microsoft Windows Server 2003 operating system and understand what each one means.

I. Account Logon Events

The following security events are generated by the "Audit account logon events" security template setting.

672: The authentication service (AS) ticket has been successfully issued and verified.

673: A ticket granting service (TGS) ticket has been granted. A TGS is a ticket issued by the Kerberos v5 ticket granting service (TGS) that allows a user to authenticate to a specific service in the domain.

674: The security principal has renewed the AS ticket or TGS ticket.

675: Pre-authentication failed. The Key Distribution Center (KDC) generates this event when the user types the wrong password.

676: The authentication ticket request failed. This event is not generated in Windows XP Professional or in members of the Windows Server family.

677: The TGS ticket was not granted. This event is not generated in Windows XP Professional or in members of the Windows Server family.

678: The account has been successfully mapped to a domain account.

681: Logon failed. A domain account logon was attempted. This event is not generated in Windows XP Professional or in members of the Windows Server family.

682: The user has reconnected to a disconnected terminal server session.

683: The user disconnects the terminal server session without logging out.

II. Account Management Events

The following shows the security events generated by the "Audit Account Management" security template settings.

624: User account has been created.

627: User password has been changed.

628: The user password has been set.

630: User account has been deleted.

631: The global group has been created.

632: Members have been added to the global group.

633: The member has been removed from the global group.

634: The global group has been deleted.

635: A new local group has been created.

636: Members have been added to the local group.

637: The member has been removed from the local group.

638: The local group has been deleted.

639: The local group account has been changed.

641: The global group account has been changed.

642: User account has been changed.

643: The domain policy has been modified.

644: User accounts are automatically locked.

645: The computer account has been created.

646: The computer account has been changed.

647: The computer account has been deleted.

648: A local security group with security disabled has been created.

Note:

SECURITY_DISABLED in the official name means that the group cannot be used to grant permissions in access checks.

649: A local security group with security disabled has been changed.

650: A member has been added to a security-disabled local security group.

651: A member has been removed from a security-disabled local security group.

652: A security-disabled local group has been deleted.

653: A security-disabled global group has been created.

654: A security-disabled global group has been changed.

655: A member has been added to a security-disabled global group.

656: A member has been removed from a security-disabled global group.

657: A security-disabled global group has been deleted.

658: A universal group with security enabled has been created.

659: The universal group with security enabled has changed.

660: Members have been added to the security-enabled universal group.

661: Members have been removed from the security-enabled universal group.

662: A security-enabled universal group has been deleted.

663: A security-disabled universal group has been created.

664: A security-disabled universal group has been changed.

665: A member has been added to a security-disabled universal group.

666: A member has been removed from a security-disabled universal group.

667: A security-disabled universal group has been deleted.

668: The group type has changed.

684: The security descriptor of members of administrative groups has been set.

Note:

Every 60 minutes on a domain controller, a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor to them. This event is logged.

685: The account name has been changed.
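
One way to put these IDs to work when reviewing an exported Security log, as an added example that is not part of the original article: it flags bursts of event 675, account lockouts (644) and additions to security-enabled groups (632, 636, 660). The record layout, account names, addresses and thresholds are constructed assumptions, not the native event log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Event IDs taken from the lists above.
PREAUTH_FAILED = 675          # Kerberos pre-authentication failed
ACCOUNT_LOCKED = 644          # user account automatically locked
GROUP_MEMBER_ADDED = {632: "global", 636: "local", 660: "universal"}

# Constructed sample records (assumed layout):
# (timestamp, event ID, target account, group name or client address).
SAMPLE_EVENTS = [
    ("2004-03-01 09:00:05", 675, "jsmith", "10.0.0.21"),
    ("2004-03-01 09:00:09", 675, "jsmith", "10.0.0.21"),
    ("2004-03-01 09:00:14", 675, "jsmith", "10.0.0.21"),
    ("2004-03-01 09:00:20", 644, "jsmith", ""),
    ("2004-03-01 09:30:00", 675, "akhan", "10.0.0.40"),
    ("2004-03-01 10:15:00", 624, "svc-temp", ""),
    ("2004-03-01 10:15:30", 632, "svc-temp", "Domain Admins"),
    ("2004-03-01 11:00:00", 675, "akhan", "10.0.0.40"),
]

def triage(events, threshold=3, window=timedelta(minutes=5)):
    """Return alert strings for 675 bursts, lockouts and group additions."""
    alerts = []
    recent = defaultdict(deque)   # account -> timestamps of recent 675 events
    for stamp, event_id, account, detail in sorted(events):
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        if event_id == PREAUTH_FAILED:
            times = recent[account]
            times.append(when)
            while when - times[0] > window:   # drop failures outside the window
                times.popleft()
            if len(times) == threshold:       # alert when the count reaches the threshold
                alerts.append(f"{stamp} burst: {threshold} x 675 for {account} within {window}")
        elif event_id == ACCOUNT_LOCKED:
            alerts.append(f"{stamp} lockout: 644 for {account}")
        elif event_id in GROUP_MEMBER_ADDED:
            scope = GROUP_MEMBER_ADDED[event_id]
            alerts.append(f"{stamp} group change: {event_id} added {account} to {scope} group {detail}")
    return alerts

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

Isolated 675 events, such as the two for akhan 90 minutes apart, stay below the threshold and produce no alert.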
