Windows Server 2019 Event Viewer shows excessive Security Event Logs (e.g. 5379, 5382, 4797, 4798, 4946, 4948)

stevenhohk 6 Reputation points
2021-09-08T09:41:09.423+00:00

When I log in to the Windows Server 2019, it is discovered that there are excessive Security Event Logs for:

- 5379 Credential Manager credentials were read
- 5382 Vault credentials were read
- 4797 An attempt was made to query the existence of a blank password for an account
- 4798 A user's local group membership was enumerated
- 4946 A change was made to the Windows Firewall exception list. A rule was added
- 4948 A change was made to the Windows Firewall exception list. A rule was deleted

We have several new servers with Windows Server 2019 installed, and all the servers are experiencing the same issues, especially event 5379, which appears 20 times a minute, with the other events following.

Since the servers are new, we are sure that we did not perform such actions as described in the event logs. Interestingly, for 4946 and 4798, the user name described in the log is "NULL" and "Guest". For 4797, 4798 and 5379, all the local accounts are involved, as described in the user name.

Checking auditpol /get /category:*, we have configured the following:
System Integrity (Success and Failure)
Other System Events (Success and Failure)
Security State Change (Success)
Logon (Success and Failure)
Logoff (Success)
Account Lockout (Success)
Special Logon (Success)
Network Policy Server (Success and Failure)
Audit Policy Change (Success)
Authentication Policy Change (Success)
Computer Account Management (Success)
Security Group Management (Success)
User Account Management (Success)
Directory Service Access (Success)
Kerberos Service Ticket Operations (Success)
Kerberos Authentication Service (Success)
Credential Validation (Success)

What are the causes of this abnormal behaviour?

What condition will trigger such event logs?

Are there any security issues with such events?

Is that a known issue for these excessive events in Windows Server 2019? I also find many people talking about similar issues in the forums.

Thanks.

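As an added example (not part of the thread), a PowerShell triage script that answers the first practical question about this noise: how many of each of these IDs fire per minute, which subject and target accounts they involve, and which processes (where the event carries a process name) generate them. The 60-minute window is an assumption; run it in an elevated session on one of the affected servers.

```powershell
# Added triage script (not from the original thread). Summarises the noisy Security
# event IDs from the question: volume per ID, rate per minute, and the accounts and
# processes that appear in them. Assumes the default Security log and an elevated shell.
$Ids    = 5379, 5382, 4797, 4798, 4946, 4948
$Window = 60                                  # minutes to look back (assumption; adjust)
$Start  = (Get-Date).AddMinutes(-$Window)

$Events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Ids; StartTime = $Start } `
                       -ErrorAction SilentlyContinue
if (-not $Events) { "No matching events in the last $Window minutes."; return }

# Flatten the named EventData fields of each event so they can be grouped on.
# Field names differ per ID (e.g. CallerProcessName on 4798), so the process name is
# taken from whichever field ends in 'ProcessName'; IDs without one show as blank.
$Rows = foreach ($e in $Events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) {
        if ($item.Name) { $d[$item.Name] = $item.'#text' }
    }
    $procKey = $d.Keys | Where-Object { $_ -like '*ProcessName' } | Select-Object -First 1
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Id          = $e.Id
        SubjectUser = $d['SubjectUserName']
        TargetUser  = $d['TargetUserName']
        Process     = if ($procKey) { $d[$procKey] } else { '' }
    }
}

"Events per ID in the last $Window minutes (rate per minute in brackets):"
$Rows | Group-Object Id | Sort-Object Count -Descending | ForEach-Object {
    '{0,5}  {1,6}  ({2:N1}/min)' -f $_.Name, $_.Count, ($_.Count / $Window)
}

"`nSubject account -> target account pairs (who read or enumerated what):"
$Rows | Group-Object SubjectUser, TargetUser | Sort-Object Count -Descending |
    Select-Object -First 15 | Format-Table Count, Name -AutoSize

"`nProcesses named in the events (only IDs that carry a process name field):"
$Rows | Where-Object { $_.Process } | Group-Object Process | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

"`nBusiest minutes (a flat, regular rate points at a background task rather than a user):"
$Rows | Group-Object { $_.Time.ToString('yyyy-MM-dd HH:mm') } | Sort-Object Count -Descending |
    Select-Object -First 10 | Format-Table Count, Name -AutoSize
```

A steady rate across every minute, with the same local accounts and a Windows system process as the subject, is what a periodic built-in task looks like; bursts tied to interactive logons or to a non-Windows process are what to escalate.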

2 answers

  1. Reza-Ameri 16,826 Reputation points
    2021-09-09T15:12:01.367+00:00

    It looks like an issue in Windows Server.
    Try to find a Windows 10 device and open the Feedback Hub app; in the form, select Windows Server, submit all log files and explain the issue there.
    Those who are facing the same issue should try to upvote the issue (if it is in the Feedback Hub) or create a new bug report.


  2. Paul Mertens 1 Reputation point
    2021-10-19T12:05:19.863+00:00

    I'm having similar issues on Windows 10 Pro. Whenever the PC is not actively being used, lsass.exe logs an excessive amount of events, e.g. 5379, 4672, 4624, 4634.

    Most are for the logged on user, but also other users and SYSTEM.
