When I log in to Windows Server 2019, it is discovered that there are excessive Security Event Logs for:
- 5379 Credential Manager credentials were read
- 5382 Vault credentials were read
- 4797 An attempt was made to query the existence of a blank password for an account
- 4798 A user's local group membership was enumerated
- 4946 A change was made to the Windows Firewall exception list. A rule was added
- 4948 A change was made to the Windows Firewall exception list. A rule was deleted
We have several new servers with Windows Server 2019 installed, and all of the servers are experiencing the same issues; in particular, event 5379 appears 20 times a minute and the other events follow.
Since the servers are new, we are sure that we did not perform the actions described in the event logs. Interestingly, for 4946, 4798, the user name described in the log is "NULL" and "Guest". For 4797, 4798, 5379, all the local accounts are involved as described in the user name.
Checking auditpol /get /category:*, we have configured the following:
System Integrity (Success and Failure)
Other System Events (Success and Failure)
Security State Change (Success)
Logon (Success and Failure)
Account Lockout (Success)
Special Logon (Success)
Network Policy Server (Success and Failure)
Audit Policy Change (Success)
Authentication Policy Change (Success)
Computer Account Management (Success)
Security Group Management (Success)
User Account Management (Success)
Directory Service Access (Success)
Kerberos Service Ticket Operations (Success)
Kerberos Authentication Service (Success)
Credential Validation (Success)
What are the causes that lead to this abnormal action?
What conditions will trigger such event logs?
Are there any security issues with such events?
Is that a known issue for these excessive events in Windows Server 2019? I also find many people talking about similar issues in the forums.
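One way to see which account and which process sit behind the volume, as an added example that is not part of the original post: it pulls the six event IDs listed above from the Security log and groups them by event ID, subject account and any process-related field. The one-hour window and the field names `SubjectUserName` and `TargetUserName` are assumptions; a field missing from an event's data is simply left empty.

```powershell
# Run from an elevated PowerShell prompt (reading the Security log requires it).
# Event IDs are the ones listed in the post; the look-back window is an assumption.
$ids   = 4797, 4798, 4946, 4948, 5379, 5382
$since = (Get-Date).AddHours(-1)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $ids
    StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Flatten <EventData><Data Name="...">value</Data> into a name/value table.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }

    # Collect every field whose name mentions "Process" instead of hard-coding
    # one name, because the field set differs between event IDs.
    $proc = ($data.Keys |
        Where-Object { $_ -like '*Process*' } |
        Sort-Object |
        ForEach-Object { "$_=$($data[$_])" }) -join '; '

    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Subject = $data['SubjectUserName']   # assumed field name; empty if absent
        Target  = $data['TargetUserName']    # assumed field name; empty if absent
        Process = $proc
    }
}

# Overall volume per event ID.
$rows | Group-Object Id | Sort-Object Count -Descending |
    Select-Object Count, Name

# Top (event ID, subject account, process) combinations generating the events.
$rows | Group-Object Id, Subject, Process | Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name | Format-Table -Wrap
```

Running the same script on each of the new servers and comparing the top groups shows whether one common component accounts for the events on all of them.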