stevenhohk-0245 asked

Windows Server 2019 Event Viewer shows excessive Security Event Logs (e.g. 5379, 5382, 4797, 4798, 4946, 4948)

When I log in to the Windows Server 2019, it is discovered that there are excessive Security Event Logs for:

- 5379 Credential Manager credentials were read
- 5382 Vault credentials were read
- 4797 An attempt was made to query the existence of a blank password for an account
- 4798 A user's local group membership was enumerated
- 4946 A change was made to the Windows Firewall exception list. A rule was added
- 4948 A change was made to the Windows Firewall exception list. A rule was deleted

We have several new servers with Windows Server 2019 installed, and all the servers are experiencing the same issues; in particular, event 5379 appears 20 times a minute and the other events follow.

Since the servers are new, we are sure that we did not perform the actions described in the event logs. Interestingly, for 4946 and 4798, the user name described in the log is "NULL" and "Guest". For 4797, 4798 and 5379, all the local accounts are involved, as shown in the user name field.

Checking auditpol /get /category:*, we have configured the following:

- System Integrity (Success and Failure)
- Other System Events (Success and Failure)
- Security State Change (Success)
- Logon (Success and Failure)
- Logoff (Success)
- Account Lockout (Success)
- Special Logon (Success)
- Network Policy Server (Success and Failure)
- Audit Policy Change (Success)
- Authentication Policy Change (Success)
- Computer Account Management (Success)
- Security Group Management (Success)
- User Account Management (Success)
- Directory Service Access (Success)
- Kerberos Service Ticket Operations (Success)
- Kerberos Authentication Service (Success)
- Credential Validation (Success)


What causes this abnormal activity?

What condition will trigger such event logs?

Are there any security issues with such events?

Is this a known issue with these excessive events in Windows Server 2019? I also find many people talking about similar issues in the forums.

Thanks.
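A triage script for the question above, added here as an example and not part of the original post: it pulls the six event IDs from the last hour, flattens each event's XML data, and summarises the rate per ID and the subject account and calling process behind them, so the source of the noise (a scheduled task, a management or endpoint-protection agent, or something that needs a closer look) can be identified instead of guessed. The field names used (SubjectUserName, TargetUserName, TargetName, RuleName, CallerProcessName, ClientProcessId) are assumed from the standard Security event schema for these IDs.

```powershell
# Added triage script, not from the original post. Run in an elevated PowerShell
# on the affected server. Event IDs are the ones listed in the question.
$ids     = 5379, 5382, 4797, 4798, 4946, 4948
$minutes = 60
$since   = (Get-Date).AddMinutes(-$minutes)

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Flatten each event's <EventData> into a name/value table so one loop handles every ID.
$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Object touched: account (4797/4798), credential target (5379/5382) or firewall rule (4946/4948).
    $target = @('TargetUserName', 'TargetName', 'RuleName') |
              ForEach-Object { $data[$_] } | Where-Object { $_ } | Select-Object -First 1

    # 4798 names the caller directly; 5379 only carries a PID (hex or decimal depending on
    # the provider), resolved only if that process is still running. PIDs are reused,
    # so treat the resolved path as a hint to confirm, not as proof.
    $proc = $data['CallerProcessName']
    if (-not $proc -and $data['ClientProcessId']) {
        $pidText = $data['ClientProcessId']
        $procId  = if ($pidText -like '0x*') { [Convert]::ToInt32($pidText, 16) } else { [int]$pidText }
        $p = Get-Process -Id $procId -ErrorAction SilentlyContinue
        if ($p) { $proc = $p.Path }
    }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Subject = $data['SubjectUserName']
        Target  = $target
        Process = $proc
    }
}

# 1) Rate per event ID, to confirm the "20 times a minute" figure for 5379.
$rows | Group-Object Id | ForEach-Object {
    [pscustomobject]@{ Id = $_.Name; Count = $_.Count; PerMinute = [math]::Round($_.Count / $minutes, 2) }
} | Sort-Object Count -Descending | Format-Table -AutoSize

# 2) Who and what is generating them: subject account and calling process per ID.
$rows | Group-Object Id, Subject, Process | Sort-Object Count -Descending |
    Select-Object -First 15 Count, Name | Format-Table -AutoSize
```

If the second table shows a single service account or agent binary behind nearly all of the 5379/4798 events, the volume is explained by that component's polling; a rule-add/rule-delete pair (4946/4948) repeating on a fixed interval points the same way for the firewall events.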


Have you installed any program or application on your Windows Server system?
Are you connecting it to a network or the internet?
Just for a test, try disconnecting your server from all networks, observe it, and see if the issue reproduces.


We only installed Symantec Endpoint Protection software, but I believe it is not related, because we used Windows Server 2012 before with the same antivirus software and did not have such issues. The servers are currently not connected to the internet, only to each other within our internal network.

Reza-Ameri answered

It looks like an issue in Windows Server.
Try to find a Windows 10 device, open the Feedback Hub app, select Windows Server in the form, submit all log files and explain the issue there.
Those who are facing the same issue, try to upvote the issue (if it is in the Feedback Hub) or create a new bug report.

PaulMertens-9843 answered

I'm having similar issues on Windows 10 Pro. Whenever the PC is not actively being used, lsass.exe logs an excessive amount of events, e.g. 5379, 4672, 4624, 4634.

Most are for the logged-on user, but also for other users and SYSTEM.
