Question: token leak?
We have a Windows 2003 domain with about 85 XP SP2 workstations. One of the member servers is getting thousands of Security log entries every hour from about 6 user logons. This server is a file server with internal sharepoints, a third-party, SQL Server-based database, and works as the TrendMicro central computer. We are using the default security audit settings. The security log is set for 16 MB and presently only holds the last 24-36 hours of activity. We don't want to turn off security logging. How do we track down and turn off this activity?
The Event IDs are 538, 576, and 540. We suspect some kind of Kerberos "token leak". Anyone have a clue?
Answer: token leak?
Possible solution, though it seems way off beam...
I had this problem and found that, in part, it was due to the HP Toolbox that was installed on some of the users' PCs. (Which gels with yours only coming from 6 users.)
Background: If you want to be able to get a scan from the HP multifunction directly from your desktop then you need to install the full (over)blown HP Toolbox - which includes TomCat (hpbpsttp.exe). Then, every 30 seconds TomCat runs a port resolver (hpbpro.exe) which then can add up to 28 entries in 1 second for each of the users that has the HP Toolbox installed... just brilliant :-\ Apparently the port resolver below version 1.05 is leaky and causes these sorts of issues (incl. chewing CPU, memory). The latest is version 2.0.45 but just try getting hold of it... don't even bother with hpbprofix.exe as it still installs a leaky older version of the module.
Solution: If your users only want the software installed so they can scan, then remove the TomCat entry from the Run branch of the LM registry. (Obviously you'll need to log out then back in again to stop the app after removing it from the registry.) The only thing they won't be able to do is run the HP Toolbox, which is a web interface to the printer and fax capabilities.
Notes: The HP Toolbox app (hpbpsttp.exe) may not appear in your Task Manager - it didn't on any of my client boxes. hpbpro.exe only appears for a split second every 30 seconds in Task Manager - take a screenshot when you see the flicker to confirm (on the client box).
** So now I have stopped all the extra authentications from domain users, but am still left with the problem that the SYSTEM user is logging multiple 538/540/576 entries. Aaarrgghh!
~Karen
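One way to do the tracking down the question asks about, as an added example that is not from this thread: a Python script that takes an exported Security log (in an assumed, simplified column layout, with the sample rows constructed here) and reports, per account, how many 538/540/576 events it produced and whether its 540 network logons recur on a fixed 30-second period, the signature of a scheduled client process like the HP port resolver described in the answer.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in a simplified "date time,event_id,user,computer" layout
# (an assumption; a real Event Viewer export carries more columns).
SAMPLE_LOG = r"""
2007-03-01 08:00:00,540,DOMAIN\alice,FILESRV01
2007-03-01 08:00:00,576,DOMAIN\alice,FILESRV01
2007-03-01 08:00:01,538,DOMAIN\alice,FILESRV01
2007-03-01 08:00:30,540,DOMAIN\alice,FILESRV01
2007-03-01 08:01:00,540,DOMAIN\alice,FILESRV01
2007-03-01 08:00:05,540,DOMAIN\bob,FILESRV01
2007-03-01 08:00:35,540,DOMAIN\bob,FILESRV01
2007-03-01 08:01:05,540,DOMAIN\bob,FILESRV01
2007-03-01 08:02:17,540,DOMAIN\carol,FILESRV01
"""

NOISY_EVENTS = {538, 540, 576}  # logoff, network logon, special privileges assigned

def parse(text):
    """Yield (timestamp, event_id, user) for the event IDs under investigation."""
    for line in text.strip().splitlines():
        stamp, event_id, user, _computer = line.split(",")
        if int(event_id) in NOISY_EVENTS:
            yield datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), int(event_id), user

def triage(text, period_seconds=30, tolerance=2):
    """Per account: event counts, plus whether its 540 network logons recur at a
    fixed period, which points at a scheduled client process, not a person."""
    logons, per_user = defaultdict(list), defaultdict(lambda: defaultdict(int))
    for stamp, event_id, user in parse(text):
        per_user[user][event_id] += 1
        if event_id == 540:
            logons[user].append(stamp)
    report = {}
    for user, counts in per_user.items():
        stamps = sorted(logons[user])
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        periodic = len(gaps) >= 2 and abs(median(gaps) - period_seconds) <= tolerance
        report[user] = {"total": sum(counts.values()), "by_event": dict(counts),
                        "periodic": periodic}
    return report
```

Accounts flagged `periodic` are the ones to check for the Toolbox Run entry; a single logon like carol's is ordinary use and stays unflagged.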