What does Microsoft-Windows-Security-Auditing event with NULL SID mean?

windows-server-2012 windows-event-log

6,423

Solution 1

Local SYSTEM account's are outside the security subsystem.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms684190(v=vs.85).aspx

Solution 2

In Local Context SYSTEM account is a well known SID. https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems

But if we are seeing the event on a Domain Controller, something is accessing over the network. LocalSystem Account accesses network resources in context of the machine account, so you should see the SID for the computer account in AD, not NULL. So I'm still not convinced on the explanation that it is SYSTEM account. Does it imply anonymous logon is enabled for the domain?

6,423

Warren P

I'm both a Windows and Linux systems administrator and software developer. Mostly a software developer. But I end up doing way more IT than most developers do.

Updated on September 18, 2022

Comments

Warren P over 1 year
On a Windows Server 2012 machine, in Event Viewer, there was some unusual behaviour on a system, a service was stopping and I was unsure if it "stopped itself" or was forced to stop by a user action. So I went to Windows logs | Security area in eventvwr.msc and I see no logons of any ordinary users, but I do see a pattern repeating of the following kind:
```
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Task Category: Logon
Level:         Information
Keywords:      Audit Success
User:          N/A
Description:   An account was successfully logged on.
Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0
Logon Type:         3
Impersonation Level:        Impersonation

New Logon:
    Security ID:        SYSTEM
    Logon GUID:     {a7...}
LogonProcessName: Kerberos
```
I am assuming that this means that a service is bootstrapping into the SYSTEM context, and that the NULL SID referenced in the event log is only the initial state of some unauthenticated System or Kernel or Service code. Is my interpretation correct or is this something else?

From the logon process name, I assume this is the Microsoft Kerberos service.
Warren P almost 9 years

I think I already knew that. I was wondering what the significance of a Null SID is. Is a Null SID uniquely identifying that LocalSystem is the service account context or does it have a different meaning? LocalSystem has a specific SID that is NOT NULL, doesn't it?
Colyn1337 almost 9 years

SID's are used by the security system to identify accounts. So that means any account outside the security subsystem wouldn't have need of a SID when working with local resources. There's no need for it to request a Token from an authentication source.
Colyn1337 almost 9 years

Because a security event was triggered.
Lucky Luke almost 9 years

i don't think that's accurate, the LocalSystem account does have a SID, and it's S-1-5-18 (support.microsoft.com/en-us/kb/243330). You didn't mention what event id the event is?
Colyn1337 almost 9 years

The SID is used in authentication to network resources. As we're dealing with a local instance of system, there's no need to use the SID.