What does Microsoft-Windows-Security-Auditing event with NULL SID mean?
Solution 1
Local SYSTEM account's are outside the security subsystem.
https://msdn.microsoft.com/en-us/library/windows/desktop/ms684190(v=vs.85).aspx
Solution 2
In Local Context SYSTEM account is a well known SID. https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems
But if we are seeing the event on a Domain Controller, something is accessing over the network. LocalSystem Account accesses network resources in context of the machine account, so you should see the SID for the computer account in AD, not NULL. So I'm still not convinced on the explanation that it is SYSTEM account. Does it imply anonymous logon is enabled for the domain?
Related videos on Youtube
Warren P
I'm both a Windows and Linux systems administrator and software developer. Mostly a software developer. But I end up doing way more IT than most developers do.
Updated on September 18, 2022Comments
-
Warren P over 1 year
On a Windows Server 2012 machine, in Event Viewer, there was some unusual behaviour on a system, a service was stopping and I was unsure if it "stopped itself" or was forced to stop by a user action. So I went to
Windows logs | Security
area ineventvwr.msc
and I see no logons of any ordinary users, but I do see a pattern repeating of the following kind:Log Name: Security Source: Microsoft-Windows-Security-Auditing Task Category: Logon Level: Information Keywords: Audit Success User: N/A Description: An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Impersonation Level: Impersonation New Logon: Security ID: SYSTEM Logon GUID: {a7...} LogonProcessName: Kerberos
I am assuming that this means that a service is bootstrapping into the SYSTEM context, and that the NULL SID referenced in the event log is only the initial state of some unauthenticated System or Kernel or Service code. Is my interpretation correct or is this something else?
From the logon process name, I assume this is the Microsoft Kerberos service.
-
Warren P almost 9 yearsI think I already knew that. I was wondering what the significance of a Null SID is. Is a Null SID uniquely identifying that LocalSystem is the service account context or does it have a different meaning? LocalSystem has a specific SID that is NOT NULL, doesn't it?
-
Colyn1337 almost 9 yearsSID's are used by the security system to identify accounts. So that means any account outside the security subsystem wouldn't have need of a SID when working with local resources. There's no need for it to request a Token from an authentication source.
-
Colyn1337 almost 9 yearsBecause a security event was triggered.
-
Lucky Luke almost 9 yearsi don't think that's accurate, the LocalSystem account does have a SID, and it's S-1-5-18 (support.microsoft.com/en-us/kb/243330). You didn't mention what event id the event is?
-
Colyn1337 almost 9 yearsThe SID is used in authentication to network resources. As we're dealing with a local instance of system, there's no need to use the SID.