I have a domain controller installed in my home office: 1 domain controller, 1 PC, 1 user.
I'm running Microsoft Server 2019.
When I look in the Security Event log, I see thousands of Logon (Event ID 4624), Logoff (Event ID 4634) and Special Logon (Event ID 4672) events - hundreds per hour being generated.
A sample logon event (Event ID 4624):
Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0
Logon Information:
    Logon Type: 3
    Restricted Admin Mode: -
    Virtual Account: No
    Elevated Token: Yes
    Impersonation Level: Delegation
New Logon:
    Security ID: SYSTEM
    Account Name: DC$
    Account Domain: ACME.LTD
    Logon ID: 0x234F28
    Linked Logon ID: 0x0
    Network Account Name: -
    Network Account Domain: -
I've researched these online and found conflicting advice, including suggestions that the server is compromised, that the network is compromised, that this is from workstations accessing the server, and that these are the server authenticating against itself.
The latter is why, on a hunch, I cleared the logs and disconnected the server from the network - these events carried on being generated.
Frustratingly, with all this noise I have no way of spotting actual suspicious errors.
Any help would be appreciated!!
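
One way to get a view through the volume described above, as an added example that is not part of the original post: parse the rendered 4624 text and count events by New Logon account and Logon Type, so computer-account logons (names ending in $) can be set aside and the remainder reviewed. The events in SAMPLE_EVENTS are constructed, the user jsmith is hypothetical, and the function names are this example's own.

```python
from collections import Counter

# Section headers of a rendered 4624 message.
SECTIONS = {"Subject", "Logon Information", "New Logon", "Process Information",
            "Network Information", "Detailed Authentication Information"}

# Constructed sample: the first event mirrors fields shown in the post; the
# second (user "jsmith", Logon Type 2) is invented for contrast.
MACHINE = ("Subject:\nAccount Name: -\nLogon Information:\nLogon Type: 3\n"
           "New Logon:\nSecurity ID: SYSTEM\nAccount Name: DC$\n"
           "Account Domain: ACME.LTD\n")
USER = ("Subject:\nAccount Name: DC$\nLogon Information:\nLogon Type: 2\n"
        "New Logon:\nAccount Name: jsmith\nAccount Domain: ACME\n")
SAMPLE_EVENTS = [MACHINE, MACHINE, MACHINE, USER]

def parse_4624(text):
    """Split a rendered 4624 message into {section: {field: value}}."""
    sections, current = {}, None
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        if key in SECTIONS and not value.strip():
            current = sections.setdefault(key, {})   # header such as "Subject:"
        elif current is not None:
            current[key] = value.strip()             # field inside that section
    return sections

def summarize(events):
    """Count events by (New Logon account, Logon Type, is computer account)."""
    counts = Counter()
    for text in events:
        ev = parse_4624(text)
        # "Account Name" appears under both Subject and New Logon; the account
        # that actually logged on is the one under New Logon.
        account = ev.get("New Logon", {}).get("Account Name", "?")
        logon_type = ev.get("Logon Information", {}).get("Logon Type", "?")
        counts[(account, logon_type, account.endswith("$"))] += 1
    return counts

def non_machine(counts):
    """Buckets whose account is not a computer account (unparsed ones stay in)."""
    return {k: v for k, v in counts.items() if not k[2]}

if __name__ == "__main__":
    totals = summarize(SAMPLE_EVENTS)
    for bucket, n in totals.most_common():
        print(n, bucket)
    print("left to review:", non_machine(totals))
```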