Whenever I reboot my Windows 2000 server, it logs numerous events, including event ID 514 (An authentication package has been loaded by the Local Security Authority), event ID 515 (A trusted logon process has registered with the Local Security Authority), and event ID 518 (A notification package has been loaded by the Security Account Manager). What are these events, and are they significant?
Win2K's security subsystem is designed modularly to support alternate logon, authentication, and password-change methods. For example, Win2K lets you authenticate through NT LAN Manager (NTLM) or Kerberos. Therefore, Win2K loads two authentication package DLLs whenever a Win2K computer boots. The details of event ID 514 specify which DLL Win2K loaded.
The NTLM authentication package is \winnt\system32\msv1_0.dll, and the Kerberos authentication package is \winnt\system32\kerberos.dll. (Note that these events might supply an erroneous drive letter.) Win2K uses many different logon processes to support RAS connections, network logons, and interactive logons at the console—each of which triggers event ID 515. Win2K also supports notification-package DLLs that let you plug in functionality that the OS invokes whenever users change their passwords. You can use notification packages to synchronize passwords on other applications or OSs or to implement additional restrictions on password content. These events aren't significant for monitoring the Security log day to day because they represent ordinary activity associated with a system start.
Event ID 518 could indicate a sophisticated attack. An intruder could code a rogue logon process, authentication package, or notification package to intercept and redirect user passwords or accept rogue logon requests. However, such an attack is improbable because such an intruder would need a high level of expertise and significant prior authority to install a rogue package. The most probable attack would involve an intruder writing a rogue notification package to intercept password changes and send them to the attacker. Notification packages are the easiest to write because they require only two function calls. An extremely high-security site might document legitimate logon processes, authentication packages, and notification packages to verify that only those processes and events are loaded each time the system boots. However, site administrators would also need to verify that a rogue file hadn't been substituted for a legitimate file.
