On a Windows Server 2012 machine there was some unusual behaviour: a service was stopping, and I was unsure if it "stopped itself" or was forced to stop by a user action. So I went to the Windows Logs | Security area in eventvwr.msc, and I see no logons of any ordinary users, but I do see a pattern repeating of the following kind:
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Description:   An account was successfully logged on.

    Subject:
        Security ID:    NULL SID
        Account Name:   -
        Account Domain: -
        Logon ID:       0x0

    Logon Type:          3
    Impersonation Level: Impersonation

    New Logon:
        Security ID:      SYSTEM
        Logon GUID:       {a7...}
        LogonProcessName: Kerberos
I am assuming that this means that a service is bootstrapping into the SYSTEM context, and that the NULL SID referenced in the event log is only the initial state of some unauthenticated System or Kernel or Service code. Is my interpretation correct or is this something else?
From the logon process name, I assume this is the Microsoft Kerberos service.
In the local context, the SYSTEM account is a well-known SID: https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems
But if we are seeing the event on a Domain Controller, something is accessing it over the network. The LocalSystem account accesses network resources in the context of the machine account, so you should see the SID for the computer account in AD, not NULL. So I'm still not convinced by the explanation that it is the SYSTEM account. Does it imply anonymous logon is enabled for the domain?
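To check which of the cases above actually applies (local SYSTEM, a computer account coming in over the network, or ANONYMOUS LOGON), the following PowerShell summarises the 4624 events on the server in question by the fields that distinguish them. This is an added example, not code from the question or the answers; it assumes it is run in an elevated session on the server whose Security log is being examined, and the 24-hour window is an arbitrary choice.

```powershell
# Added example: classify recent 4624 logons so a NULL SID / SYSTEM / Kerberos
# pattern can be attributed to a source. Assumes an elevated session on the
# server being investigated; the time window is an assumption.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction Stop

$rows = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # Well-known SIDs: S-1-5-18 = Local SYSTEM, S-1-5-7 = ANONYMOUS LOGON;
    # computer accounts end in '$'
    $class = switch ($d.TargetUserSid) {
        'S-1-5-18' { 'Local SYSTEM' }
        'S-1-5-7'  { 'ANONYMOUS LOGON' }
        default    { if ($d.TargetUserName -like '*$') { 'Machine account' } else { 'User/service account' } }
    }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        SubjectSid  = $d.SubjectUserSid
        TargetSid   = $d.TargetUserSid
        TargetName  = "$($d.TargetDomainName)\$($d.TargetUserName)"
        Class       = $class
        LogonType   = $d.LogonType
        LogonProc   = "$($d.LogonProcessName)".Trim()   # field is often padded with spaces
        AuthPkg     = $d.AuthenticationPackageName
        Source      = $d.IpAddress
        Workstation = $d.WorkstationName
    }
}

# Who is producing the type-3 (network) logons, via which logon process, and from where?
$rows | Where-Object { $_.LogonType -eq '3' } |
    Group-Object Class, TargetName, LogonProc, Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Any anonymous network logons, with their origin, are worth a closer look
$rows | Where-Object { $_.Class -eq 'ANONYMOUS LOGON' } |
    Format-Table Time, Source, Workstation, AuthPkg -AutoSize
```

A subject of NULL SID with a New Logon of a computer account (DOMAIN\HOST$) from a remote IpAddress points at the machine-account case the answer describes; a New Logon SID of S-1-5-7 is the anonymous case.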
Local SYSTEM accounts are outside the security subsystem.
https://msdn.microsoft.com/en-us/library/windows/desktop/ms684190(v=vs.85).aspx