Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 599 Source: Security

Source
Description
Unprotection of auditable protected data.
Data Description: <data description>
Key Identifier: 46f0e4e0-0056-4dcf-8f48-04c53e1a698d
Protected Data Flags: 0x0
Protection Algorithms: 3DES-168 , SHA1-160
Failure Reason: <failure code>
Comments
 
This event may occur when you install SEP 11.x on Microsoft Server with Domain Controller. They solution from Symantec is:

1. Go to Start -> Programs -> Administrative Tools -> Local Security Policy.
2. Expand Local Policies.
3. Open Audit Policy.
4. In the right pane, open "Audit Process Tracking"
5. Uncheck "Failure" then click "Apply”.

See the link to “Symantec Support Document ID: 2008070209482648” for details on this issue.
As per Microsoft: "A program used the CryptUnprotectData function to read data encrypted by Data Protection API (DPAPI). The name of the encrypted data is provided in the event message, but because this name is determined by the program that originally created the encrypted data, it might not be recognizable. This event is logged for informational purposes only". See MSW2KDB for more details.
Failure code 0x8009000B, Data Description: pws or Data Description: Export Flag:
From a newsgroup post: "The problem seems to be related to Protected Storage and password, OS security feature. Have you performed an administrative password reset or change password?
On Windows XP, Protected Storage uses the user's password exclusively to encrypt user data, such as RSA private keys for current user key container. Whenever the user password is changed, Protected Storage subsystem is automatically notified of this event, and is supplied with both the old and new passwords. This allows Protected Storage to decrypt all of its master keys with the old password, and re-encrypt them using the new password.
Prior to Windows XP, a machine secret was used by Protected Storage to encrypt the master RSA keys rather than the user password exclusively. Using a machine secret made Protected Storage more robust, but the user data could be accessed by anyone with local administrative access to the
machine.
If you use the standard change password mechanism by entering the old and new passwords, everything will work fine. If you performed an administrative password reset, the old password is not available, and so access to the master keys is lost. This is by design in Windows XP. In this
scenario, CryptAcquireContext() API will fail with NTE_BAD_KEYSET (80090016), even if the key container already exists and the caller has permissions to open the key container."
Failure code 0x2 - no info
Failure code 0x8009000B, Data Description: Enterprise Credential Set - no info

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net.

Read more...

 

Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.

Read more...