"Change Password Attempts" in W2K Security Log.

Hello everybody,

I'm running W2KPro SP4 on a standalone stantion for internet access and testing/learning purposes; and I recently installed MBSA (Microsoft Baseline Security Analyzer v1.1.1) and ran a full scan, and had to download some missing hotfixes.
Anyways, few days later I was going through my Security Logs and found tens of password-failure attempts, a typical example is:
--------------------------------------------------------------------
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Management
Event ID:                   627
Date:            24/10/2003
Time:            02:08:16 AM
User:            MyMachine\XZZ
Computer:                 MyMachine
Description:
Change Password Attempt:
       Target Account Name: Administrator
       Target Domain:      MyMachine
       Target Account ID:      MyMachine\Administrator
       Caller User Name:      XZZ
       Caller Domain:      MyMachine
       Caller Logon ID:      (0x0,0xC991)
       Privileges:      -
--------------------------------------------------------------------
Whats intresting is that I'm not using the default "Administrator" name for the real admin user, yet most of the attempts were made to the real admin account (XZZ, in my example).
Could it be a hacking activity, or simply the MBSA software I installed was doing some routine checks?

Thanks,
xzz_at_operamailAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

juliancrawfordCommented:
Even though you have changed the administrator username its not hard for someone who knows what they are doing to walk through the SIDs to obtain the correct administrator username - so I would not rule out external hacker activity.

However, that put aside I would say that it is most likely a result of the MBSA.
I presume that the date on these events are the same as when you ran your MBSA.
And I would expect to see an IP address recorded if it was an external intrusion attempt.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/mbsawp.asp
Note: This check may produce event log entries in the Security log if auditing is enabled on the machine.

Microsoft does advise that running MBSA will produce log events.

:)
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
xzz_at_operamailAuthor Commented:
Thanks juliancrawford.
Apparently it was caused by MBSA as I first suspected. and thanks once more for pointing out the SIDs issue, I didn't know of that before.

xzz
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.