[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 466
  • Last Modified:

"Change Password Attempts" in W2K Security Log.

Hello everybody,

I'm running W2KPro SP4 on a standalone stantion for internet access and testing/learning purposes; and I recently installed MBSA (Microsoft Baseline Security Analyzer v1.1.1) and ran a full scan, and had to download some missing hotfixes.
Anyways, few days later I was going through my Security Logs and found tens of password-failure attempts, a typical example is:
--------------------------------------------------------------------
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Management
Event ID:                   627
Date:            24/10/2003
Time:            02:08:16 AM
User:            MyMachine\XZZ
Computer:                 MyMachine
Description:
Change Password Attempt:
       Target Account Name: Administrator
       Target Domain:      MyMachine
       Target Account ID:      MyMachine\Administrator
       Caller User Name:      XZZ
       Caller Domain:      MyMachine
       Caller Logon ID:      (0x0,0xC991)
       Privileges:      -
--------------------------------------------------------------------
Whats intresting is that I'm not using the default "Administrator" name for the real admin user, yet most of the attempts were made to the real admin account (XZZ, in my example).
Could it be a hacking activity, or simply the MBSA software I installed was doing some routine checks?

Thanks,
0
xzz_at_operamail
Asked:
xzz_at_operamail
1 Solution
 
juliancrawfordCommented:
Even though you have changed the administrator username its not hard for someone who knows what they are doing to walk through the SIDs to obtain the correct administrator username - so I would not rule out external hacker activity.

However, that put aside I would say that it is most likely a result of the MBSA.
I presume that the date on these events are the same as when you ran your MBSA.
And I would expect to see an IP address recorded if it was an external intrusion attempt.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/mbsawp.asp
Note: This check may produce event log entries in the Security log if auditing is enabled on the machine.

Microsoft does advise that running MBSA will produce log events.

:)
0
 
xzz_at_operamailAuthor Commented:
Thanks juliancrawford.
Apparently it was caused by MBSA as I first suspected. and thanks once more for pointing out the SIDs issue, I didn't know of that before.

xzz
0

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now