Solved

"Change Password Attempts" in W2K Security Log.

Posted on 2003-10-27
Last Modified: 2013-12-04
Hello everybody,

I'm running W2KPro SP4 on a standalone station for internet access and testing/learning purposes; and I recently installed MBSA (Microsoft Baseline Security Analyzer v1.1.1) and ran a full scan, and had to download some missing hotfixes.
Anyway, a few days later I was going through my Security Logs and found tens of password-failure attempts; a typical example is:
--------------------------------------------------------------------
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Management
Event ID:                   627
Date:            24/10/2003
Time:            02:08:16 AM
User:            MyMachine\XZZ
Computer:                 MyMachine
Description:
Change Password Attempt:
       Target Account Name: Administrator
       Target Domain:      MyMachine
       Target Account ID:      MyMachine\Administrator
       Caller User Name:      XZZ
       Caller Domain:      MyMachine
       Caller Logon ID:      (0x0,0xC991)
       Privileges:      -
--------------------------------------------------------------------
What's interesting is that I'm not using the default "Administrator" name for the real admin user, yet most of the attempts were made to the real admin account (XZZ, in my example).
Could it be a hacking activity, or simply the MBSA software I installed was doing some routine checks?

Thanks,
Question by:xzz_at_operamail
2 Comments
 
LVL 5

Accepted Solution

by:
juliancrawford earned 125 total points
ID: 9631867
Even though you have changed the administrator username, it's not hard for someone who knows what they are doing to walk through the SIDs to obtain the correct administrator username - so I would not rule out external hacker activity.

However, that put aside, I would say that it is most likely a result of the MBSA.
I presume that the date on these events is the same as when you ran your MBSA.
And I would expect to see an IP address recorded if it was an external intrusion attempt.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/mbsawp.asp
Note: This check may produce event log entries in the Security log if auditing is enabled on the machine.

Microsoft does advise that running MBSA will produce log events.

:)
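A way to apply the date check from the answer above to an exported Security log, as an added example that is not part of the original posts or of MBSA: it parses Event ID 627 records in the layout quoted in the question and separates those that fall inside a known scan window with a local caller from those worth a closer look. The sample records, the scan window and the verdict labels are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample records, using the field layout of the event in the question.
SAMPLE = """\
Event ID:        627
Date:            24/10/2003
Time:            02:08:16 AM
Computer:        MyMachine
       Target Account Name: Administrator
       Caller User Name:      XZZ
       Caller Domain:      MyMachine
--------------------------------------------------------------------
Event ID:        627
Date:            26/10/2003
Time:            11:41:02 PM
Computer:        MyMachine
       Target Account Name: XZZ
       Caller User Name:      XZZ
       Caller Domain:      MyMachine
"""

def parse_events(text):
    """Split on dashed separator lines; return one field dict per 627 record."""
    events = []
    for block in re.split(r"^-{4,}\s*$", text, flags=re.M):
        fields = dict(re.findall(
            r"^\s*([A-Za-z ]+?):[ \t]+(\S.*?)\s*$", block, flags=re.M))
        if fields.get("Event ID") == "627":
            fields["when"] = datetime.strptime(
                fields["Date"] + " " + fields["Time"], "%d/%m/%Y %I:%M:%S %p")
            events.append(fields)
    return events

def triage(events, scan_start, scan_end):
    """Return (time, target account, verdict) for each event."""
    # Assumption: the operator knows when the scanner ran on this machine.
    out = []
    for e in events:
        in_window = scan_start <= e["when"] <= scan_end
        local = e.get("Caller Domain", "").lower() == e.get("Computer", "").lower()
        verdict = "likely-scan" if in_window and local else "investigate"
        out.append((e["when"], e["Target Account Name"], verdict))
    return out
```
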
 

Author Comment

by:xzz_at_operamail
ID: 9637681
Thanks juliancrawford.
Apparently it was caused by MBSA as I first suspected. And thanks once more for pointing out the SIDs issue, I didn't know of that before.

xzz
