xzz_at_operamail

"Change Password Attempts" in W2K Security Log.

Hello everybody,

I'm running W2KPro SP4 on a standalone station for internet access and testing/learning purposes; I recently installed MBSA (Microsoft Baseline Security Analyzer v1.1.1), ran a full scan, and had to download some missing hotfixes.
Anyway, a few days later I was going through my Security Logs and found tens of password-failure attempts; a typical example is:
--------------------------------------------------------------------
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Management
Event ID:                   627
Date:            24/10/2003
Time:            02:08:16 AM
User:            MyMachine\XZZ
Computer:                 MyMachine
Description:
Change Password Attempt:
       Target Account Name: Administrator
       Target Domain:      MyMachine
       Target Account ID:      MyMachine\Administrator
       Caller User Name:      XZZ
       Caller Domain:      MyMachine
       Caller Logon ID:      (0x0,0xC991)
       Privileges:      -
--------------------------------------------------------------------
What's interesting is that I'm not using the default "Administrator" name for the real admin user, yet most of the attempts were made to the real admin account (XZZ, in my example).
Could it be a hacking activity, or simply the MBSA software I installed was doing some routine checks?

Thanks,
ASKER CERTIFIED SOLUTION
juliancrawford

This solution is only available to members.
xzz_at_operamail

ASKER

Thanks juliancrawford.
Apparently it was caused by MBSA as I first suspected. And thanks once more for pointing out the SIDs issue; I didn't know of that before.

xzz