Event ID 642, 627, 644, 671 back-to-back-to-back on local accounts once a week

Posted on 2008-11-10
Last Modified: 2013-12-04

Once a week, usually on the weekend around midnight or so, I have a Windows 2003 server that logs the following events back-to-back-to-back (within a span of about 1 minute).

642 (Success) - User Account Changed
627 (Failure) - Change Password Attempt
644 (Success) - User Account Locked Out
671 (Success) - User Account Unlocked

The events happen for each local account including Administrator, Guest, IWAM_, IUSR_, SUPPORT_, ASPNET, etc. successively.

I've checked for any scheduled tasks or other processes that might be firing off and causing this, but can't find any correlation.  It doesn't happen at the same time every time.  It usually happens over the weekend, but not always.

Any ideas?

Question by: seekoswm

Accepted Solution

by: seekoswm
ID: 22925823

Well, after much research today, I've been able to track it down to a Microsoft Baseline Security Analyzer (MBSA) v1.2 scan that appears to be running.  I'm not sure why it is running at random intervals, but I ran it manually and got the same series of events I've been getting on the weekends.

I found the following event in the Application log (around the time of the previous failures) which tipped me off:

Event Type:      Information
Event Source:      MBSA
Event Category:      None
Event ID:      1
Date:            11/9/2008
Time:            12:30:51 AM
User:            NT AUTHORITY\SYSTEM
Computer:      SERVER1
Description:
Security analysis complete.
Scanned from 192.168.0.10.
Microsoft Baseline Security Analyzer version 1.2.3316.1.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
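
The correlation described in the accepted solution can be scripted. This is an added example, not part of the original post: it groups the four Security event IDs into bursts and checks whether an MBSA Event ID 1 was logged in the Application log close to each one. The pipe-delimited export layout, the sample rows (including the second, unexplained burst) and the 2-minute and 5-minute windows are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

SEQ = {642, 627, 644, 671}    # Security event IDs listed in the question
FMT = "%m/%d/%Y %I:%M:%S %p"  # date/time layout of the MBSA event above
# Constructed sample export (not real log data): log|time|source|id|account|text
SAMPLE = """\
Security|11/9/2008 12:30:02 AM|Security|642|Administrator|User Account Changed
Security|11/9/2008 12:30:03 AM|Security|627|Administrator|Change Password Attempt
Security|11/9/2008 12:30:03 AM|Security|644|Administrator|User Account Locked Out
Security|11/9/2008 12:30:04 AM|Security|671|Administrator|User Account Unlocked
Security|11/9/2008 12:30:10 AM|Security|642|Guest|User Account Changed
Security|11/9/2008 12:30:11 AM|Security|627|Guest|Change Password Attempt
Security|11/9/2008 12:30:11 AM|Security|644|Guest|User Account Locked Out
Security|11/9/2008 12:30:12 AM|Security|671|Guest|User Account Unlocked
Application|11/9/2008 12:30:51 AM|MBSA|1|-|Security analysis complete. Scanned from 192.168.0.10.
Security|11/12/2008 3:15:40 PM|Security|627|Administrator|Change Password Attempt
Security|11/12/2008 3:15:41 PM|Security|644|Administrator|User Account Locked Out
"""

def parse(text):
    rows = []
    for line in text.strip().splitlines():
        log, ts, src, eid, acct, desc = line.split("|", 5)
        rows.append((log, datetime.strptime(ts, FMT), src, int(eid), acct, desc))
    return rows

def bursts(rows, gap=timedelta(minutes=2)):
    """Group the four Security event IDs into bursts separated by more than gap."""
    out = []
    for r in sorted((r for r in rows if r[0] == "Security" and r[3] in SEQ), key=lambda r: r[1]):
        if out and r[1] - out[-1][-1][1] <= gap:
            out[-1].append(r)
        else:
            out.append([r])
    return out

def explain(rows, window=timedelta(minutes=5)):
    """Pair each burst with an MBSA 'analysis complete' event logged near it."""
    scans = [r for r in rows if r[0] == "Application" and r[2] == "MBSA" and r[3] == 1]
    report = []
    for b in bursts(rows):
        ids = {a: {r[3] for r in b if r[4] == a} for a in {r[4] for r in b}}
        hit = next((s for s in scans if b[0][1] - window <= s[1] <= b[-1][1] + window), None)
        m = re.search(r"Scanned from (\d+(?:\.\d+){3})", hit[5]) if hit else None
        report.append({"start": b[0][1], "accounts": sorted(ids), "mbsa_source": m.group(1) if m else None,
                       "full_sequence": all(v == SEQ for v in ids.values())})
    return report
```

A burst whose `mbsa_source` is `None` has no scanner event nearby and is the one worth investigating as a possible real lockout or password-guessing attempt.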