kbtechnical
asked on
Administrator Password changed without admin knowledge. 2003 server question on event log
Hi all,
Had an administrator call me to say that his administrator password had been changed. He assumed that it was changed because the regular password did not work. He logged in as the backup admin account and changed it back to what it was and all was well. The same thing happened again this morning. I cannot see any damage, misc files or weird folders. It might be corruption but I can't see just one account being corrupted. He says that a few people have the admin password. My gut feeling is to have him change the admin password and not give it out.
But I want to see if it was changed and by whom. I see the following event IDs in the security log and I'm a little confused.
I see this ID 642 at 9/12/2010 7:03:32 AM:
User Account Changed:
Target Account Name: Administrator
Target Domain: xxx
Target Account ID: xxx\administrator
Caller User Name: xxxSERVER$
Caller Domain: xxx
Caller Logon ID: (0x0,0x3E7)
Privileges: -
Changed Attributes:
Sam Account Name: -
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: 9/12/2010 7:03:32 AM
This seems to indicate that a system process changed the password?
This is different from the following 642 entry, where he changed the password back:
User Account Changed:
Target Account Name: Administrator
Target Domain: xxx
Target Account ID: xxx\administrator
Caller User Name: administrator
Caller Domain: xxx
Caller Logon ID: (0x0,0x28B276A)
Privileges: -
Changed Attributes:
Sam Account Name: -
Display Name: -
User Principal Name: -
Home Directory: -
Home Drive: -
Script Path: -
Profile Path: -
User Workstations: -
Password Last Set: 9/13/2010 10:20:41 AM
In this entry it says that administrator changed the administrator password, but he used another login name with admin privileges. I was expecting the actual login name in the event ID.
If there is unauthorized access going on I would like to nip it in the bud. If it's just a question of an employee changing it (either my mistake or on purpose) I would like to have them reset it to a different password altogether.
I would like some opinions from more experienced security people about what these logs seem to suggest. Google is not really turning up anything.
Thanks, all.
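An added example, not part of the original question or of any answer on this thread: a small Python script that parses 642 "User Account Changed" entries pasted out of Event Viewer, keeps only those where Password Last Set carries a date (the other attributes show "-" when untouched, so a date means the password was actually changed in that event), and labels the caller the way a reviewer reads these fields. The sample text is the two events quoted above trimmed to the fields the check uses; the classification labels are my own, and 0x3E7 is the well-known logon ID of the LocalSystem session.

```python
import re

# Constructed sample: the two event 642 bodies quoted in the question, trimmed
# to the fields this check uses, as copied out of Event Viewer (not a live export).
SAMPLE_LOG = """\
User Account Changed:
Target Account Name: Administrator
Caller User Name: xxxSERVER$
Caller Logon ID: (0x0,0x3E7)
Password Last Set: 9/12/2010 7:03:32 AM

User Account Changed:
Target Account Name: Administrator
Caller User Name: administrator
Caller Logon ID: (0x0,0x28B276A)
Password Last Set: 9/13/2010 10:20:41 AM
"""

FIELD_RE = re.compile(r"^([A-Za-z ]+):\s*(.*)$")
SYSTEM_LOGON_ID = "(0x0,0x3E7)"  # well-known logon ID of the LocalSystem session

def parse_events(text):
    # One dict of field -> value per event; pasted events are separated by blank lines.
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                fields[m.group(1)] = m.group(2)
        if fields:
            events.append(fields)
    return events

def password_was_set(event):
    # 642 shows '-' for attributes it did not touch; a date means the password changed here.
    return event.get("Password Last Set", "-") != "-"

def classify_caller(event):
    caller = event.get("Caller User Name", "")
    target = event.get("Target Account Name", "")
    if caller.endswith("$") and event.get("Caller Logon ID") == SYSTEM_LOGON_ID:
        # Machine account under the SYSTEM session: a LocalSystem process on the server did it.
        return "local-system-process"
    if caller.lower() == target.lower():
        # The account changed its own password; the log cannot say which person held it.
        return "self-change-by-shared-account"
    return "change-by-" + caller

def review(text):
    return [(e["Password Last Set"], e["Caller User Name"], classify_caller(e))
            for e in parse_events(text) if password_was_set(e)]
```

Run `review(SAMPLE_LOG)` to get one (time, caller, label) tuple per password change; on a real paste from the Security log the same call shows at a glance which resets came from a process running as SYSTEM and which from a logged-on account.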
It was probably done while logged in as that user, so you wouldn't have any way to know what person actually did the changing.
ASKER
Agreed. I will be using this incident to tighten things up. I was curious as to the different caller user names.
The caller username with the server name in it usually means the user locked themselves out. That could have been what actually happened.
ASKER
I looked at their account lockout policy. It is set to Zero so it should never lock out.
Also scan for malware. Some malware targets system admin passwords and changes them for a trojan to allow system administrator privileges as well as a back door...
ASKER
They do have Norton Corporate with up-to-date defs, but it would not hurt to download Kaspersky or something like that for a free trial.
Their password is 9 characters long: 3 capital letters, 1 numeral and the rest lower case.
Did a quick scan with Malwarebytes and it was clean. I'm kind of limited in what I can do during the day as it's a production server.