Administrator Password changed without admin knowledge.  2003 server question on event log

Posted on 2010-09-13
Last Modified: 2012-05-10
Hi all,

Had an administrator call me to say that his administrator password had been changed.  He assumed that it was changed because the regular password did not work.  He logged in as the backup admin account and changed it back to what it was and all was well.  The same thing happened again this morning.  I cannot see any damage, misc files or weird folders.  It might be corruption but I can't see just one account being corrupted.  He says that a few people have the admin password.  My gut feeling is to have him change the admin password and not give it out.

But I want to see if it was changed and by whom.  I see the following event IDs in the security log and I'm a little confused.

I see this ID 642 at 9/12/2010 7:03:32 AM

User Account Changed:
       Target Account Name:      Administrator
       Target Domain:      xxx
       Target Account ID:      xxx\administrator
       Caller User Name:      xxxSERVER$
       Caller Domain:      xxx
       Caller Logon ID:      (0x0,0x3E7)
       Privileges:      -
 Changed Attributes:
       Sam Account Name:      -
       Display Name:      <value not set>
       User Principal Name:      -
       Home Directory:      <value not set>
       Home Drive:      <value not set>
       Script Path:      <value not set>
       Profile Path:      <value not set>
       User Workstations:      <value not set>
       Password Last Set:      9/12/2010 7:03:32 AM

this seems to indicate that a system process changed the password?

This is different from the following 642 entry, where he changed the password back:

User Account Changed:
       Target Account Name:      Administrator
       Target Domain:      xxx
       Target Account ID:      xxx\administrator
       Caller User Name:      administrator
       Caller Domain:      xxx
       Caller Logon ID:      (0x0,0x28B276A)
       Privileges:      -
 Changed Attributes:
       Sam Account Name:      -
       Display Name:      -
       User Principal Name:      -
       Home Directory:      -
       Home Drive:      -
       Script Path:      -
       Profile Path:      -
       User Workstations:      -
       Password Last Set:      9/13/2010 10:20:41 AM

In this entry it says that administrator changed the administrator password, but he used another login name with admin privileges.  I was expecting the actual login name in the event ID.


If there is unauthorized access going on I would like to nip it in the bud.  If it's just a question of an employee changing it (either my mistake or on purpose) I would like to have them reset it to a different password altogether.  


I would like some opinions from more experienced security people about what these logs seem to suggest.  Google is not really turning up anything.

thanks all
Question by: kbtechnical
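As an added example (not code from the question or any of the answers), here is a small Python script that parses the two 642 entries quoted above and tells a caller running in the LocalSystem session apart from a logged-on user: the Caller Logon ID (0x0,0x3E7) is the well-known LocalSystem logon session, and a caller name ending in "$" is a machine account. The sample text is constructed from the entries in the question, keeping the "xxx" placeholders.

```python
import re

# Two Security-log 642 entries constructed from the question above
# (trimmed to the fields this script reads; "xxx" stays as the placeholder).
SAMPLE_EVENTS = """\
User Account Changed:
       Target Account Name:      Administrator
       Caller User Name:      xxxSERVER$
       Caller Logon ID:      (0x0,0x3E7)
 Changed Attributes:
       Password Last Set:      9/12/2010 7:03:32 AM

User Account Changed:
       Target Account Name:      Administrator
       Caller User Name:      administrator
       Caller Logon ID:      (0x0,0x28B276A)
 Changed Attributes:
       Password Last Set:      9/13/2010 10:20:41 AM
"""

# Well-known logon session of the LocalSystem account (0x3E7 = 999).
SYSTEM_LOGON_ID = 0x3E7
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s+(.*)$")

def parse_642_events(text):
    """Split a pasted Security log into one dict of fields per 642 entry."""
    events, current = [], None
    for line in text.splitlines():
        if line.startswith("User Account Changed"):
            current = {}
            events.append(current)
            continue
        m = FIELD_RE.match(line)
        if current is not None and m:
            current[m.group(1).strip()] = m.group(2).strip()
    return events

def classify_caller(event):
    """Return "system" for a LocalSystem/machine-account caller, else "user"."""
    logon_id = int(event["Caller Logon ID"].split(",")[1].rstrip(")"), 16)
    if logon_id == SYSTEM_LOGON_ID or event["Caller User Name"].endswith("$"):
        return "system"  # a service, scheduled task or other process on the box
    return "user"        # the account that was logged on, not necessarily the person

def triage(text):
    """(Password Last Set, caller, class) for every entry that set a password."""
    return [(e["Password Last Set"], e["Caller User Name"], classify_caller(e))
            for e in parse_642_events(text)
            if e.get("Password Last Set", "-") not in ("-", "<value not set>")]
```

A "system" hit points at something running on the server itself (a service, a scheduled task, or software acting as SYSTEM), so the next step is to look at what ran at that timestamp rather than at who was logged on.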
Accepted Solution by: chapmanjw
It sounds like someone changed the password without him knowing.  It is best practice for each person to have their own username and password that DO NOT get written down or shared with anyone.  

I would suggest changing the password and requiring each user to have their own username/password.
Expert Comment by: chapmanjw
It was probably done while logged in as that user, so you wouldn't have any way to know what person actually did the changing.
Author Comment by: kbtechnical
Agreed.  I will be using this incident to tighten things up.  I was curious as to the different caller user names.
Expert Comment by: chapmanjw
The caller username with the server name in it usually means the user locked themselves out.  That could have been what actually happened.  
Author Comment by: kbtechnical
I looked at their account lockout policy.  It is set to Zero so it should never lock out.
Expert Comment by: ChiefIT
Also scan for malware. Some malware are targeting system admin passwords and changing them for a trojan to allow system administrator privileges as well as a back door...
Assisted Solution by: DivineCS
Make sure the password is secure.  Some viruses can crack simple passwords, a.k.a. dictionary words.  If you would like to use a simple word, make it more secure: replace S's with $'s and A's with @ signs, or use a mix of caps and lower case, maybe even using numbers as l3TteR5.
Author Comment by: kbtechnical
They do have Norton corporate with up-to-date defs, but it would not hurt to download Kaspersky or something like that for a free trial.

Their password is 9 characters long: 3 capital letters, 1 numeral and the rest lower case.

Did a quick scan with Malwarebytes and it was clean.  I'm kind of limited to what I can do during the day as it's a production server.
Assisted Solution by: ChiefIT
No problem. Malwarebytes is pretty good at removing and detecting malware.

My guess is, this is an inside job... with someone who knows the admin password.