«

Periodically, I get these entries in my win2000 Server Security Log. It
appears someone logs on via the machine account and then tries to change the
password of the disabled TSInternet User.

It seems as though my security is dong the job, but are there any
enhancements that I could do in security?

Log files are as follows:


--------------------------------------------------------------------------


EVENT #
43531

EVENT LOG
Security

EVENT TYPE
Audit Success

SOURCE
Security

CATEGORY
Privilege Use

EVENT ID
577

USERNAME
NT AUTHORITY\SYSTEM

COMPUTERNAME
MYCOMPUTER

TIME
1/28/2005 7:20:38 PM

MESSAGE
Privileged Service Called:
Server: NT Local Security Authority / Authentication Service
Service: LsaRegisterLogonProcess()
Primary User Name: MYCOMPUTER$
Primary Domain: mycomputergrp
Primary Logon ID: (0x0,0x3E7)
Client User Name: MYCOMPUTER$
Client Domain: mycomputergrp
Client Logon ID: (0x0,0x3E7)
Privileges: SeTcbPrivilege


--------------------------------------------------------------------------


EVENT #
43532

EVENT LOG
Security

EVENT TYPE
Audit Success

SOURCE
Security

CATEGORY
Object Access

EVENT ID
560

USERNAME
NT AUTHORITY\SYSTEM

COMPUTERNAME
MYCOMPUTER

TIME
1/28/2005 7:20:38 PM

MESSAGE
Object Open:
Object Server: Security Account Manager
Object Type: SAM_SERVER
Object Name: SAM
New Handle ID: 1056976
Operation ID: {0,15904413}
Process ID: 272
Primary User Name: MYCOMPUTER$
Primary Domain: mycomputergrp
Primary Logon ID: (0x0,0x3E7)
Client User Name: MYCOMPUTER$
Client Domain: mycomputergrp
Client Logon ID: (0x0,0x3E7)
Accesses DELETE

READ_CONTROL

WRITE_DAC

WRITE_OWNER

ConnectToServer

ShutdownServer

InitializeServer

CreateDomain

EnumerateDomains

LookupDomain


Privileges -


--------------------------------------------------------------------------


EVENT #
43533

EVENT LOG
Security

EVENT TYPE
Audit Success

SOURCE
Security

CATEGORY
Account Management

EVENT ID
627

USERNAME
NT AUTHORITY\SYSTEM

COMPUTERNAME
MYCOMPUTER

TIME
1/28/2005 7:20:38 PM

MESSAGE
Change Password Attempt:
Target Account Name: TsInternetUser
Target Domain: MYCOMPUTER
Target Account ID: MYCOMPUTER\TsInternetUser
Caller User Name: MYCOMPUTER$
Caller Domain: mycomputergrp
Caller Logon ID: (0x0,0x3E7)
Privileges: -

On Sat, 29 Jan 2005 17:10:54 GMT, "ed" <> wrote:

>Periodically, I get these entries in my win2000 Server Security Log. It
>appears someone logs on via the machine account and then tries to change the
>password of the disabled TSInternet User.
###########################
I'm not sure what you mean by "machine account"
Can you explain that?
donnie.

ed wrote:

> Periodically, I get these entries in my win2000 Server Security Log. It
> appears someone logs on via the machine account and then tries to change the
> password of the disabled TSInternet User.
>
> It seems as though my security is dong the job, but are there any
> enhancements that I could do in security?
>
> Log files are as follows:
>
> --------------------------------------------------------------------------
>
>
> EVENT #
> 43533
>
> EVENT LOG
> Security
>
> EVENT TYPE
> Audit Success
>
> SOURCE
> Security
>
> CATEGORY
> Account Management
>
> EVENT ID
> 627
>
> USERNAME
> NT AUTHORITY\SYSTEM
>
> COMPUTERNAME
> MYCOMPUTER
>
> TIME
> 1/28/2005 7:20:38 PM
>
> MESSAGE
> Change Password Attempt:
> Target Account Name: TsInternetUser
> Target Domain: MYCOMPUTER
> Target Account ID: MYCOMPUTER\TsInternetUser
> Caller User Name: MYCOMPUTER$
> Caller Domain: mycomputergrp
> Caller Logon ID: (0x0,0x3E7)
> Privileges: -

Blimey! You didn't look very far did you?

http://support.microsoft.com/default...244057&sd=tech

Excerpt:-
CAUSE
The TsInternetUser account is used by the Terminal Services Internet
Connector License. When Internet Connector Licensing is enabled, a
Windows 2000-based server accepts 200 anonymous-only connections.
Terminal Services clients are not prompted with a logon dialog box; they
are logged on automatically with the TsInternetUser account. The success
audit listed above is generated daily as the system changes the password
used by the TsInternetUser account for security purposes. This is
expected behavior on a server with Terminal Services Internet Connector
Licensing enabled. Currently, this event is logged when Internet
Connector Licensing is not enabled.
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products
that are listed at the beginning of this article.

--------------------------------------------------------------------------------

Michael wrote: Blimey! You didn't look very far did you?

Thank You!.

Actually my searches focused more on the LsaRegisterLogonProcess() that the
actual terminal services.


>
> http://support.microsoft.com/default...244057&sd=tech
>
> Excerpt:-
> CAUSE
> The TsInternetUser account is used by the Terminal Services Internet
> Connector License. When Internet Connector Licensing is enabled, a Windows
> 2000-based server accepts 200 anonymous-only connections. Terminal
> Services clients are not prompted with a logon dialog box; they are logged
> on automatically with the TsInternetUser account. The success audit listed
> above is generated daily as the system changes the password used by the
> TsInternetUser account for security purposes. This is expected behavior on
> a server with Terminal Services Internet Connector Licensing enabled.
> Currently, this event is logged when Internet Connector Licensing is not
> enabled.
> STATUS
> Microsoft has confirmed that this is a problem in the Microsoft products
> that are listed at the beginning of this article.
>
> --------------------------------------------------------------------------------
>