Periodically, I get these entries in my Win2000 Server Security Log. It
appears someone logs on via the machine account and then tries to change the
password of the disabled TsInternetUser.
It seems as though my security is doing the job, but are there any
enhancements that I could make in security?
Log files are as follows:
--------------------------------------------------------------------------
EVENT #
43531
EVENT LOG
Security
EVENT TYPE
Audit Success
SOURCE
Security
CATEGORY
Privilege Use
EVENT ID
577
USERNAME
NT AUTHORITY\SYSTEM
COMPUTERNAME
MYCOMPUTER
TIME
1/28/2005 7:20:38 PM
MESSAGE
Privileged Service Called:
Server: NT Local Security Authority / Authentication Service
Service: LsaRegisterLogonProcess()
Primary User Name: MYCOMPUTER$
Primary Domain: mycomputergrp
Primary Logon ID: (0x0,0x3E7)
Client User Name: MYCOMPUTER$
Client Domain: mycomputergrp
Client Logon ID: (0x0,0x3E7)
Privileges: SeTcbPrivilege
--------------------------------------------------------------------------
EVENT #
43532
EVENT LOG
Security
EVENT TYPE
Audit Success
SOURCE
Security
CATEGORY
Object Access
EVENT ID
560
USERNAME
NT AUTHORITY\SYSTEM
COMPUTERNAME
MYCOMPUTER
TIME
1/28/2005 7:20:38 PM
MESSAGE
Object Open:
Object Server: Security Account Manager
Object Type: SAM_SERVER
Object Name: SAM
New Handle ID: 1056976
Operation ID: {0,15904413}
Process ID: 272
Primary User Name: MYCOMPUTER$
Primary Domain: mycomputergrp
Primary Logon ID: (0x0,0x3E7)
Client User Name: MYCOMPUTER$
Client Domain: mycomputergrp
Client Logon ID: (0x0,0x3E7)
Accesses DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
ConnectToServer
ShutdownServer
InitializeServer
CreateDomain
EnumerateDomains
LookupDomain
Privileges -
--------------------------------------------------------------------------
EVENT #
43533
EVENT LOG
Security
EVENT TYPE
Audit Success
SOURCE
Security
CATEGORY
Account Management
EVENT ID
627
USERNAME
NT AUTHORITY\SYSTEM
COMPUTERNAME
MYCOMPUTER
TIME
1/28/2005 7:20:38 PM
MESSAGE
Change Password Attempt:
Target Account Name: TsInternetUser
Target Domain: MYCOMPUTER
Target Account ID: MYCOMPUTER\TsInternetUser
Caller User Name: MYCOMPUTER$
Caller Domain: mycomputergrp
Caller Logon ID: (0x0,0x3E7)
Privileges: -
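
An added example, not part of the original post: a small Python parser for the export layout of the entries above. It groups records that share a timestamp and logon ID, so the events surrounding each 627 (Change Password Attempt) can be reviewed together. The sample records are constructed and abbreviated from that layout, and the function names are hypothetical.

```python
import re

# Constructed sample in the export layout shown above (records abbreviated).
SAMPLE = """EVENT ID
577
TIME
1/28/2005 7:20:38 PM
MESSAGE
Client Logon ID: (0x0,0x3E7)
----------
EVENT ID
627
TIME
1/28/2005 7:20:38 PM
MESSAGE
Target Account Name: TsInternetUser
Caller User Name: MYCOMPUTER$
Caller Logon ID: (0x0,0x3E7)
"""
HEADERS = {"EVENT #", "EVENT LOG", "EVENT TYPE", "SOURCE", "CATEGORY",
           "EVENT ID", "USERNAME", "COMPUTERNAME", "TIME"}

def parse_events(text):
    """Split on dashed separators; each header label takes the next line as its value."""
    events = []
    for chunk in re.split(r"(?m)^-{5,}\s*$", text):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        ev = {}
        for i, line in enumerate(lines):
            if line == "MESSAGE":  # rest of the record: "Key: Value" detail lines
                pairs = (d.partition(":") for d in lines[i + 1:])
                ev.update({k.strip(): v.strip() for k, _, v in pairs if v.strip()})
                break
            if line in HEADERS and i + 1 < len(lines):
                ev[line] = lines[i + 1]
        if ev:
            events.append(ev)
    return events

def password_change_chains(events):
    """For each event 627, list the event IDs that share its timestamp and logon ID."""
    groups = {}
    for ev in events:
        logon = ev.get("Caller Logon ID") or ev.get("Client Logon ID")
        groups.setdefault((ev.get("TIME"), logon), []).append(ev)
    return [{"target": ev.get("Target Account Name"), "caller": ev.get("Caller User Name"),
             "logon_id": key[1], "event_ids": [e.get("EVENT ID") for e in group]}
            for key, group in groups.items() for ev in group if ev.get("EVENT ID") == "627"]
```

Detail lines without a "Key: Value" pair, such as the bare access names listed under event 560, are skipped by the parser.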