Machine account (MyMachine$) logon process then tries to change TSInternet User Password

Discussion in 'Computer Security' started by ed, Jan 29, 2005.

  1. ed

    ed Guest

    Periodically, I get these entries in my win2000 Server Security Log. It
    appears someone logs on via the machine account and then tries to change the
    password of the disabled TSInternet User.

    It seems as though my security is doing the job, but are there any
    enhancements that I could do in security?

    Log files are as follows:


    --------------------------------------------------------------------------


    EVENT #
    43531

    EVENT LOG
    Security

    EVENT TYPE
    Audit Success

    SOURCE
    Security

    CATEGORY
    Privilege Use

    EVENT ID
    577

    USERNAME
    NT AUTHORITY\SYSTEM

    COMPUTERNAME
    MYCOMPUTER

    TIME
    1/28/2005 7:20:38 PM

    MESSAGE
    Privileged Service Called:
    Server: NT Local Security Authority / Authentication Service
    Service: LsaRegisterLogonProcess()
    Primary User Name: MYCOMPUTER$
    Primary Domain: mycomputergrp
    Primary Logon ID: (0x0,0x3E7)
    Client User Name: MYCOMPUTER$
    Client Domain: mycomputergrp
    Client Logon ID: (0x0,0x3E7)
    Privileges: SeTcbPrivilege


    --------------------------------------------------------------------------


    EVENT #
    43532

    EVENT LOG
    Security

    EVENT TYPE
    Audit Success

    SOURCE
    Security

    CATEGORY
    Object Access

    EVENT ID
    560

    USERNAME
    NT AUTHORITY\SYSTEM

    COMPUTERNAME
    MYCOMPUTER

    TIME
    1/28/2005 7:20:38 PM

    MESSAGE
    Object Open:
    Object Server: Security Account Manager
    Object Type: SAM_SERVER
    Object Name: SAM
    New Handle ID: 1056976
    Operation ID: {0,15904413}
    Process ID: 272
    Primary User Name: MYCOMPUTER$
    Primary Domain: mycomputergrp
    Primary Logon ID: (0x0,0x3E7)
    Client User Name: MYCOMPUTER$
    Client Domain: mycomputergrp
    Client Logon ID: (0x0,0x3E7)
    Accesses DELETE
             READ_CONTROL
             WRITE_DAC
             WRITE_OWNER
             ConnectToServer
             ShutdownServer
             InitializeServer
             CreateDomain
             EnumerateDomains
             LookupDomain
    Privileges -


    --------------------------------------------------------------------------


    EVENT #
    43533

    EVENT LOG
    Security

    EVENT TYPE
    Audit Success

    SOURCE
    Security

    CATEGORY
    Account Management

    EVENT ID
    627

    USERNAME
    NT AUTHORITY\SYSTEM

    COMPUTERNAME
    MYCOMPUTER

    TIME
    1/28/2005 7:20:38 PM

    MESSAGE
    Change Password Attempt:
    Target Account Name: TsInternetUser
    Target Domain: MYCOMPUTER
    Target Account ID: MYCOMPUTER\TsInternetUser
    Caller User Name: MYCOMPUTER$
    Caller Domain: mycomputergrp
    Caller Logon ID: (0x0,0x3E7)
    Privileges: -
     
    ed, Jan 29, 2005
    #1

  2. ed

    donnie Guest

    On Sat, 29 Jan 2005 17:10:54 GMT, "ed" <> wrote:

    >Periodically, I get these entries in my win2000 Server Security Log. It
    >appears someone logs on via the machine account and then tries to change the
    >password of the disabled TSInternet User.

    ###########################
    I'm not sure what you mean by "machine account"
    Can you explain that?
    donnie.
     
    donnie, Jan 30, 2005
    #2

  3. ed

    Mike Guest

    Re: Machine account (MyMachine$) logon process then tries to change TSInternet User Password

    ed wrote:

    > Periodically, I get these entries in my win2000 Server Security Log. It
    > appears someone logs on via the machine account and then tries to change the
    > password of the disabled TSInternet User.
    >
    > It seems as though my security is doing the job, but are there any
    > enhancements that I could do in security?
    >
    > Log files are as follows:
    >
    > --------------------------------------------------------------------------
    >
    >
    > EVENT #
    > 43533
    >
    > EVENT LOG
    > Security
    >
    > EVENT TYPE
    > Audit Success
    >
    > SOURCE
    > Security
    >
    > CATEGORY
    > Account Management
    >
    > EVENT ID
    > 627
    >
    > USERNAME
    > NT AUTHORITY\SYSTEM
    >
    > COMPUTERNAME
    > MYCOMPUTER
    >
    > TIME
    > 1/28/2005 7:20:38 PM
    >
    > MESSAGE
    > Change Password Attempt:
    > Target Account Name: TsInternetUser
    > Target Domain: MYCOMPUTER
    > Target Account ID: MYCOMPUTER\TsInternetUser
    > Caller User Name: MYCOMPUTER$
    > Caller Domain: mycomputergrp
    > Caller Logon ID: (0x0,0x3E7)
    > Privileges: -


    Blimey! You didn't look very far did you?

    http://support.microsoft.com/default.aspx?scid=kb;en-us;244057&sd=tech

    Excerpt:-
    CAUSE
    The TsInternetUser account is used by the Terminal Services Internet
    Connector License. When Internet Connector Licensing is enabled, a
    Windows 2000-based server accepts 200 anonymous-only connections.
    Terminal Services clients are not prompted with a logon dialog box; they
    are logged on automatically with the TsInternetUser account. The success
    audit listed above is generated daily as the system changes the password
    used by the TsInternetUser account for security purposes. This is
    expected behavior on a server with Terminal Services Internet Connector
    Licensing enabled. Currently, this event is logged when Internet
    Connector Licensing is not enabled.
    STATUS
    Microsoft has confirmed that this is a problem in the Microsoft products
    that are listed at the beginning of this article.

    --------------------------------------------------------------------------------
     
    Mike, Jan 30, 2005
    #3
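
The check Mike's answer implies, as an added example (not code from the thread or from Microsoft): it parses the label/value export layout ed posted and marks an event 627 as expected only when the caller is the server's own machine account in the SYSTEM logon session (0x0,0x3E7) and the target is TsInternetUser. The function names and the second sample record (caller `jsmith`) are constructed for illustration.

```python
import re

HEADERS = {"EVENT #", "EVENT LOG", "EVENT TYPE", "SOURCE", "CATEGORY",
           "EVENT ID", "USERNAME", "COMPUTERNAME", "TIME"}
SYSTEM_LOGON_ID = "(0x0,0x3e7)"  # logon session of the local SYSTEM account

def parse_export(text):
    """Parse the label-line / value-line export format posted in the thread."""
    events = []
    for chunk in re.split(r"(?m)^[ \t]*-{10,}[ \t]*$", text):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        ev, fields, i = {}, {}, 0
        while i < len(lines):
            if lines[i] == "MESSAGE":  # rest of the record is "Key: value" lines
                for line in lines[i + 1:]:
                    key, sep, val = line.partition(":")
                    if sep and val.strip():
                        fields[key.strip()] = val.strip()
                break
            if lines[i] in HEADERS and i + 1 < len(lines):
                ev[lines[i]] = lines[i + 1]  # value sits on the following line
                i += 1
            i += 1
        if ev:
            events.append({**ev, "fields": fields})
    return events

def triage(ev):
    """'expected' = the daily TsInternetUser rotation from KB 244057; else 'review'."""
    if ev.get("EVENT ID") != "627":
        return "ignore"
    f = ev["fields"]
    by_system = (f.get("Caller User Name", "").upper()
                 == ev.get("COMPUTERNAME", "").upper() + "$"
                 and f.get("Caller Logon ID", "").lower() == SYSTEM_LOGON_ID)
    on_ts_user = f.get("Target Account Name", "").lower() == "tsinternetuser"
    return "expected" if by_system and on_ts_user else "review"

def record(num, caller, logon_id):  # constructed sample in the thread's layout
    return (f"\nEVENT #\n{num}\n\nEVENT ID\n627\n\nCOMPUTERNAME\nMYCOMPUTER\n\n"
            "MESSAGE\nChange Password Attempt:\n"
            "Target Account Name: TsInternetUser\n"
            f"Caller User Name: {caller}\nCaller Logon ID: {logon_id}\n")

SAMPLE = ("-" * 74).join(["", record(43533, "MYCOMPUTER$", "(0x0,0x3E7)"),
                          record(50001, "jsmith", "(0x0,0x1A2B3C)"), ""])

if __name__ == "__main__":
    for ev in parse_export(SAMPLE):
        print(ev["EVENT #"], triage(ev))
```

A 627 against TsInternetUser from any caller other than the machine account in the SYSTEM session falls outside what the KB article describes and is the case worth a closer look.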
  4. ed

    ed Guest

    Michael wrote: Blimey! You didn't look very far did you?

    Thank you!

    Actually my searches focused more on the LsaRegisterLogonProcess() than the
    actual terminal services.


    >
    > http://support.microsoft.com/default.aspx?scid=kb;en-us;244057&sd=tech
    >
    > Excerpt:-
    > CAUSE
    > The TsInternetUser account is used by the Terminal Services Internet
    > Connector License. When Internet Connector Licensing is enabled, a Windows
    > 2000-based server accepts 200 anonymous-only connections. Terminal
    > Services clients are not prompted with a logon dialog box; they are logged
    > on automatically with the TsInternetUser account. The success audit listed
    > above is generated daily as the system changes the password used by the
    > TsInternetUser account for security purposes. This is expected behavior on
    > a server with Terminal Services Internet Connector Licensing enabled.
    > Currently, this event is logged when Internet Connector Licensing is not
    > enabled.
    > STATUS
    > Microsoft has confirmed that this is a problem in the Microsoft products
    > that are listed at the beginning of this article.
    >
    > --------------------------------------------------------------------------------
    >
     
    ed, Jan 30, 2005
    #4