Machine account (MyMachine$) logon process then tries to change TSInternet User Password

Discussion in 'Computer Security' started by ed, Jan 29, 2005.

  1. ed

    ed Guest

    Periodically, I get these entries in my win2000 Server Security Log. It
    appears someone logs on via the machine account and then tries to change the
    password of the disabled TSInternet User.

    It seems as though my security is doing the job, but are there any
    enhancements that I could do in security?

    Log files are as follows:


    --------------------------------------------------------------------------


    EVENT #
    43531

    EVENT LOG
    Security

    EVENT TYPE
    Audit Success

    SOURCE
    Security

    CATEGORY
    Privilege Use

    EVENT ID
    577

    USERNAME
    NT AUTHORITY\SYSTEM

    COMPUTERNAME
    MYCOMPUTER

    TIME
    1/28/2005 7:20:38 PM

    MESSAGE
    Privileged Service Called:
    Server: NT Local Security Authority / Authentication Service
    Service: LsaRegisterLogonProcess()
    Primary User Name: MYCOMPUTER$
    Primary Domain: mycomputergrp
    Primary Logon ID: (0x0,0x3E7)
    Client User Name: MYCOMPUTER$
    Client Domain: mycomputergrp
    Client Logon ID: (0x0,0x3E7)
    Privileges: SeTcbPrivilege


    --------------------------------------------------------------------------


    EVENT #
    43532

    EVENT LOG
    Security

    EVENT TYPE
    Audit Success

    SOURCE
    Security

    CATEGORY
    Object Access

    EVENT ID
    560

    USERNAME
    NT AUTHORITY\SYSTEM

    COMPUTERNAME
    MYCOMPUTER

    TIME
    1/28/2005 7:20:38 PM

    MESSAGE
    Object Open:
    Object Server: Security Account Manager
    Object Type: SAM_SERVER
    Object Name: SAM
    New Handle ID: 1056976
    Operation ID: {0,15904413}
    Process ID: 272
    Primary User Name: MYCOMPUTER$
    Primary Domain: mycomputergrp
    Primary Logon ID: (0x0,0x3E7)
    Client User Name: MYCOMPUTER$
    Client Domain: mycomputergrp
    Client Logon ID: (0x0,0x3E7)
    Accesses DELETE
    READ_CONTROL
    WRITE_DAC
    WRITE_OWNER
    ConnectToServer
    ShutdownServer
    InitializeServer
    CreateDomain
    EnumerateDomains
    LookupDomain
    Privileges -


    --------------------------------------------------------------------------


    EVENT #
    43533

    EVENT LOG
    Security

    EVENT TYPE
    Audit Success

    SOURCE
    Security

    CATEGORY
    Account Management

    EVENT ID
    627

    USERNAME
    NT AUTHORITY\SYSTEM

    COMPUTERNAME
    MYCOMPUTER

    TIME
    1/28/2005 7:20:38 PM

    MESSAGE
    Change Password Attempt:
    Target Account Name: TsInternetUser
    Target Domain: MYCOMPUTER
    Target Account ID: MYCOMPUTER\TsInternetUser
    Caller User Name: MYCOMPUTER$
    Caller Domain: mycomputergrp
    Caller Logon ID: (0x0,0x3E7)
    Privileges: -
     
    ed, Jan 29, 2005
    #1
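
The following Python is an added example, not part of ed's post: it parses records in the label/value layout shown above, finds each event 627, and lists the events from the same second that share its logon ID, flagging whether that ID is (0x0,0x3E7), the LocalSystem logon session. The function names and the condensed SAMPLE are constructed for illustration; fields the parser does not use are ignored, so the full records parse as well.

```python
import re

SYSTEM_LUID = "(0x0,0x3E7)"  # logon session of LocalSystem
# Constructed sample, condensed from two of the records quoted in the post.
SAMPLE = """EVENT ID
560
TIME
1/28/2005 7:20:38 PM
MESSAGE
Object Type: SAM_SERVER
Process ID: 272
Client Logon ID: (0x0,0x3E7)
-----
EVENT ID
627
TIME
1/28/2005 7:20:38 PM
MESSAGE
Target Account Name: TsInternetUser
Caller Logon ID: (0x0,0x3E7)
"""

def parse(text):
    """Return one dict per record; records are separated by dashed rules."""
    records = []
    for block in re.split(r"(?m)^\s*-{3,}\s*$", text):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        rec = {}
        for i, line in enumerate(lines):
            if line in ("EVENT ID", "TIME") and i + 1 < len(lines):
                rec[line] = lines[i + 1]          # label line, value on the next line
            elif ": " in line:
                key, value = line.split(": ", 1)  # "Key: Value" message field
                rec[key] = value
        if rec:
            records.append(rec)
    return records

def password_changes(records):
    """Describe each 627 and the same-second events sharing its logon ID."""
    found = []
    for r in (x for x in records if x.get("EVENT ID") == "627"):
        luid = r.get("Caller Logon ID")
        related = [x for x in records if x is not r and x.get("TIME") == r.get("TIME")
                   and x.get("Client Logon ID") == luid]
        found.append({"target": r.get("Target Account Name"),
                      "local_system": luid == SYSTEM_LUID,
                      "related": [(x.get("EVENT ID"), x.get("Process ID")) for x in related]})
    return found
```

When `local_system` is true, the Process ID carried by a related event 560 identifies the local process that opened the SAM in the same second.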