
Someone is trying to manipulate my server

February 11, 2005 1:31:11 PM

Archived from groups: microsoft.public.win2000.security

Hi,

As a regular revision of the server I found strange messages in my Event
viewer. Maybe you can help me figure them out. Because of company policy I
had to create a regular account for a user Eva. I turned on a lot of
auditing events. Yesterday Eva failed to access the SERVICES.EXE process
to stop and start a service.
My server is called 27MAYO. What does it mean when I see "Primary User Name:
27MAYO$"?
Then I get the message:
Server Object: Security Account Manager
Object Type: SAM_SERVER
Object Name: SAM
Accesses: DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
ConnectToServer
ShutdownServer
InitializeServer
CreateDomain
EnumerateDomains
LookupDomain

The same thing is done for object name 27MAYO:
Accesses: DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
ReadPasswordParameters
WritePasswordParameters
ReadOtherParameters
WriteOtherParameters
CreateUser
CreateLocalGroup
GetLocalGroupMembership
ListAccounts
LookupIDs
AdministerServer

Then they restarted the server. And logged on but the only message that I
get from logging on this time is that of KSecDD and it doesn't say what user
name is logged on.

Audit Policy Change:
New Policy:
Success Failure
+ + System
+ + Logon/Logoff
- - Object Access
+ + Privilege Use
- - Detailed Tracking
+ + Policy Change
+ + Account Management
+ + System
Changed By: 27MAYO$
User Name: %15 Domain Name: PERNO
Logon ID: (0X0,0X3E7)

Could anyone explain to me how they could have done this? Thank you.

Frank

Anonymous
February 11, 2005 4:01:53 PM

27MAYO$ indicates that the event being logged is based on the computer
accessing an object. $ after a name means that the name is for a computer.
The computer is accessing the local user database [sam] to access user/group
information and this is normal. In my opinion you should enable auditing of
object access only if you have a particular reason like to enable auditing
of a folder or file or an application or user access problem. It is not
unusual to see failures in object access in normal computer operation and
you will go crazy if you try to track them all down. Instead concentrate on
checking for failed logon/account logons, unexplained/failed changes in
policy, and unexplained/failed changes for account management events
assuming those categories are enabled for auditing. --- Steve



"Frank" <frank673@hotmail.com> wrote in message
news:uB4kmcFEFHA.2032@tk2msftngp13.phx.gbl...
> Hi,
>
> As a regular revision of the server I found strange messages in my Event
> viewer. Maybe you can help me figure them out. Because of company policy I
> had to create a regular account for a user Eva. I turned on a lot of
> auditing events. Yesterday Eva failed to access the SERVICES.EXE process
> to stop and start a service.
> My server is called 27MAYO. What does it mean when I see "Primary User
> Name: 27MAYO$"?
> Then I get the message:
> Server Object: Security Account Manager
> Object Type: SAM_SERVER
> Object Name: SAM
> Accesses: DELETE
> READ_CONTROL
> WRITE_DAC
> WRITE_OWNER
> ConnectToServer
> ShutdownServer
> InitializeServer
> CreateDomain
> EnumerateDomains
> LookupDomain
>
> The same thing is done for object name 27MAYO:
> Accesses: DELETE
> READ_CONTROL
> WRITE_DAC
> WRITE_OWNER
> ReadPasswordParameters
> WritePasswordParameters
> ReadOtherParameters
> WriteOtherParameters
> CreateUser
> CreateLocalGroup
> GetLocalGroupMembership
> ListAccounts
> LookupIDs
> AdministerServer
>
> Then they restarted the server. And logged on but the only message that I
> get from logging on this time is that of KSecDD and it doesn't say what
> user name is logged on.
>
> Audit Policy Change:
> New Policy:
> Success Failure
> + + System
> + + Logon/Logoff
> - - Object Access
> + + Privilege Use
> - - Detailed Tracking
> + + Policy Change
> + + Account Management
> + + System
> Changed By: 27MAYO$
> User Name: %15 Domain Name: PERNO
> Logon ID: (0X0,0X3E7)
>
> Could anyone explain to me how they could have done this? Thank you.
>
> Frank
>
>
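
An added illustration of the triage order Steve describes above, not code from either poster: it treats names ending in `$` as computer accounts, always surfaces policy-change, account-management and failed-logon events, and surfaces object-access events only for objects you deliberately audit. The event dictionary layout, the `watched_objects` parameter and the sample events are assumptions constructed for this example.

```python
import re

# Constructed events using the field names quoted in the thread (not real exports).
SAMPLE_EVENTS = [
    {"category": "Object Access", "outcome": "Success",
     "text": "Object Type: SAM_SERVER\nObject Name: SAM\nPrimary User Name: 27MAYO$"},
    {"category": "Object Access", "outcome": "Failure",
     "text": "Object Name: SERVICES.EXE\nPrimary User Name: Eva"},
    {"category": "Policy Change", "outcome": "Success",
     "text": "Audit Policy Change:\nChanged By: 27MAYO$\nUser Name: %15"},
    {"category": "Logon/Logoff", "outcome": "Failure",
     "text": "Logon Failure:\nUser Name: guest1"},
]

ACTOR_RE = re.compile(r"^(?:Primary User Name|Changed By|User Name):\s*(\S+)", re.M)
OBJECT_RE = re.compile(r"^Object Name:\s*(.+)$", re.M)

def actor(text):
    """Return the first account the event description is attributed to, or None."""
    m = ACTOR_RE.search(text)
    return m.group(1) if m else None

def is_computer_account(name):
    """A trailing '$' marks a computer account, e.g. 27MAYO$ for server 27MAYO."""
    return bool(name) and name.endswith("$")

def triage(event, watched_objects=()):
    """Return (priority, actor), where priority is 'review' or 'low'."""
    who = actor(event["text"])
    cat, failed = event["category"], event["outcome"] == "Failure"
    # Policy and account changes always go to a human, who decides if they are explained.
    if cat in ("Policy Change", "Account Management"):
        return "review", who
    if cat in ("Logon/Logoff", "Account Logon") and failed:
        return "review", who
    if cat == "Object Access":
        m = OBJECT_RE.search(event["text"])
        obj = m.group(1).strip() if m else ""
        # Object access matters only for objects audited on purpose, and
        # the computer's own routine access (e.g. to the SAM) stays low.
        if obj in watched_objects and not is_computer_account(who):
            return "review", who
    return "low", who

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["category"], ev["outcome"], triage(ev, watched_objects={"SERVICES.EXE"}))
```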