Re: Guest Account being enabled

From: Jim Patton (jpatton@crouse.com)
Date: 06/12/02


From: "Jim Patton" <jpatton@crouse.com>
Date: Wed, 12 Jun 2002 12:23:07 -0700


Just started by going to the following link.
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q322336#3
>-----Original Message-----
>You might just be my SAVIOR!!!
>
>Now this brings up a good question...One of the IT guys
>here....the one that was in charge of SQL....was let go a
>week ago. Therefore....I'm clueless when it comes to SQL.
>I went into the SQL Enterprise Manager...
>Right click on the server and went to properties
>there I see a securities tab. The authentication method is
>set to use SQL and Windows NT...Should I change this to
>Windows NT only?
>The startup service is using the DOMAIN\Administrator
>account. Is this correct?
>Then under the server I see a security folder, in there I
>see logins...
>The following accounts exist:
>BUILTIN\Administrators
>SA
>DOMAIN\Administrator
>The BUILTIN\Administrators are using NT in the BUILTIN
>domain??? This right?
>the SA account is using SQL and the password is starred.
>The only thing is the radio buttons are grayed out to
>change SA to use NT???
>
>Any pointers?
>>-----Original Message-----
>>Do you have a SQL server? It sounds like the SPIDA worm
>>that I have been reading about. Go to www.cert.org. The
>>SPIDA Worm does exactly what you are saying with respect
>>to the guest and Administrator group. Do you have
>>a "blank" password for the SQL "SA" account? If you have
>>a SQL server, and have a blank "SA" password, and all this
>>stuff is happening to you, I would say you have the SPIDA worm
>>on your network.
>>
>>mick2767@hotmail.com
>>
>>
>>>-----Original Message-----
>>>Wanted to add a bit more thought here...
>>>
>>>I have a User Account named Administrator. I have the user
>>>Administrator added to every group except Domain Guests.
>>>I have an Administrator Group and a Domain Administrator
>>>Group. The user Administrator is in both of these groups,
>>>my username, and the exchange service username are also in
>>>both of these groups. The password's all the same with
>>>respect to the Exchange service username and the
>>>Administrator. My username does not have the same
>>>password.
>>>
>>>?????
>>>
>>>
>>>>-----Original Message-----
>>>>When you say rename the Admin account....do you mean
>>>>delete the Admin account and create a new one???
>>>>
>>>>The Domain admin is not an account just a group....
>>>>
>>>>Starting to get really confused as to what to do here...
>>>>
>>>>Is there a way to change the local admin password for the
>>>>PDC and BDC's? I thought they were all one account. There
>>>>is no local account just the Administrator account from
>>>>the User Manager for the Domain.
>>>>
>>>>
>>>>>-----Original Message-----
>>>>>Rename the Administrator account and see what happens. Is your local
>>>>>administrator password the same as your domain administrator password?
>>>>>
>>>>>Ray
>>>>>
>>>>>"Jim Patton" <jpatton@crouse.com> wrote in message
>>>>>news:dfa601c21213$1f46fde0$39ef2ecf@TKMSFTNGXA08...
>>>>>> Ok....according to the event viewer.....Administrator is
>>>>>> changing the guest account. The times of the changes
>>>>>> appear to be happening anywhere from a two hour interval
>>>>>> to a 7 hour interval. I also noticed the MACHINENAME$
>>>>>> passwords are being reset and changed. All of which are
>>>>>> being done by Administrator.
>>>>>>
>>>>>> GOING NUTS OVER HERE!!! I'm picking these servers apart
>>>>>> trying to figure out what the hell is happening....I'm
>>>>>> debating on having everyone in the company change their
>>>>>> passwords and see if that does anything. I've also looked
>>>>>> through the registry to find anything executing the run
>>>>>> command, or net user command.....nothing there...
>>>>>>
>>>>>> HELP!!!
>>>>>>
>>>>>>
>>>>>> >-----Original Message-----
>>>>>> >Just a thought, but could it be something running on your computer? I have
>>>>>> >seen cases where something goes into the Run key that manipulates user
>>>>>> >accounts. So, each time an admin logs in, account changes are made. If you
>>>>>> >are auditing your domain's "User and Group Management" and "Security Policy
>>>>>> >Changes" for both Success and Failure, I think you may spot what is
>>>>>> >happening. Don't overlook thi
>.
>