Re: SAM events

From: Steven L Umbach (sumbach55_at_ameritech.net)
Date: 11/11/03


Date: Tue, 11 Nov 2003 20:24:06 GMT

When you enable auditing of object access, a lot of system access events are
recorded. That does not look like anything malicious to me. Looks like
someone changed their password and if you have auditing of account
management enabled, a matching event may show there. --- Steve

"Boris Skoblo" <borsk@tx.technion.ac.il> wrote in message
news:boqub3$kqo$1@news.iucc.ac.il...
> Hi All,
>
> What can these 3 sequential events in the security log of a Win 2000 server mean?
>
> ------
> Event Type: Success Audit
> Event Source: Security
> Event Category: Object Access
> Event ID: 560
> Date: 11/6/2003
> Time: 4:48:28 PM
> User: NT AUTHORITY\SYSTEM
> Computer: SERVER
> Description:
> Object Open:
> Object Server: Security Account Manager
> Object Type: SAM_SERVER
> Object Name: SAM
> New Handle ID: 803104
> Operation ID: {0,84797490}
> Process ID: 384
> Primary User Name: SERVER$
> Primary Domain: DOMAIN
> Primary Logon ID: (0x0,0x3E7)
> Client User Name: SERVER$
> Client Domain: DOMAIN
> Client Logon ID: (0x0,0x3E7)
> Accesses DELETE
> READ_CONTROL
> WRITE_DAC
> WRITE_OWNER
> ConnectToServer
> ShutdownServer
> InitializeServer
> CreateDomain
> EnumerateDomains
> LookupDomain
>
> Privileges -
>
>
>
> Event Type: Success Audit
> Event Source: Security
> Event Category: Object Access
> Event ID: 560
> Date: 11/6/2003
> Time: 4:48:28 PM
> User: NT AUTHORITY\SYSTEM
> Computer: SERVER
> Description:
> Object Open:
> Object Server: Security Account Manager
> Object Type: SAM_DOMAIN
> Object Name: SERVER
> New Handle ID: 896528
> Operation ID: {0,84797491}
> Process ID: 384
> Primary User Name: SERVER$
> Primary Domain: DOMAIN
> Primary Logon ID: (0x0,0x3E7)
> Client User Name: SERVER$
> Client Domain: DOMAIN
> Client Logon ID: (0x0,0x3E7)
> Accesses ReadPasswordParameters
>
> Privileges -
>
>
>
> Event Type: Success Audit
> Event Source: Security
> Event Category: Object Access
> Event ID: 560
> Date: 11/6/2003
> Time: 4:48:28 PM
> User: NT AUTHORITY\SYSTEM
> Computer: SERVER
> Description:
> Object Open:
> Object Server: Security Account Manager
> Object Type: SAM_USER
> Object Name: DOMAINS\Account\Users\000003E8
> New Handle ID: 1233120
> Operation ID: {0,84797496}
> Process ID: 384
> Primary User Name: SERVER$
> Primary Domain: DOMAIN
> Primary Logon ID: (0x0,0x3E7)
> Client User Name: SERVER$
> Client Domain: DOMAIN
> Client Logon ID: (0x0,0x3E7)
> Accesses ChangePassword (with knowledge of old password)
>
> Privileges -
>
> ----
> Boris Skoblo
>
> System Administrator
>
>
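Added example, not part of the thread and not code from either poster: a small Python parser that reads Event Viewer text like the records Boris posted, groups the Event ID 560 entries that share a Process ID, Client Logon ID and timestamp into one SAM operation, and reports what that operation requested: the SAM_SERVER -> SAM_DOMAIN -> SAM_USER chain, whether a ChangePassword access was asked for, and the target account's RID decoded from the hex suffix of the SAM_USER object name (000003E8 is RID 1000). The sample records are constructed from the post above, trimmed to the fields the parser uses. Keep in mind that 560 records the accesses requested when the handle was opened, not whether the change succeeded; as Steve notes, the account management audit category is where the matching password-change event would appear.

```python
import re
from collections import defaultdict

# Constructed sample: the three Event ID 560 records from the post,
# trimmed to the fields used below (layout otherwise as Event Viewer shows it).
SAMPLE_LOG = """\
Event Type: Success Audit
Event ID: 560
Date: 11/6/2003
Time: 4:48:28 PM
Object Type: SAM_SERVER
Object Name: SAM
Process ID: 384
Client Logon ID: (0x0,0x3E7)
Accesses DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
ConnectToServer
ShutdownServer
InitializeServer
CreateDomain
EnumerateDomains
LookupDomain
Privileges -
Event Type: Success Audit
Event ID: 560
Date: 11/6/2003
Time: 4:48:28 PM
Object Type: SAM_DOMAIN
Object Name: SERVER
Process ID: 384
Client Logon ID: (0x0,0x3E7)
Accesses ReadPasswordParameters
Privileges -
Event Type: Success Audit
Event ID: 560
Date: 11/6/2003
Time: 4:48:28 PM
Object Type: SAM_USER
Object Name: DOMAINS\\Account\\Users\\000003E8
Process ID: 384
Client Logon ID: (0x0,0x3E7)
Accesses ChangePassword (with knowledge of old password)
Privileges -
"""

def parse_events(text):
    """Split Event Viewer text into records; each 'Event Type:' line starts one.
    'Key: Value' lines fill a dict; the 'Accesses' list spans the following
    lines until the 'Privileges' line."""
    events, cur, in_access = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Event Type:"):
            cur = {"Accesses": []}
            events.append(cur)
            in_access = False
        if cur is None or not line:
            continue
        if line.startswith("Privileges"):
            in_access = False
            cur["Privileges"] = line.partition(" ")[2].strip()
        elif line.startswith("Accesses"):
            in_access = True
            first = line[len("Accesses"):].strip()
            if first:
                cur["Accesses"].append(first)
        elif in_access:
            cur["Accesses"].append(line)
        else:
            key, sep, val = line.partition(":")
            if sep:
                cur[key.strip()] = val.strip()
    return events

def rid_from_object_name(name):
    """SAM_USER object names end in the account RID as 8 hex digits."""
    m = re.search(r"\\([0-9A-Fa-f]{8})$", name)
    return int(m.group(1), 16) if m else None

def group_sequences(events):
    """Group 560 events from the same process and logon session in the same
    second: the unit an analyst reads as one SAM operation."""
    groups = defaultdict(list)
    for ev in events:
        if ev.get("Event ID") == "560":
            groups[(ev.get("Process ID"), ev.get("Client Logon ID"),
                    ev.get("Date"), ev.get("Time"))].append(ev)
    return groups

def describe_sequence(seq):
    """Summarise one grouped sequence: object chain, whether a password change
    was requested, and which RIDs were the target. (0x0,0x3E7) is the logon
    ID of the local SYSTEM session."""
    users = [ev for ev in seq if ev.get("Object Type") == "SAM_USER"]
    return {
        "chain": [ev.get("Object Type") for ev in seq],
        "system_logon": seq[0].get("Client Logon ID") == "(0x0,0x3E7)",
        "password_change_requested": any(a.startswith("ChangePassword")
                                         for ev in users for a in ev["Accesses"]),
        "target_rids": [rid_from_object_name(ev["Object Name"]) for ev in users],
    }

if __name__ == "__main__":
    for key, seq in group_sequences(parse_events(SAMPLE_LOG)).items():
        print(key, describe_sequence(seq))
```

Run on the sample, the three records collapse into a single sequence keyed by process 384 and the SYSTEM logon session, with a chain of SAM_SERVER, SAM_DOMAIN, SAM_USER and a password change requested for RID 1000. The grouping key is deliberately coarse; on a busy server you would widen the time window and add the Operation ID ordering, but the same three-object chain is what a single password change looks like in an object access audit.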
