Help: Event ID 627

From: Bluehades (anonymous_at_discussions.microsoft.com)
Date: 06/02/04 

Date: Wed, 2 Jun 2004 11:36:06 -0700

Hello's
I have a Windows 2003 server with RADIUS services provided by IAS. The RADIUS services are used by Wireless users & Dial-up users.
In my security log i noticed several unusual Event id 627 failure audits.

There were several failed change password attempts on the IUSR account, the IWAM account & even more suspicious on the Administrator account, & the Guest account.
Are these signs that someone is attempting to modify the local accounts on the Server? How can i detect the source of these attempts?
Examples of failed audits below.

Many thanks.
Blue.

5/24/2004
12:00:06 PM
Change Password Attempt:
         Target Account Name: Administrator
         Target Domain: SERVERNAME
         Target Account ID: SERVERNAME\Administrator
         Caller User Name: SERVERNAME$
         Caller Domain: STLCOPNT
         Caller Logon ID: (0x0,0x3E7)
         Privileges: -

5/24/2004
12:00:06 PM
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account: Guest
 Source Workstation: SERVERNAME
 Error Code: 0xC0000072

5/24/2004
12:00:06 PM
Change Password Attempt:
         Target Account Name: IUSR_SERVERNAME
         Target Domain: SERVERNAME
         Target Account ID: SERVERNAME\IUSR_SERVERNAME
         Caller User Name: SERVERNAME$
         Caller Domain: STLCOPNT
         Caller Logon ID: (0x0,0x3E7)
         Privileges: -