Change in Security Account Manager

Guest

Hello,

I noticed the following events logged in one of my servers at an odd hour
last night. Can anyone provide more detail as to what they can be
interpreted as, and is this a possible intrusion?

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 10/13/2005
Time: 2:53:25 AM
User: NT AUTHORITY\SYSTEM
Computer: SERVER01
Description:
Object Open:
Object Server: Security Account Manager
Object Type: SAM_SERVER
Object Name: SAM
New Handle ID: 737064
Operation ID: {0,18509278}
Process ID: 372
Primary User Name: SERVER01$
Primary Domain: DOMAINA
Primary Logon ID: (0x0,0x3E7)
Client User Name: SERVER01$
Client Domain: DOMAINA
Client Logon ID: (0x0,0x3E7)
Accesses DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
ConnectToServer
ShutdownServer
InitializeServer
CreateDomain
EnumerateDomains
LookupDomain

Privileges -

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 10/13/2005
Time: 2:53:25 AM
User: NT AUTHORITY\SYSTEM
Computer: SERVER01
Description:
Object Open:
Object Server: Security Account Manager
Object Type: SAM_DOMAIN
Object Name: SERVER01
New Handle ID: 791352
Operation ID: {0,18509279}
Process ID: 372
Primary User Name: SERVER01$
Primary Domain: DOMAINA
Primary Logon ID: (0x0,0x3E7)
Client User Name: SERVER01$
Client Domain: DOMAINA
Client Logon ID: (0x0,0x3E7)
Accesses DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
ReadPasswordParameters
WritePasswordParameters
ReadOtherParameters
WriteOtherParameters
CreateUser
CreateLocalGroup
GetLocalGroupMembership
ListAccounts
LookupIDs
AdministerServer

Privileges -

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 562
Date: 10/13/2005
Time: 2:53:25 AM
User: NT AUTHORITY\SYSTEM
Computer: SERVER01
Description:
Handle Closed:
Object Server: Security Account Manager
Handle ID: 791352
Process ID: 372


Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 562
Date: 10/13/2005
Time: 2:53:25 AM
User: NT AUTHORITY\SYSTEM
Computer: SERVER01
Description:
Handle Closed:
Object Server: Security Account Manager
Handle ID: 737064
Process ID: 372

Roger Abell [MVP]

You are seeing the System account on Server01 get handles to
its SAM that allow it to do just about anything to it.

Steven Umbach

It looks like the server accessed its SAM, which is where local user and group
info is stored. That in itself would not necessarily be a concern. I would check
the security log for logon and account logon events. If unexplained logons are
shown or there are a lot of failed logons, that could be a reason for
concern. --- Steve
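As an added example, not code from the thread or from either reply, here is a small Python triage script that parses security-log records in the exported text layout posted above and applies the check the replies describe: a 560 open of the Security Account Manager is the expected local pattern when the client is the machine's own account under the SYSTEM logon session (logon ID 0x3E7), and any other client is set aside for review. It assumes the text layout shown in the thread and takes the computer name as a parameter; the sample record is an abridged copy of the SAM_DOMAIN open and its handle close from the post.

```python
import re
# Constructed sample in the layout of the records quoted above: the thread's
# SAM_DOMAIN open and its matching handle close, abridged to the fields used here.
SAMPLE_LOG = """\
Event Type: Success Audit
Event ID: 560
Object Server: Security Account Manager
New Handle ID: 791352
Client User Name: SERVER01$
Client Logon ID: (0x0,0x3E7)
Accesses DELETE
CreateUser
Privileges -
Event Type: Success Audit
Event ID: 562
Object Server: Security Account Manager
Handle ID: 791352
"""
SYSTEM_LOGON_ID = "(0x0,0x3E7)"  # well-known LUID of the local SYSTEM logon session

def parse_records(text):
    """One dict per record; bare lines after 'Accesses' are the granted rights."""
    records = []
    for chunk in filter(str.strip, re.split(r"(?m)^(?=Event Type:)", text)):
        rec, rights = {}, []
        for line in map(str.strip, chunk.splitlines()):
            m = re.match(r"^([A-Za-z ]+):\s*(.*)$", line)
            if m:
                rec[m.group(1)] = m.group(2)
            elif line.startswith("Accesses "):
                rights.append(line.split(" ", 1)[1])
            elif line and not line.startswith("Privileges"):
                rights.append(line)  # continuation line of the access list
        rec["Accesses"] = rights
        records.append(rec)
    return records

def triage_sam_access(text, computer):
    """Split 560 SAM opens into (benign, suspicious): benign is the pattern the
    replies describe, the machine's own account under the SYSTEM logon session."""
    records = parse_records(text)
    closed = {r["Handle ID"] for r in records if r.get("Event ID") == "562"}
    benign, suspicious = [], []
    for r in records:
        if r.get("Event ID") != "560" or r.get("Object Server") != "Security Account Manager":
            continue
        r["closed"] = r.get("New Handle ID") in closed  # matching 562 seen for this handle?
        own = r.get("Client User Name") == computer + "$" and r.get("Client Logon ID") == SYSTEM_LOGON_ID
        (benign if own else suspicious).append(r)
    return benign, suspicious
```

Anything that lands in the suspicious list is where Steve's advice applies: pull the logon and account logon events around that time for the same client logon ID.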