Guest
Hello,
I noticed the following events logged in one of my servers at an odd hour
last night. Can anyone provide more detail as to what they can be
interpreted as, and is this a possible intrusion?

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 10/13/2005
Time: 2:53:25 AM
User: NT AUTHORITY\SYSTEM
Computer: SERVER01
Description:
Object Open:
Object Server: Security Account Manager
Object Type: SAM_SERVER
Object Name: SAM
New Handle ID: 737064
Operation ID: {0,18509278}
Process ID: 372
Primary User Name: SERVER01$
Primary Domain: DOMAINA
Primary Logon ID: (0x0,0x3E7)
Client User Name: SERVER01$
Client Domain: DOMAINA
Client Logon ID: (0x0,0x3E7)
Accesses DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
ConnectToServer
ShutdownServer
InitializeServer
CreateDomain
EnumerateDomains
LookupDomain
Privileges -

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 10/13/2005
Time: 2:53:25 AM
User: NT AUTHORITY\SYSTEM
Computer: SERVER01
Description:
Object Open:
Object Server: Security Account Manager
Object Type: SAM_DOMAIN
Object Name: SERVER01
New Handle ID: 791352
Operation ID: {0,18509279}
Process ID: 372
Primary User Name: SERVER01$
Primary Domain: DOMAINA
Primary Logon ID: (0x0,0x3E7)
Client User Name: SERVER01$
Client Domain: DOMAINA
Client Logon ID: (0x0,0x3E7)
Accesses DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
ReadPasswordParameters
WritePasswordParameters
ReadOtherParameters
WriteOtherParameters
CreateUser
CreateLocalGroup
GetLocalGroupMembership
ListAccounts
LookupIDs
AdministerServer
Privileges -

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 562
Date: 10/13/2005
Time: 2:53:25 AM
User: NT AUTHORITY\SYSTEM
Computer: SERVER01
Description:
Handle Closed:
Object Server: Security Account Manager
Handle ID: 791352
Process ID: 372

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 562
Date: 10/13/2005
Time: 2:53:25 AM
User: NT AUTHORITY\SYSTEM
Computer: SERVER01
Description:
Handle Closed:
Object Server: Security Account Manager
Handle ID: 737064
Process ID: 372
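
As an added example (not part of the original post), the Python below parses events in this text layout and pairs each Event ID 560 "Object Open" record with the Event ID 562 "Handle Closed" record that shares its Process ID and Handle ID, keeping the list of access names requested on each handle. The function names and the abbreviated sample input are constructed for illustration.

```python
import re

# Constructed sample in the post's layout; handle 737064 has no 562 close.
SAMPLE = """\
Event Type: Success Audit
Event ID: 560
Object Type: SAM_SERVER
New Handle ID: 737064
Process ID: 372
Accesses ConnectToServer
Privileges -
Event Type: Success Audit
Event ID: 560
Object Type: SAM_DOMAIN
New Handle ID: 791352
Process ID: 372
Accesses DELETE
CreateUser
Privileges -
Event Type: Success Audit
Event ID: 562
Handle ID: 791352
Process ID: 372
"""

def parse_events(text):
    """Split a flat export into one dict of fields per event."""
    events = []
    for block in filter(str.strip, re.split(r"(?m)^(?=Event Type:)", text)):
        ev = dict(re.findall(r"(?m)^([A-Za-z ]+?):[ \t]*(\S.*)$", block))
        m = re.search(r"(?ms)^Accesses[ \t]+(.*?)^Privileges", block)
        ev["Accesses"] = m.group(1).split() if m else []
        events.append(ev)
    return events

def pair_handles(events):
    """Match 560 opens to 562 closes by (Process ID, Handle ID)."""
    opened, closed = {}, []
    for ev in events:
        if ev.get("Event ID") == "560":
            opened[(ev["Process ID"], ev["New Handle ID"])] = ev
        elif ev.get("Event ID") == "562":
            match = opened.pop((ev["Process ID"], ev["Handle ID"]), None)
            if match:
                closed.append(match)
    return closed, list(opened.values())

if __name__ == "__main__":
    print("no close seen:", [e["New Handle ID"] for e in pair_handles(parse_events(SAMPLE))[1]])
```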