Guest
Hi all,
Ran the Event Viewer this morning (don't do this very often),
and noticed that there are many Failure Audits having ID=627,
SE_AUDITID_USER_PWD_CHANGED. These are run from my machine,
having User IDs
[my machine name]\SUPPORT_388945a0
[my machine name]\HelpAssistant
[my machine name]\ASPNET
and one SUCCESS AUDIT for user
[my machine name]\Guest
One thing to note is that I had just run the MS Baseline Security
Analyzer 2 from the MS website.
The associated Help topic states:
....
User Action
If a single account has several password-change failures logged, it might be
under a password-guessing attack. Verify that such an attack is not
occurring. Otherwise, no user action is required.
If a single account has several password-change attempts logged, the user
might be trying to circumvent password-history policy.
....
Thanks,
Chris
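
Added example, not part of the original post: one way to apply the quoted help text to an exported Security log, separating several failures against a single account inside a short window from failures spread across several accounts, as in the post. The row layout, the thresholds, the `HOST` machine name and the `alice` account are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows: (timestamp, event ID, audit type, target account).
# "HOST" and "alice" are placeholders; none of this is taken from the poster's log.
SAMPLE = (
    [(f"2006-01-10T09:00:0{i}", 627, "Failure", acct)
     for acct in ("HOST\\SUPPORT_388945a0", "HOST\\HelpAssistant", "HOST\\ASPNET")
     for i in range(2)]
    + [("2006-01-10T09:00:05", 627, "Success", "HOST\\Guest")]
    + [(f"2006-01-11T14:0{i}:00", 627, "Failure", "HOST\\alice") for i in range(6)]
    + [("2006-01-12T08:00:00", 627, "Failure", "HOST\\alice")]
)

def failures(rows):
    """Time-sorted (datetime, account) pairs for event 627 failure audits only."""
    return sorted((datetime.fromisoformat(ts), acct)
                  for ts, event_id, audit, acct in rows
                  if event_id == 627 and audit == "Failure")

def repeated_failures(rows, threshold=5, window=timedelta(minutes=10)):
    """Accounts with >= threshold failures inside any one window, with that peak count."""
    per_account = defaultdict(list)
    for when, acct in failures(rows):
        per_account[acct].append(when)
    flagged = {}
    for acct, times in per_account.items():
        start = peak = 0
        for end, when in enumerate(times):
            while when - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[acct] = peak
    return flagged

def widest_sweep(rows, window=timedelta(minutes=1)):
    """Largest set of distinct accounts that logged failures inside one window."""
    events = failures(rows)
    best = set()
    for i, (t0, _) in enumerate(events):
        hit = {acct for when, acct in events[i:] if when - t0 <= window}
        if len(hit) > len(best):
            best = hit
    return best

if __name__ == "__main__":
    print(repeated_failures(SAMPLE))
    print(sorted(widest_sweep(SAMPLE)))
```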