TSInternetUser

[Guest]

I noticed an event log entry on one of my SBS2000 servers indicating a
password change attempt on TSInternetUser. Since I do not use the Internet
Licensor, I disabled the account. However, I noticed that the hit was at
exactly the same time each day. It's a pretty good bet that it will happen at
the same time today.

What can I do to capture the source IP address of the hit if/when it comes
today?

 

[Myweb]

Hello Brian,

Look here:
http://support.microsoft.com/kb/244057

Best regards

Myweb
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.

 

[Guest]

I ran into that article before I posted. However, several things made me
wonder if it was the system or an intruder.

1. I do not have Terminal Services Internet Connector Licensing enabled.
2. I saw quote a bit of info on the net concerning hack attempts using the
TSInternetUser account.
3. This has been happening only in the last week, so unless some Windows
Update awakened some sleeping process, it must be an outside force.
4. These are failure notices; the password was not successfully changed. One
would assume that anything done by Windows would be successful.