Hi all,
Ran the Event Viewer this morning (don't do this very often),
and noticed that there are many Failure Audits having ID=627,
SE_AUDITID_USER_PWD_CHANGED. These are run from my machine,
having User IDs
[my machine name]\SUPPORT_388945a0
[my machine name]\HelpAssistant
[my machine name]\ASPNET
and one SUCCESS AUDIT for user
[my machine name]\Guest
One thing to note is that I had just run the MS Baseline Security
Analyzer 2 from the MS website.
>>> Is this something to worry about?
The associated Help topic states:
...
User Action
If a single account has several password-change failures logged, it might be
under a password-guessing attack. Verify that such an attack is not
occurring. Otherwise, no user action is required.
If a single account has several password-change attempts logged, the user
might be trying to circumvent password-history policy.
...
>>> How would I "verify that an attack is not occurring"?
Thanks,
Chris
JackL - 30 Sep 2005 20:57 GMT
Hi Chris,
I don't know how you would verify the origin of a password guessing attack
except by running the usual antispyware/virus programs. However, I did read
somewhere that if you use the welcome screen to log onto your computer it
automatically attempts to log in to each user as standard and is normal
operating procedure. Hope this helps a bit!
JackL
Chris Kinata - 30 Sep 2005 22:03 GMT
Hi Jack,
Interesting...this is pretty deep stuff for me...thanks.
--Chris
||||| www.kinata.net web design and hosting