Who can explain this? Has any possible answer?



jiangjinhai
07-10-2005, 02:07 AM
One day when I browse security event logs on one of my user's computer ,I
found some abnormal thing :

Event Properties
Date: 5/9/2005 source: Security
time: 5:45:27 AM Category:Logon/Logoff
type: Failure Audit event ID:531
user:NT AUTHORITY\SYSTEM
computer:BSGQ

Logon Failure:
Reason: Account currently disabled
User Name: IUSR_BSGQ
Domain: BSGQ
Logon Type: 3
Logon Process:IIS
Authentication Package:MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name:BSGQ

Enviorment: The computer's operation system is WindowsXP English sp2.
The computer belongs to a Domain.
The computer user only has Domain Users privilege .
The computer has never installed IIS.(I check this on the
computer.)

Why? What happened?

Lesley Kipling [MSFT]
07-10-2005, 02:08 AM
Hi.



Well, I would suggest that it is most likely that at some stage somebody has
installed IIS on the system.



The 531 Logon Failure: Account currently disabled should have more
information associated with it to tell you from where the call is happening
and possibly even the process ID (specific to the machine the call is being
made from) that is trying to use this account.



HTH, Les



This posting is provided "AS IS" with no warranties, and confers no rights.


"jiangjinhai" <jiangjinhai@citiz.net> wrote in message
news:OAtwKriVFHA.2572@TK2MSFTNGP14.phx.gbl...
> One day when I browse security event logs on one of my user's computer ,I
> found some abnormal thing :
>
> Event Properties
> Date: 5/9/2005 source: Security
> time: 5:45:27 AM Category:Logon/Logoff
> type: Failure Audit event ID:531
> user:NT AUTHORITY\SYSTEM
> computer:BSGQ
>
> Logon Failure:
> Reason: Account currently disabled
> User Name: IUSR_BSGQ
> Domain: BSGQ
> Logon Type: 3
> Logon Process:IIS
> Authentication Package:MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Workstation Name:BSGQ
>
> Enviorment: The computer's operation system is WindowsXP English sp2.
> The computer belongs to a Domain.
> The computer user only has Domain Users privilege .
> The computer has never installed IIS.(I check this on the
> computer.)
>
> Why? What happened?
>

jiangjinhai
07-10-2005, 02:08 AM
After I found the audit message,I inspected the computer and did not find
any footprint that IIS had been installed.
My company execute very seriously computer management method on the job-use
computer.The computer could not connect to internet and no cdrom.
The autdit infomation made me feeling worry about whether there would be any
privileges leak to normal user.
Windows XP is too complex!
Any more information who can tell me?


Who can explain this? Has any possible answer?