Event Type: Success Audit
Event Source: Security
Event Category: Policy Change
Event ID: 612
Date: 4/15/2004
Time: 5:18:52 PM
User: NT AUTHORITY\SYSTEM
Computer: CP250405-A
Description:
Audit Policy Change:
New Policy:
Success Failure
+ + Logon/Logoff
+ + Object Access
+ + Privilege Use
+ + Account Management
+ + Policy Change
+ + System
- - Detailed Tracking
+ + Directory Service Access
+ + Account Logon

Changed By:
User Name: CP250405-A$
Domain Name: MSHOME
Logon ID: (0x0,0x3E7)

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Looks like a hacker attack that wants to prevent detection?

What do you think?

RE: Policy change, hacker attack ? by bobqin

bobqin
Fri Apr 16 06:28:57 CDT 2004

Hi Skybuck,

Thanks for your posting here.

In general, it is normal behavior. This event can be logged each time that
the server refreshes its local security policy. For example, a user applies a
security template to the machine by using the Security Configuration and
Analysis snap-in or a secedit command.

Have a nice day!

Regards,
Bob Qin
Product Support Services
Microsoft Corporation

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
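
Whether a 612 entry is a routine policy refresh or an actual reduction in auditing can be read from the New Policy table in the event description. The following is an added example, not part of the thread and not Microsoft code: it parses that table and reports only the events in which a Success or Failure audit category went from on to off. The function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample: Description text of an Event ID 612 record, laid out as
# in the post above (first column = Success, second column = Failure).
SAMPLE = """Audit Policy Change:
New Policy:
Success Failure
+ + Logon/Logoff
+ + Object Access
+ + Privilege Use
+ + Account Management
+ + Policy Change
+ + System
- - Detailed Tracking
+ + Directory Service Access
+ + Account Logon
"""

ROW = re.compile(r"^\s*([+-])\s+([+-])\s+(\S.*?)\s*$")  # "+ - Category name"

def parse_policy(description):
    """Return {category: (success_audited, failure_audited)}."""
    policy = {}
    for line in description.splitlines():
        m = ROW.match(line)
        if m:
            policy[m.group(3)] = (m.group(1) == "+", m.group(2) == "+")
    return policy

def weakened(before, after):
    """List (category, kind) pairs where auditing went from on to off."""
    lost = []
    for cat, (s_old, f_old) in before.items():
        s_new, f_new = after.get(cat, (False, False))
        if s_old and not s_new:
            lost.append((cat, "Success"))
        if f_old and not f_new:
            lost.append((cat, "Failure"))
    return lost

def triage(descriptions):
    """Given 612 descriptions in time order, return (index, lost) per reduction."""
    findings, prev = [], None
    for i, text in enumerate(descriptions):
        cur = parse_policy(text)
        if prev is not None and weakened(prev, cur):
            findings.append((i, weakened(prev, cur)))
        prev = cur
    return findings
```

A long run of identical 612 descriptions produces no findings, so repeated refreshes drop out and only a change that turns a category off is reported.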


RE: Policy change, hacker attack ? by anonymous

anonymous
Tue May 04 19:41:02 CDT 2004

I have a server that has those entries over and over, more than a couple of hundred times, sometimes 4-5 times in a second. Yet I know we have not applied domain policies to it; it does have local policies, but they don't get changed.

RE: Policy change, hacker attack ? by bobqin

bobqin
Wed May 05 03:57:24 CDT 2004

Would you please let me know your OS and the detailed error message?

In addition, please run the MPS Reporting tool on the problematic to
collect the system information for further research.

1. Visit the following web page:

http://microsoft.com/downloads/details.aspx?FamilyId=CEBF3C7C-7CA5-408F-88B7-F9C79B7306C0&displaylang=en

2. Download the file MPSRPT_SETUPPerf.EXE

3. Double-click MPSRPT_SETUPPerf.EXE to run the tool.

4. On your system a CAB file will be generated for your convenience in the
%systemroot%\MPSReports\Setup\<Report Type>\Cab directory called
%COMPUTERNAME%_MPSReports.CAB. The CAB file will contain the reports
generated by the MPS Reporting Tool. Please send the cab file to me by
email. (where %systemroot% is the Windows system folder, such as C:\Windows
or C:\Winnt)

Please send the result of MPS Reporting tool to me directly at
bobqin@microsoft.com

Thanks for your cooperation. I am looking forward to your response.

Regards,
Bob Qin
Product Support Services
Microsoft Corporation
