I'll be the first to admit that I don't know a lot about computers, but the following entries in my security log seem very suspicious. Please tell me if I would be doing myself a favor by not looking at the security log or if these are something that needs further investigation. The ones that really worry me are in the 3rd sequence ... Bella and Luke are out of town, and I did not try to log in to their accounts.
I am running Windows XP Home Edition on a stand-alone PC that is not networked in any way, except for a simple dial-up connection. Any input will be greatly appreciated. Thanks!
Here are some that raised an eyebrow:
#1
Event Type: Success Audit
Event Source: Security
Event Category: Policy Change
Event ID: 612
Date: 7/21/2007
Time: 1:13:18 PM
User: NT AUTHORITY\SYSTEM
Computer: YOUR-3EH8TJLJXA
Description:
Audit Policy Change:
New Policy:
Success Failure
+ + Logon/Logoff
- - Object Access
- - Privilege Use
+ + Account Management
+ + Policy Change
+ + System
- - Detailed Tracking
- - Directory Service Access
+ + Account Logon
Changed By:
User Name: YOUR-3EH8TJLJXA$
Domain Name: WORKGROUP
Logon ID: (0x0,0x3E7)
Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 518
Date: 7/21/2007
Time: 1:13:18 PM
User: NT AUTHORITY\SYSTEM
Computer: YOUR-3EH8TJLJXA
Description:
An notification package has been loaded by the Security Account Manager. This package will be notified of any account or password changes.
Notification Package Name: scecli
Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 515
Date: 7/21/2007
Time: 1:13:18 PM
User: NT AUTHORITY\SYSTEM
Computer: YOUR-3EH8TJLJXA
Description:
A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.
Logon Process Name: DCOMSCM (LAN Manager Workstation Service also had a listing like this one)
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 7/21/2007
Time: 1:13:20 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: YOUR-3EH8TJLJXA
Description:
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0xC183)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}
Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 515
Date: 7/21/2007
Time: 1:13:38 PM
User: NT AUTHORITY\SYSTEM
Computer: YOUR-3EH8TJLJXA
Description:
A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.
Logon Process Name: RASMAN (Lots more like this ... with different names where this says RASMAN)
#2
Event Type: Success Audit
Event Source: Security
Event Category: Policy Change
Event ID: 621
Date: 7/21/2007
Time: 2:07:46 PM
User: YOUR-3EH8TJLJXA\Owner
Computer: YOUR-3EH8TJLJXA
Description:
System Security Access Granted:
Access Granted: SeServiceLogonRight
Account Modified: BUILTIN\BUILTIN
Assigned By:
User Name: Owner
Domain: YOUR-3EH8TJLJXA
Logon ID: (0x0,0xDD61)
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 551
Date: 7/21/2007
Time: 2:08:04 PM
User: YOUR-3EH8TJLJXA\Owner
Computer: YOUR-3EH8TJLJXA
Description:
User initiated logoff:
User Name: Owner
Domain: YOUR-3EH8TJLJXA
Logon ID: (0x0,0xdd61)
Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 512
Date: 7/21/2007
Time: 2:08:46 PM
User: NT AUTHORITY\SYSTEM
Computer: YOUR-3EH8TJLJXA
Description:
Windows is starting up.
Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 514
Date: 7/21/2007
Time: 2:08:46 PM
User: NT AUTHORITY\SYSTEM
Computer: YOUR-3EH8TJLJXA
Description:
An authentication package has been loaded by the Local Security Authority. This authentication package will be used to authenticate logon attempts.
Authentication Package Name: C:\WINDOWS\system32\LSASRV.dll : Negotiate (Lots of these "packages" listed)
#3
(The following series of failed logon attempts on each account repeats 3 times)
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 7/21/2007
Time: 2:28:45 PM
User: NT AUTHORITY\SYSTEM
Computer: YOUR-3EH8TJLJXA
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: Owner
Source Workstation: YOUR-3EH8TJLJXA
Error Code: 0xC000006A
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 7/21/2007
Time: 2:28:45 PM
User: NT AUTHORITY\SYSTEM
Computer: YOUR-3EH8TJLJXA
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Owner
Domain:
Logon Type: 2
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: YOUR-3EH8TJLJXA
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 7/21/2007
Time: 2:28:45 PM
User: NT AUTHORITY\SYSTEM
Computer: YOUR-3EH8TJLJXA
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: Bella
Source Workstation: YOUR-3EH8TJLJXA
Error Code: 0xC000006E
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 7/21/2007
Time: 2:28:45 PM
User: NT AUTHORITY\SYSTEM
Computer: YOUR-3EH8TJLJXA
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Bella
Domain:
Logon Type: 2
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: YOUR-3EH8TJLJXA
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 7/21/2007
Time: 2:28:45 PM
User: NT AUTHORITY\SYSTEM
Computer: YOUR-3EH8TJLJXA
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: Luke
Source Workstation: YOUR-3EH8TJLJXA
Error Code: 0xC000006E
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 7/21/2007
Time: 2:28:45 PM
User: NT AUTHORITY\SYSTEM
Computer: YOUR-3EH8TJLJXA
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Luke
Domain:
Logon Type: 2
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: YOUR-3EH8TJLJXA
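
An added example, not part of the original post: one way to triage entries like the third sequence is to parse the pasted Event Viewer text, group the Event ID 680 failures by timestamp, and decode the error codes to their standard NTSTATUS names. The sample text is constructed from the fields shown above, and the function names are hypothetical.

```python
from collections import defaultdict

# Standard NTSTATUS names for the two error codes that appear in the post.
NTSTATUS = {"0xC000006A": "STATUS_WRONG_PASSWORD",
            "0xC000006E": "STATUS_ACCOUNT_RESTRICTION"}

# Constructed sample, trimmed to the fields used, in the post's copied layout.
SAMPLE = """\
Event Type: Failure Audit
Event ID: 680
Date: 7/21/2007
Time: 2:28:45 PM
Logon account: Owner
Source Workstation: YOUR-3EH8TJLJXA
Error Code: 0xC000006A
Event Type: Failure Audit
Event ID: 680
Date: 7/21/2007
Time: 2:28:45 PM
Logon account: Bella
Source Workstation: YOUR-3EH8TJLJXA
Error Code: 0xC000006E
Event Type: Success Audit
Event ID: 512
Date: 7/21/2007
Time: 2:08:46 PM
Description:
Windows is starting up.
"""

def parse_events(text):
    """Split pasted Event Viewer text into one dict per event."""
    events = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if key.strip() == "Event Type":      # every entry starts with this field
            events.append({})
        if sep and events:                   # lines without "Key: value" are skipped
            events[-1][key.strip()] = value.strip()
    return events

def failed_logon_bursts(events, min_accounts=2):
    """Group Event ID 680 failures by timestamp; keep multi-account bursts."""
    bursts = defaultdict(dict)
    for ev in events:
        if ev.get("Event Type") == "Failure Audit" and ev.get("Event ID") == "680":
            code = ev.get("Error Code", "")
            when = (ev.get("Date"), ev.get("Time"))
            bursts[when][ev.get("Logon account")] = NTSTATUS.get(code, code)
    return {w: a for w, a in bursts.items() if len(a) >= min_accounts}
```

Failures against several accounts within the same second, all from the local workstation name, show up as a single burst keyed by date and time.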