Posted by Roger Abell [MVP] on October 3, 2006, 8:41 pm
> We monitor our Windows Security Logs using MOM 2005. We record all 626
> events where User Accounts are enabled. A lot of the data collected
> includes account names (Target Account Name) that are actually the name
> of workstations (e.g., ws-2884$) that have been added to the domain.
> Before we filter out this traffic I was wondering if these WS additions
> pose any kind of security threat and should be logged or reviewed. Any
> comments appreciated.
>
That is actually a quite interesting question, John.
I am assuming you are speaking of the events seen in the domain
controller logs. I will toss out some speculation and see what
others have to say.
I have to date not seen probeware using computer accounts, and it
is likely because a machine$ account has pretty limited capabilities.
It would be recognized as in Authenticated Users and Domain
Computers groups, but those hardly give it a leg up. The machine$
account does not have any real meaning on the machine itself. If the
randomized, strong password were to be intercepted (not likely)
then a bogus schannel could be formed that might make some brute
forcing a tad more convenient than it would otherwise be, etc. etc.
IOW it seems to me one needs to start chasing at straws to see
why, in the state of things today, success events for machine$ authN
would hold much/any value if retained.
Roger
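
An added example, not part of either post above: one way to take the workstation entries out of the 626 review queue without discarding them, by keeping the user-account enables as individual records and rolling the machine$ enables up into a count per caller. The sample events, account names and the CORP domain are constructed, and the script assumes the event description is available as text with the "Target Account Name" and "Caller User Name" labels.

```python
import re
from collections import Counter

# Constructed sample records (event_id, description). Field labels follow the
# event 626 description text; every account and domain name here is made up.
def _ev(event_id, target, caller):
    return (event_id,
            "User Account Enabled:\n"
            f"\tTarget Account Name:\t{target}\n"
            "\tTarget Domain:\tCORP\n"
            f"\tCaller User Name:\t{caller}\n"
            "\tCaller Domain:\tCORP\n")

SAMPLE_EVENTS = [
    _ev(626, "ws-2884$", "joinsvc"),
    _ev(626, "ws-2885$", "joinsvc"),
    _ev(626, "jsmith", "helpdesk1"),
    _ev(626, "ws-2886$", "helpdesk1"),
    _ev(624, "newuser", "helpdesk1"),  # not a 626, skipped before parsing
]

FIELD = re.compile(r"^[ \t]*([^:\n]+):[ \t]*(.*)$", re.MULTILINE)

def parse_fields(description):
    """Turn 'Label:<tab>value' lines of an event description into a dict."""
    return {k.strip(): v.strip() for k, v in FIELD.findall(description)}

def is_computer_account(name):
    # Assumption taken from the question: a trailing "$" marks a machine account.
    return name.endswith("$")

def triage(events):
    """Return (user enables to review, machine$ enables counted per caller)."""
    user_enables, computer_enables = [], Counter()
    for event_id, description in events:
        if event_id != 626:
            continue
        f = parse_fields(description)
        target = f.get("Target Account Name", "")
        caller = f.get("Caller Domain", "") + "\\" + f.get("Caller User Name", "")
        if is_computer_account(target):
            computer_enables[caller] += 1  # summarized, not dropped
        else:
            user_enables.append((target, caller))
    return user_enables, computer_enables

if __name__ == "__main__":
    users, computers = triage(SAMPLE_EVENTS)
    print("review:", users)
    print("machine$ enables per caller:", dict(computers))
```
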