SBS 2K3 event id 528 logon type 10 inexplicable.
Hi there technet.
I got an issue with security on my customers SBS 2k3 r2 server.
In the event logs i see several event id's 528 with logon type 10 on the administrator account.(that is not used by us or the company)
I looked in to it and i can't get an explanation for it who logs in with the account.
Event id 528 is a login id and the logon type 10 says it is either a rdp logon or a terminal service logon.
The problem is that the source network adress should reveal the ip adress of the one who is login on to the server.
thats the issue i'm facing cause the source network adress is specified as the ip adress of the server itself.
My question. Can someone explain to me how this can be?
Should i get worried and take meassures?
He is the info of one of the logins. I will mask domain names for privacy issue's offcourse.
Successful Logon:
User Name: administrator
Domain: XXXXX
Logon ID: (0x0,0x85111F4)
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: SERVER
Logon GUID: {b86054ef-ffe4-b5b7-fd7a-83144758c4d7}
Caller User Name: SERVER$
Caller Domain: XXXXX
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 7492
Transited Services: -
Source Network Address: 192.168.16.1
Source Port: 16643
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Kind regards,
DiKkieDIK
February 4th, 2011 3:42am