Why did my local desktop audit find a domain\SQLServerMachine$ logon record?
c*d
2
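I enabled logon auditing on my desktop and found many records like this one. The SQLServerMachine in them is a remote SQL Server. Why does it need to log on to my machine? Below is what I see in Event Viewer on my machine: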

An account was successfully logged on.

Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0

Logon Type: 3

New Logon:
    Security ID: domain\SQLServerMachine$
    Account Name: SQLServerMachine$
    Account Domain: domain
    Logon ID: 0x1710dcecb
    Logon GUID: {c1403d41-f164-c251-e02e-afc0257a7d7e}

Process Information:
    Process ID: 0x0
    Process Name: -

Network Information:
    Workstation Name:
    Source Network Address: xx.xx.xx.xx
    Source Port: 65262

Detailed Authentication Information:
    Logon Process: Kerberos
    Authentication Package: Kerberos
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
    - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Detail:

- System
    - Provider
        [ Name] Microsoft-Windows-Security-Auditing
        [ Guid] {54849625-5478-4994-A5BA-3E3B0328C30D}
    EventID 4624
    Version 0
    Level 0
    Task 12544
    Opcode 0
    Keywords 0x8020000000000000
    - TimeCreated
        [ SystemTime] 2014-05-30T14:07:16.118017600Z
    EventRecordID 203348
    Correlation
    - Execution
        [ ProcessID] 316
        [ ThreadID] 1140
    Channel Security
    Computer MYDesktop.domain
    Security
- EventData
    SubjectUserSid S-1-0-0
    SubjectUserName -
    SubjectDomainName -
    SubjectLogonId 0x0
    TargetUserSid S-1-5-21-416771471-1007560325-2299285661-3557
    TargetUserName SQLServerMachine$
    TargetDomainName domain
    TargetLogonId 0x1710dcecb
    LogonType 3
    LogonProcessName Kerberos
    AuthenticationPackageName Kerberos
    WorkstationName
    LogonGuid {C1403D41-F164-C251-E02E-AFC0257A7D7E}
    TransmittedServices -
    LmPackageName -
    KeyLength 0
    ProcessId 0x0
    ProcessName -
    IpAddress XX.xx.xx.xx
    IpPort 65262
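
An added example, not part of the original post: a small Python triage of 4624 records in the EventData layout shown above. It labels each logon by account kind (a trailing $ on the account name marks a computer account), logon type and authentication package, then counts logons per source address. The sample records, the alice/WS01 names and the addresses are constructed.

```python
import re
from collections import Counter
# Constructed sample (the post's "name value" layout); alice/WS01 and addresses are made up.
SAMPLE = """\
TargetUserName SQLServerMachine$
TargetDomainName domain
LogonType 3
AuthenticationPackageName Kerberos
WorkstationName
IpAddress 192.0.2.10

TargetUserName SQLServerMachine$
TargetDomainName domain
LogonType 3
AuthenticationPackageName Kerberos
IpAddress 192.0.2.10

TargetUserName alice
TargetDomainName domain
LogonType 3
AuthenticationPackageName NTLM
WorkstationName WS01
IpAddress 192.0.2.20
"""

def parse_events(text):
    """Split blank-line separated records into dicts; a bare name maps to ''."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.strip().partition(" ") for line in block.splitlines())
        events.append({name: value.strip() for name, _, value in pairs})
    return events

def classify(ev):
    """Label a record: account kind, logon type, authentication package."""
    kind = "computer" if ev.get("TargetUserName", "").endswith("$") else "user"
    ltype = {"2": "interactive", "3": "network"}.get(ev.get("LogonType"), "other")
    return kind, ltype, ev.get("AuthenticationPackageName", "-")

def summarize(text):
    """Count logons per (domain\\account, source address, classification)."""
    counts = Counter()
    for ev in parse_events(text):
        who = ev.get("TargetDomainName", "-") + "\\" + ev.get("TargetUserName", "-")
        counts[(who, ev.get("IpAddress", "-")) + classify(ev)] += 1
    return counts

if __name__ == "__main__":
    print(*summarize(SAMPLE).items(), sep="\n")
```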