Windows-Server-2008
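System automatically enables the Guest account
I'm having trouble with Windows Server 2008 R2. I disabled the Guest account and, for security purposes, set it so that its password cannot be changed.
A few days later, I noticed that the Guest account was enabled.
How can the system modify the Guest account automatically?
I checked the event log. It shows the following: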
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          10/20/2017 11:03:04 PM
    Event ID:      4738
    Task Category: User Account Management
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      WIN-GQC8F69I8P7
    Description:
    A user account was changed.

    Subject:
        Security ID:     SYSTEM
        Account Name:    WIN-GQC8F69I8P7$
        Account Domain:  WORKGROUP
        Logon ID:        0x3e7

    Target Account:
        Security ID:     WIN-GQC8F69I8P7\Guest
        Account Name:    Guest
        Account Domain:  WIN-GQC8F69I8P7

    Changed Attributes:
        SAM Account Name:     Guest
        Display Name:         <value not set>
        User Principal Name:  -
        Home Directory:       <value not set>
        Home Drive:           <value not set>
        Script Path:          <value not set>
        Profile Path:         <value not set>
        User Workstations:    <value not set>
        Password Last Set:    20/10/2017 11:03:04 CH
        Account Expires:      <never>
        Primary Group ID:     513
        AllowedToDelegateTo:  -
        Old UAC Value:        0x211
        New UAC Value:        0x211
        User Account Control: -
        User Parameters:      -
        SID History:          -
        Logon Hours:          All

    Additional Information:
        Privileges:           -

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>4738</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>13824</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8020000000000000</Keywords>
        <TimeCreated SystemTime="2017-10-20T16:03:04.790779000Z" />
        <EventRecordID>10641390</EventRecordID>
        <Correlation />
        <Execution ProcessID="488" ThreadID="5744" />
        <Channel>Security</Channel>
        <Computer>WIN-GQC8F69I8P7</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="Dummy">-</Data>
        <Data Name="TargetUserName">Guest</Data>
        <Data Name="TargetDomainName">WIN-GQC8F69I8P7</Data>
        <Data Name="TargetSid">S-1-5-21-1551155493-3377209804-688432216-501</Data>
        <Data Name="SubjectUserSid">S-1-5-18</Data>
        <Data Name="SubjectUserName">WIN-GQC8F69I8P7$</Data>
        <Data Name="SubjectDomainName">WORKGROUP</Data>
        <Data Name="SubjectLogonId">0x3e7</Data>
        <Data Name="PrivilegeList">-</Data>
        <Data Name="SamAccountName">Guest</Data>
        <Data Name="DisplayName">%%1793</Data>
        <Data Name="UserPrincipalName">-</Data>
        <Data Name="HomeDirectory">%%1793</Data>
        <Data Name="HomePath">%%1793</Data>
        <Data Name="ScriptPath">%%1793</Data>
        <Data Name="ProfilePath">%%1793</Data>
        <Data Name="UserWorkstations">%%1793</Data>
        <Data Name="PasswordLastSet">20/10/2017 11:03:04 CH</Data>
        <Data Name="AccountExpires">%%1794</Data>
        <Data Name="PrimaryGroupId">513</Data>
        <Data Name="AllowedToDelegateTo">-</Data>
        <Data Name="OldUacValue">0x211</Data>
        <Data Name="NewUacValue">0x211</Data>
        <Data Name="UserAccountControl">-</Data>
        <Data Name="UserParameters">-</Data>
        <Data Name="SidHistory">-</Data>
        <Data Name="LogonHours">%%1797</Data>
      </EventData>
    </Event>

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          10/20/2017 11:03:04 PM
    Event ID:      4724
    Task Category: User Account Management
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      WIN-GQC8F69I8P7
    Description:
    An attempt was made to reset an account's password.

    Subject:
        Security ID:     SYSTEM
        Account Name:    WIN-GQC8F69I8P7$
        Account Domain:  WORKGROUP
        Logon ID:        0x3e7

    Target Account:
        Security ID:     WIN-GQC8F69I8P7\Guest
        Account Name:    Guest
        Account Domain:  WIN-GQC8F69I8P7

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>4724</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>13824</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8020000000000000</Keywords>
        <TimeCreated SystemTime="2017-10-20T16:03:04.790779000Z" />
        <EventRecordID>10641391</EventRecordID>
        <Correlation />
        <Execution ProcessID="488" ThreadID="5744" />
        <Channel>Security</Channel>
        <Computer>WIN-GQC8F69I8P7</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="TargetUserName">Guest</Data>
        <Data Name="TargetDomainName">WIN-GQC8F69I8P7</Data>
        <Data Name="TargetSid">S-1-5-21-1551155493-3377209804-688432216-501</Data>
        <Data Name="SubjectUserSid">S-1-5-18</Data>
        <Data Name="SubjectUserName">WIN-GQC8F69I8P7$</Data>
        <Data Name="SubjectDomainName">WORKGROUP</Data>
        <Data Name="SubjectLogonId">0x3e7</Data>
      </EventData>
    </Event>
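I had been looking for several days. I realized that it happened at the same time every night. I guessed it might be a scheduled task, but I could not find anything in Task Scheduler. I used the Sysinternals tools and found the problem. There was a harmful VB script in the WMI service. Deleting it solved the problem!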
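A way to surface this pattern from exported Security events, as an added example that is not part of the original posts: it flags 4724/4738 events where SYSTEM (S-1-5-18) acts on the built-in Guest account (RID 501) and reports times of day that repeat across dates, which is the nightly recurrence described above. The function names and the 21 October events are constructed for illustration; the SIDs, event IDs and the 20 October timestamp come from the log in the question.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOCAL_SYSTEM = "S-1-5-18"       # well-known SID of the SYSTEM account
WATCHED_IDS = {"4724", "4738"}  # password reset attempt / user account changed

def parse_event(xml_text):
    """Flatten one Security event into a dict of System and EventData fields."""
    root = ET.fromstring(xml_text)
    rec = {d.get("Name"): d.text or "" for d in root.findall("e:EventData/e:Data", NS)}
    rec["EventID"] = root.findtext("e:System/e:EventID", namespaces=NS)
    rec["Time"] = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    rec["ProcessID"] = root.find("e:System/e:Execution", NS).get("ProcessID")
    return rec

def guest_changes_by_system(events):
    """Keep 4724/4738 events where SYSTEM acted on the built-in Guest (RID 501)."""
    return [e for e in events
            if e["EventID"] in WATCHED_IDS
            and e.get("SubjectUserSid") == LOCAL_SYSTEM
            and e.get("TargetSid", "").endswith("-501")]

def recurring_times(hits, min_days=2):
    """Map UTC HH:MM -> sorted dates, for times of day seen on at least min_days days."""
    days = defaultdict(set)
    for e in hits:
        date, clock = e["Time"].split("T")
        days[clock[:5]].add(date)
    return {t: sorted(d) for t, d in days.items() if len(d) >= min_days}

def make_event(event_id, time, subject_sid, target_sid):
    """Build a minimal event (constructed input, same schema as the XML in the question)."""
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
            f'<EventID>{event_id}</EventID><TimeCreated SystemTime="{time}" />'
            '<Execution ProcessID="488" ThreadID="5744" /></System><EventData>'
            f'<Data Name="TargetSid">{target_sid}</Data>'
            f'<Data Name="SubjectUserSid">{subject_sid}</Data></EventData></Event>')

MACHINE = "S-1-5-21-1551155493-3377209804-688432216"  # machine SID prefix from the question
SAMPLE = [
    make_event(4738, "2017-10-20T16:03:04.790779000Z", LOCAL_SYSTEM, MACHINE + "-501"),  # from the log
    make_event(4724, "2017-10-20T16:03:04.790779000Z", LOCAL_SYSTEM, MACHINE + "-501"),  # from the log
    make_event(4724, "2017-10-21T16:03:05.000000000Z", LOCAL_SYSTEM, MACHINE + "-501"),  # constructed
    make_event(4738, "2017-10-21T09:15:00.000000000Z", MACHINE + "-500", MACHINE + "-1001"),  # constructed
]

if __name__ == "__main__":
    hits = guest_changes_by_system([parse_event(x) for x in SAMPLE])
    print(len(hits), "SYSTEM-initiated Guest changes; recurring at", recurring_times(hits))
```

The ProcessID kept by `parse_event` identifies the process that wrote the event, which does not by itself name the component that requested the change.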
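I would try this: run RSOP.msc on this system.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Accounts: Guest account status
It should be disabled. If it is enabled, then you can see which GPO is applying that policy.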