Windows-Server-2008

The system automatically enables the Guest account

  • October 25, 2017

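I ran into trouble while using Windows Server 2008 R2. I disabled the Guest account and, for security purposes, set it so that the password cannot be changed.

A few days later, I noticed that the Guest account had been enabled.

How can the system modify the Guest account automatically?

I checked the event log. It shows the following: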

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/20/2017 11:03:04 PM
Event ID:      4738
Task Category: User Account Management
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      WIN-GQC8F69I8P7
Description:
A user account was changed.

Subject:
   Security ID:        SYSTEM
   Account Name:       WIN-GQC8F69I8P7$
   Account Domain:     WORKGROUP
   Logon ID:       0x3e7

Target Account:
   Security ID:        WIN-GQC8F69I8P7\Guest
   Account Name:       Guest
   Account Domain:     WIN-GQC8F69I8P7

Changed Attributes:
   SAM Account Name:   Guest
   Display Name:       <value not set>
   User Principal Name:    -
   Home Directory:     <value not set>
   Home Drive:     <value not set>
   Script Path:        <value not set>
   Profile Path:       <value not set>
   User Workstations:  <value not set>
   Password Last Set:  20/10/2017 11:03:04 CH
   Account Expires:        <never>
   Primary Group ID:   513
   AllowedToDelegateTo:    -
   Old UAC Value:      0x211
   New UAC Value:      0x211
   User Account Control:   -
   User Parameters:    -
   SID History:        -
   Logon Hours:        All

Additional Information:
   Privileges:     -
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
   <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
   <EventID>4738</EventID>
   <Version>0</Version>
   <Level>0</Level>
   <Task>13824</Task>
   <Opcode>0</Opcode>
   <Keywords>0x8020000000000000</Keywords>
   <TimeCreated SystemTime="2017-10-20T16:03:04.790779000Z" />
   <EventRecordID>10641390</EventRecordID>
   <Correlation />
   <Execution ProcessID="488" ThreadID="5744" />
   <Channel>Security</Channel>
   <Computer>WIN-GQC8F69I8P7</Computer>
   <Security />
 </System>
 <EventData>
   <Data Name="Dummy">-</Data>
   <Data Name="TargetUserName">Guest</Data>
   <Data Name="TargetDomainName">WIN-GQC8F69I8P7</Data>
   <Data Name="TargetSid">S-1-5-21-1551155493-3377209804-688432216-501</Data>
   <Data Name="SubjectUserSid">S-1-5-18</Data>
   <Data Name="SubjectUserName">WIN-GQC8F69I8P7$</Data>
   <Data Name="SubjectDomainName">WORKGROUP</Data>
   <Data Name="SubjectLogonId">0x3e7</Data>
   <Data Name="PrivilegeList">-</Data>
   <Data Name="SamAccountName">Guest</Data>
   <Data Name="DisplayName">%%1793</Data>
   <Data Name="UserPrincipalName">-</Data>
   <Data Name="HomeDirectory">%%1793</Data>
   <Data Name="HomePath">%%1793</Data>
   <Data Name="ScriptPath">%%1793</Data>
   <Data Name="ProfilePath">%%1793</Data>
   <Data Name="UserWorkstations">%%1793</Data>
   <Data Name="PasswordLastSet">20/10/2017 11:03:04 CH</Data>
   <Data Name="AccountExpires">%%1794</Data>
   <Data Name="PrimaryGroupId">513</Data>
   <Data Name="AllowedToDelegateTo">-</Data>
   <Data Name="OldUacValue">0x211</Data>
   <Data Name="NewUacValue">0x211</Data>
   <Data Name="UserAccountControl">-</Data>
   <Data Name="UserParameters">-</Data>
   <Data Name="SidHistory">-</Data>
   <Data Name="LogonHours">%%1797</Data>
 </EventData>
</Event>

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/20/2017 11:03:04 PM
Event ID:      4724
Task Category: User Account Management
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      WIN-GQC8F69I8P7
Description:
An attempt was made to reset an account's password.

Subject:
   Security ID:        SYSTEM
   Account Name:       WIN-GQC8F69I8P7$
   Account Domain:     WORKGROUP
   Logon ID:       0x3e7

Target Account:
   Security ID:        WIN-GQC8F69I8P7\Guest
   Account Name:       Guest
   Account Domain:     WIN-GQC8F69I8P7
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
   <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
   <EventID>4724</EventID>
   <Version>0</Version>
   <Level>0</Level>
   <Task>13824</Task>
   <Opcode>0</Opcode>
   <Keywords>0x8020000000000000</Keywords>
   <TimeCreated SystemTime="2017-10-20T16:03:04.790779000Z" />
   <EventRecordID>10641391</EventRecordID>
   <Correlation />
   <Execution ProcessID="488" ThreadID="5744" />
   <Channel>Security</Channel>
   <Computer>WIN-GQC8F69I8P7</Computer>
   <Security />
 </System>
 <EventData>
   <Data Name="TargetUserName">Guest</Data>
   <Data Name="TargetDomainName">WIN-GQC8F69I8P7</Data>
   <Data Name="TargetSid">S-1-5-21-1551155493-3377209804-688432216-501</Data>
   <Data Name="SubjectUserSid">S-1-5-18</Data>
   <Data Name="SubjectUserName">WIN-GQC8F69I8P7$</Data>
   <Data Name="SubjectDomainName">WORKGROUP</Data>
   <Data Name="SubjectLogonId">0x3e7</Data>
 </EventData>
</Event>

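I've been searching for several days. I realized that it happens every night at the same time. I guessed it might be a scheduled task, but then I couldn't find anything in Task Scheduler. I used the Sysinternals tools and found the problem. There was a harmful VB script in the WMI service. Delete it and the problem is solved!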
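The hunt described in the answer above, as an added example that is not part of the original post: it first groups the 4724/4738 events on the built-in Guest account by time of day, then lists WMI permanent event subscriptions with their trigger query and script. It uses built-in PowerShell instead of the Sysinternals tools the poster used, and it assumes the subscription was registered in the `root\subscription` namespace, which the post does not state.

```powershell
# Added example (not from the original post). Run from an elevated prompt on the server.
# Get-WmiObject and New-Object are used so it also runs on PowerShell 2.0 (Server 2008 R2).

# Part 1: when did SYSTEM (S-1-5-18) change or reset the built-in Guest account (RID 501)?
# Grouping by local time of day exposes a nightly, timer-driven pattern.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4724, 4738 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.TargetSid -like '*-501' -and $data.SubjectUserSid -eq 'S-1-5-18') {
            New-Object PSObject -Property @{
                EventId   = $_.Id
                TimeOfDay = $_.TimeCreated.ToString('HH:mm')
            }
        }
    } |
    Group-Object TimeOfDay | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Part 2: WMI permanent event subscriptions. These do not appear in Task Scheduler.
#   __EventFilter             : the WQL query that triggers the action
#   __EventConsumer           : the action (ActiveScriptEventConsumer holds VBScript/JScript,
#                               CommandLineEventConsumer holds a command line)
#   __FilterToConsumerBinding : ties one filter to one consumer
$ns        = 'root\subscription'   # assumption: namespace not named in the post
$filters   = @(Get-WmiObject -Namespace $ns -Class __EventFilter)
$consumers = @(Get-WmiObject -Namespace $ns -Class __EventConsumer)
$bindings  = @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding)
$cmp       = [StringComparison]::OrdinalIgnoreCase

foreach ($b in $bindings) {
    # Binding references may be full or relative object paths, so match on the tail.
    $f = $filters   | Where-Object { $b.Filter.EndsWith($_.__RELPATH, $cmp) }
    $c = $consumers | Where-Object { $b.Consumer.EndsWith($_.__RELPATH, $cmp) }
    New-Object PSObject -Property @{
        ConsumerClass = $c.__CLASS
        ConsumerName  = $c.Name
        Trigger       = $f.Query
        ScriptFile    = $c.ScriptFileName        # set only on ActiveScriptEventConsumer
        Script        = $c.ScriptText            # set only on ActiveScriptEventConsumer
        Command       = $c.CommandLineTemplate   # set only on CommandLineEventConsumer
    } | Format-List ConsumerClass, ConsumerName, Trigger, ScriptFile, Command, Script
}
```

A binding whose consumer is an ActiveScriptEventConsumer and whose trigger fires at the time of day found in part 1 is the one to review.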

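I would try this: run RSOP.msc on this system.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Accounts: Guest account status

It should be disabled. If it is enabled, then you can see which GPO is applying the policy.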

Source: https://serverfault.com/questions/879497