When running gathering tasks, the following events can be seen in the security log on the MessageStats server:
"Computer: ALVQMSW01
Description:
Successful Network Logon:
User Name: svc-messagestats
Domain: Domain
Logon ID: (0x0,0x5BB56C49)
Logon Type: 8
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: ALVQMSW01
Logon GUID: {d5beeb30-ee10-fed4-04f5-412751f93456}
Caller User Name: svc-messagestats
Caller Domain: Domain
Caller Logon ID: (0x0,0x5BB53FB4)
Caller Process ID: 6116
Transited Services: -
Source Network Address: -
Source Port: -"
The type 8 (cleartext) logons are generated when the QMSExec process passes the task credentials to the local Windows operating system by calling the Windows API function LogonUser() in the Windows system DLL advapi32.dll.
If a process wishes to run as a particular Windows user, then the process needs to provide the user name and password to Windows. The LogonUser() function only accepts the password in cleartext form. Consequently, QMSExec must call LogonUser() with the MessageStats task credential password in cleartext form.
Because the LogonUser() function is part of Windows, nothing can be changed in MessageStats to prevent this event. Because the connection is made on the same machine (remote connections are not allowed using the LogonUser() function), it is not considered a security risk.
The Windows API function LogonUser() is documented at http://msdn.microsoft.com/en-us/library/windows/desktop/aa378184(v=vs.85).aspx.
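To separate the expected local LogonUser() events from other type 8 logons during log review, the following added example (not part of the original article or of MessageStats) parses the event text layout shown above and flags any type 8 logon that does not match the local pattern. The sample events are constructed, and the matching rules and the expected_accounts parameter are assumptions of this example.

```python
# Added example: triage of logon type 8 events in the text layout shown above.
# Sample events are constructed; the field checks are this example's assumptions.
LOCAL_EVENT = """Computer: ALVQMSW01
Description:
Successful Network Logon:
User Name: svc-messagestats
Logon Type: 8
Logon Process: Advapi
Workstation Name: ALVQMSW01
Caller User Name: svc-messagestats
Source Network Address: -
Source Port: -"""

# Constructed variant: same logon type, but arriving from another host.
REMOTE_EVENT = (LOCAL_EVENT
                .replace("Workstation Name: ALVQMSW01", "Workstation Name: WKS042")
                .replace("Source Network Address: -", "Source Network Address: 192.0.2.15"))


def parse_event(text):
    """Turn 'Field: value' lines into a dict; header lines with no value are skipped."""
    fields = {}
    for line in text.strip().strip('"').splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields


def triage_type8(text, expected_accounts=("svc-messagestats",)):
    """Return (verdict, reasons); 'expected-local' matches the LogonUser() pattern."""
    ev = parse_event(text)
    if ev.get("Logon Type") != "8":
        return "not-type-8", []
    reasons = []
    if ev.get("Source Network Address", "-") != "-":
        reasons.append("source address present: " + ev["Source Network Address"])
    if ev.get("Workstation Name", "").lower() != ev.get("Computer", "").lower():
        reasons.append("workstation differs from logging computer")
    if ev.get("Logon Process", "").lower() != "advapi":
        reasons.append("logon process is not Advapi")
    if ev.get("User Name", "").lower() not in expected_accounts:
        reasons.append("account is not an expected task account")
    return ("review" if reasons else "expected-local"), reasons


if __name__ == "__main__":
    for name, event in (("local", LOCAL_EVENT), ("remote", REMOTE_EVENT)):
        print(name, triage_type8(event))
```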