Greetings,
We have a SIEM solution that correlates events from several Windows servers (2003 & 2008).
Many events from different servers have in the "Acting user" field these users:
none, null, nobody (mapped), network service, \admincom, \system, \anonymous logon, network service, or the hostname with a "$" at the end.
We are triyng to configure a notification based on the formal server administrators but appears this other users...
Can you explain wich security concerns we need to have with this users?
Deal