Re: source of Failure Audits is Default Web Site

---

• From: David Wang <w3.4you@xxxxxxxxx>
• Date: Fri, 14 Mar 2008 21:46:46 -0700 (PDT)

---

On Mar 14, 11:26 am, "G" <gregstiger...@xxxxxxxxxxx> wrote:

I've inherited an apparently unmaintained environment. I notice that about
half of my Security events on my domain controller SVR2 are:
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date:  3/14/2008
Time:  1:44:25 PM
User:  NT AUTHORITY\SYSTEM
Computer: TMG-SVR2
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account: Administrator
 Source Workstation: SVR1
 Error Code: 0xC000006A

I start checking SVR1, a W2K box, and eventually find that stopping the
Default Web Site in IIS Admin stops these errors. We have the usual IISHelp,
IISAdmin, IISSamples, and an MSADC. There's a PerlEx web site that I gather
is ActiveState. And there are five websites from a vendor-provided Altiris
offering. Directory Security varies among Anonymous access with Username
IUSR_SVR1 and "Allow IIS to control password" checked, Basic Authentication
with no Domain Name set, and Integrated Windows authentication. I suspect
there is a problem with the IUSR_SVR1 Internet Guest Account, which I do as
a local user on SVR1 as a member of Guests, with Password never expires and
User cannot change password.

At this point, I'm not sure what to do with this. What are good solutions at
ths point?
________
Greg Stigers, MCSA
remember to vote for the answers you like

How can a problem with user name IUSR_SVR1 become an event for
Administrator?

Perhaps someone is attempting to hack the Administrator account using
the fact that Authentication is enabled on the web server so that they
can attempt login as anyone, including Administrator.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
.

---

• Follow-Ups:
  • Re: source of Failure Audits is Default Web Site
    • From: G

• References:
  • source of Failure Audits is Default Web Site
    • From: G

• Prev by Date: source of Failure Audits is Default Web Site
• Next by Date: Problem with https and IE (and safari) on Mac os
• Previous by thread: source of Failure Audits is Default Web Site
• Next by thread: Re: source of Failure Audits is Default Web Site
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: The local policy of this system does not permit you to logon i ... Security policies were propagated with warning. ... Error 0x534 occurs when a user account in one or more Group Policy objects ... I have checked the security policies & the administrator profile is not ... (microsoft.public.windows.server.sbs) [EC-SA-01.2003] Windows XP "welcome screen" exposes the names of all the members of the l ... logon screen with what is called "Welcome Screen". ... (including the original administrator account, ... Using the "welcome screen" actually disables / ignores the security ... (Bugtraq) Re: Is it really true that NTFS is secure? ... The account Group got put back in the Administrator group again. ... Event Source: Security ... The logon to account: Administrator ... (microsoft.public.security) Re: XP home Administrative Password Hacked Over internet..HOW? ... What settings are most likely the ... off - took advantage of lax security settings they found on the moms ... After getting the Administrator account password reset to a pass phrase, ... (microsoft.public.windowsxp.general) Re: Is it really true that NTFS is secure? ... The account Group got put back in the Administrator group again. ... Event Source: Security ... The logon to account: Administrator ... (microsoft.public.security)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > microsoft.public.inetserver.iis.security  > 2008-03