Re: Interpreting Security Audit Events
From: sjohnson (sjohnson@XsageYhospitalityZ.com)
Date: 01/10/03
- Next message: Michael Cargill: "Re: 128 encryption sites"
- Previous message: Rob Robinson: "popups and csrss.exe"
- In reply to: Karl Levinson [x y] mvp: "Re: Interpreting Security Audit Events"
- Next in thread: Karl Levinson [x y] mvp: "Re: Interpreting Security Audit Events"
- Reply: Karl Levinson [x y] mvp: "Re: Interpreting Security Audit Events"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "sjohnson" <sjohnson@XsageYhospitalityZ.com> Date: Fri, 10 Jan 2003 08:28:42 -0800
Thank you, Karl. We are using a firewall, but these
messages were logged by our Exchange server which makes me
suspect OWA is the source of the problem. The Exchange
server is not exposed to the Internet, rather it is behind
the firewall and there is a translation allowing a public
IP and incoming traffic on the specific TCP port(s) I
specify. I know that the hostname I saw in the audits
does not exist on our internal network, so what gives?
The firewall won't have logged communication it
deems "legit" (traffic on an allowed port to that IP) - so
I was hoping to glean more information from the security
audit event. (Or some other log somewhere...)
Thanks for digging so deep into this thread, though. I'd
really like to know what's going on here.
-S
>-----Original Message-----
>There is no native way to log IP addresses yet. You would need a firewall
>and to manually try to correlate your security log with your firewall log
>based on event timestamp, so be sure time is synchronised [or use a firewall
>software on your domain controller... I would probably be sure
>
>If people are logging onto your system from the internet, you need a
>firewall to block this. Period. You should really also block outbound
>communications that are unnecessary as well. Netbios uses TCP and UDP ports
>135 through 139 and 445, but there are lots of other ports you want to block
>in both directions. Everything should be blocked inbound except for replies
>and if you have servers such as web or mail servers that need to be visible
>from the internet. There are free firewalls, so there's no excuse.
>
>For more information:
>
>http://securityadmin.info/faq.htm#4.32
>http://securityadmin.info/faq.htm#firewall
>http://securityadmin.info/faq.htm#harden
>http://securityadmin.info/faq.htm#auditing
>
>
>"sjohnson" <sjohnson@XsageYhospitalityZ.com> wrote in message
>news:2fdd01c2b83f$c2cb50b0$89f82ecf@TK2MSFTNGXA01...
>> Is there any easy way to identify source based on these
>> events?
>>
>> Also - is there a place that I can reference different
>> logon processes and/or authentication packages?
>>
>> Thanks for your response, Eric.
>>
>> -Shannon
>>
>> >-----Original Message-----
>> >Hi,
>> >
>> >No, the logon process identifies which system component was used to process
>> >the logon, and the auth package indicates, to a large degree, which protocol
>> >was used. Logon Type indicates the source of the logon (2=interactive,
>> >3=network, 5=service, 7=unlock workstation). None of these uniquely
>> >identifies the source of the remote logon.
>> >
>> >Eric
>> >
>> >--
>> >Eric Fitzgerald
>> >Program Manager, Windows Auditing and Intrusion Detection
>> >Microsoft Corporation
>> >
>> >This posting is provided "AS IS" with no warranties, and confers no rights.
>> >
>> >"sjohnson" <sjohnson@XsageYhospitalityZ.com> wrote in message
>> >news:2d3001c2b816$93c70440$8df82ecf@TK2MSFTNGXA02...
>> >> Hello All-
>> >>
>> >> I have recently enabled security auditing for our NT4
>> >> domain and am seeing events that concern me, but I'm
>> >> having difficulty interpreting them or finding useful
>> >> information.
>> >>
>> >> Can someone help me understand? For instance, in this
>> >> text from an Event ID 529:
>> >> ---
>> >> logon failure:
>> >>
>> >> reason: unknown user name or bad password
>> >>
>> >> user name: administrator
>> >>
>> >> domain: raiden
>> >>
>> >> logon type: 3
>> >>
>> >> logon process: ntlmssp
>> >>
>> >> authentication package:
>> >> microsoft_authentication_package_v1_0
>> >>
>> >> workstation name: raiden
>> >> ---
>> >>
>> >> Would it be possible to use the "Authentication
>> >> Package", "Logon Process", and/or "Logon Type" as
>> >> identifying information? I've noticed that these items
>> >> change between different events - maybe I can use them to
>> >> help me find out more about these events.
>> >>
>> >> Thanks in advance,
>> >> Shannon
>> >
>> >
>
>
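The two technical points in this thread are Eric's explanation of the Event ID 529 fields (Logon Type 2/3/5/7, logon process, authentication package) and Karl's advice that, since NT4 does not log the client IP, the only route to a source is correlating the security log with the firewall log by timestamp. The following Python script is an added example, not code from any poster in this thread: it parses the 529 description quoted above into fields, labels the logon type using only the values Eric listed, and then matches the event against a constructed firewall log within a time window, optionally restricted to the NetBIOS/SMB ports Karl named. The event timestamp, the firewall log line format, and all IP addresses are constructed for the example; a real firewall's export format will differ and the regex would need adjusting.

```python
import re
from datetime import datetime, timedelta

# Logon Type values exactly as listed in Eric Fitzgerald's reply in this thread
LOGON_TYPES = {2: "interactive", 3: "network", 5: "service", 7: "unlock workstation"}

# NetBIOS/SMB ports named in Karl Levinson's reply (135 through 139, and 445)
NETBIOS_PORTS = {135, 136, 137, 138, 139, 445}

# Constructed sample: the Event ID 529 description from the thread, with an assumed event time
SAMPLE_EVENT = {
    "time": "2003-01-10 03:14:07",   # assumed; NT4 shows this in Event Viewer, not in the description
    "id": 529,
    "text": (
        "logon failure:\n"
        "reason: unknown user name or bad password\n"
        "user name: administrator\n"
        "domain: raiden\n"
        "logon type: 3\n"
        "logon process: ntlmssp\n"
        "authentication package: microsoft_authentication_package_v1_0\n"
        "workstation name: raiden\n"
    ),
}

# Constructed firewall log. Assumed format: "<date> <time> <action> <src> -> <dst>:<port>"
SAMPLE_FIREWALL_LOG = """\
2003-01-10 03:13:58 ACCEPT 203.0.113.45 -> 192.0.2.10:445
2003-01-10 03:14:05 ACCEPT 203.0.113.45 -> 192.0.2.10:139
2003-01-10 03:20:00 ACCEPT 198.51.100.7 -> 192.0.2.10:443
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"
FW_LINE = re.compile(r"^(\S+ \S+) (\w+) (\S+) -> (\S+):(\d+)$")


def parse_529(text):
    """Split the 'key: value' lines of a 529 description into a dict (keys lower-cased)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        value = value.strip()
        if sep and value:            # skips the bare "logon failure:" heading line
            fields[key.strip().lower()] = value
    if "logon type" in fields:
        fields["logon type"] = int(fields["logon type"])
    return fields


def describe_logon_type(logon_type):
    """Label a Logon Type; numbers not listed in the thread are reported, not guessed."""
    return LOGON_TYPES.get(logon_type, "unknown logon type %d" % logon_type)


def parse_firewall_log(text):
    """Parse the constructed firewall format into dicts with a datetime."""
    entries = []
    for line in text.splitlines():
        m = FW_LINE.match(line.strip())
        if not m:
            continue                 # tolerate headers or lines in another format
        when, action, src, dst, port = m.groups()
        entries.append({"time": datetime.strptime(when, TIME_FMT), "action": action,
                        "src": src, "dst": dst, "port": int(port)})
    return entries


def correlate(event, fw_entries, window_seconds=30, ports=None):
    """Firewall entries within +/- window_seconds of the event; optionally filter by dst port."""
    ev_time = datetime.strptime(event["time"], TIME_FMT)
    window = timedelta(seconds=window_seconds)
    hits = []
    for e in fw_entries:
        if abs(e["time"] - ev_time) > window:
            continue
        if ports is not None and e["port"] not in ports:
            continue
        hits.append(e)
    return hits


def candidate_sources(event, fw_text, **kw):
    """Distinct source IPs the firewall allowed through around the event time."""
    hits = correlate(event, parse_firewall_log(fw_text), **kw)
    return sorted({h["src"] for h in hits})


if __name__ == "__main__":
    fields = parse_529(SAMPLE_EVENT["text"])
    print("user:", fields["user name"], "| workstation:", fields["workstation name"])
    print("logon type:", describe_logon_type(fields["logon type"]))
    print("candidate sources:",
          candidate_sources(SAMPLE_EVENT, SAMPLE_FIREWALL_LOG, ports=NETBIOS_PORTS))
```

The window is measured against the server's own clock, which is why Karl's note about time synchronisation matters: if the domain controller and the firewall drift apart by more than the window, the correlation silently returns nothing, so widen `window_seconds` to cover the measured skew rather than tightening it. Leaving `ports=None` keeps the OWA (HTTP/HTTPS) entries in the candidate list, which is the right default when, as in Shannon's case, the exposed service is suspected to be Exchange rather than NetBIOS.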