Re: Logon Failures from unknown workstation

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 11/15/04


Date: Mon, 15 Nov 2004 22:38:32 GMT

That computer account does not necessarily have to be inside your network in
order for the computer name to appear in the security log. However, another
possibility is that someone had an unauthorized computer on the network such
as a laptop. Check your DNS records also in case it was a W2K/XP Pro
computer on the LAN that may have registered a dynamic DNS record. You might
also want to check the logs on your VPN servers to see if anything is
reported in the system logs if you have enabled logging of all events in the
server's properties in the RRAS console. You might also have log files for
your RRAS servers in the \system\system32\logfiles folder if that is enabled
for authentication requests. If RRAS logging is not enabled, now may be a
good time to do so. Below is an example of a failed logon via VPN that
was recorded in the "system" log of the VPN server [Windows 2003]. It does
not show the computer name in this case but you certainly could correlate
times for failed logons. --- Steve

Event Type: Warning
Event Source: RemoteAccess
Event Category: None
Event ID: 20189
Date: 11/15/2004
Time: 4:36:20 PM
User: N/A
Computer: SERVER1-2003
Description:
The user test1\administrator connected from 192.168.1.52 but failed an
authentication attempt due to the following reason: Authentication was not
successful because an unknown user name or incorrect password was used.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

"David V" <DavidV@discussions.microsoft.com> wrote in message
news:78D50AAF-6E12-4A33-A74E-D4DF14F35D57@microsoft.com...
> This morning I found the following events logged on both of our root domain
> controllers, 265 times within 1-1/2 minutes over the weekend:
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Account Logon
> Event ID: 681
> Date: 11/14/2004
> Time: 12:07:45 PM
> User: NT AUTHORITY\SYSTEM
> Computer: ROOTDC1
> Description:
> The logon to account: administrator
> by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> from workstation: AFREEMAN
> failed. The error code was: 3221225578
>
> There is no workstation in our forest named AFREEMAN; the name does not
> remotely fit our naming convention. We are thinking that, in order for the
> NetBIOS name to be logged, the workstation had to be on our internal network,
> but nobody is here on Sunday, there is no workstation by that name listed in
> DNS, and there is no entry in the DHCP server log for that day. We have
> searched the RRAS and ISA logs, and found nothing, and besides, the RRAS
> server would have been listed as the workstation in this log if it were
> someone coming through the VPN, right? Any ideas?
>
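As an added example (not code from either poster), the triage Steve suggests can be scripted: parse Event ID 681 records in the flat text layout quoted above, decode the NTSTATUS that the event prints as an unsigned decimal (3221225578 is 0xC000006A, STATUS_WRONG_PASSWORD), and flag the kind of burst David saw, many failures for one account from one workstation inside a short window. The sample records are constructed, and the second workstation WS-FIN-07 and account jsmith are hypothetical noise.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of Event ID 681 records in the flat layout quoted in the thread (WS-FIN-07/jsmith are hypothetical).
TEMPLATE = ("Event ID: 681\nDate: {d}\nTime: {t}\nComputer: ROOTDC1\nDescription:\n"
            "The logon to account: {a}\nby: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
            "from workstation: {w}\nfailed. The error code was: {c}\n")
SAMPLE_LOG = "\n".join(TEMPLATE.format(d="11/14/2004", t=t, a=a, w=w, c=c) for t, a, w, c in [
    ("12:07:45 PM", "administrator", "AFREEMAN", 3221225578),
    ("12:07:46 PM", "administrator", "AFREEMAN", 3221225578),
    ("12:08:10 PM", "administrator", "AFREEMAN", 3221225578),
    ("3:10:00 PM", "jsmith", "WS-FIN-07", 3221225578),
])

# Event 681 prints the NTSTATUS as an unsigned decimal; a few common values, named.
NTSTATUS = {0xC000006A: "STATUS_WRONG_PASSWORD", 0xC0000064: "STATUS_NO_SUCH_USER",
            0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT"}

def decode_error(code):
    return f"0x{code:08X} {NTSTATUS.get(code, 'unknown')}"

FIELD = re.compile(r"^(Event ID|Date|Time|Computer): (.*)$", re.M)
DESC = re.compile(r"account: (\S+).*?workstation: (\S+).*?code was: (\d+)", re.S)

def parse_681(text):
    """Split the flat log on blank lines and pull the fields a triage needs from each 681."""
    events = []
    for block in text.strip().split("\n\n"):
        hdr = dict(FIELD.findall(block))
        m = DESC.search(block)
        if hdr.get("Event ID") != "681" or not m:
            continue
        when = datetime.strptime(hdr["Date"] + " " + hdr["Time"], "%m/%d/%Y %I:%M:%S %p")
        events.append({"time": when, "dc": hdr["Computer"], "account": m[1],
                       "workstation": m[2], "code": int(m[3])})
    return events

def bursts(events, window=timedelta(seconds=90), threshold=3):
    """Return {(workstation, account): n} where n failures landed within one window."""
    by_key, flagged = {}, {}
    for e in sorted(events, key=lambda e: e["time"]):
        by_key.setdefault((e["workstation"], e["account"]), []).append(e["time"])
    for key, times in by_key.items():
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                flagged[key] = max(flagged.get(key, 0), j - i + 1)
    return flagged
```

The same timestamps can then be matched against the RRAS system log (Event ID 20189, shown above) to confirm or rule out the VPN path.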