Re: Server 2003 failed logon/logoff audit records



<danielhopkins@xxxxxxxxx> wrote in message news:1133558959.542177.58150@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I am running Server 2003 Standard edition as a public webserver.
Recently the server has been experiencing numerous login attempts
resulting in the following audit log:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date: 12/2/2005
Time: 7:54:35 AM
User: NT AUTHORITY\SYSTEM
Computer: LONGS
Description:
Logon Failure:
 Reason: An error occurred during logon
 User Name: IUSR_WINSERVER2003
 Domain: *****
 Logon Type: 3
 Logon Process: ?Q
 Authentication Package: NTLM
 Workstation Name: *****
 Status code: 0xC000006D
 Substatus code: 0x0
 Caller User Name: -
 Caller Domain: -
 Caller Logon ID: -
 Caller Process ID: -
 Transited Services: -
 Source Network Address: **.***.***.***
 Source Port: 0

The question I have is, how is this logon event occurring?  The source
network address has the IP of the server itself, which would seem to
mean that whoever (or whatever) is trying to log in is doing so from the
actual machine?

What does the ?Q mean as a logon process?

Any answers or links would be much appreciated.

Thanks much,
Dan Hopkins



Is this server running IIS? The logon account is the IUSR_<server name>. Someone (or something - an application or process for example) seems to be failing to authenticate.

--
Arek Iskra
MVP for Windows Server - Software Distribution
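
An added example, not part of the thread: one way to triage an event 537 record like the one quoted above, by parsing its description fields, decoding the logon type and NTSTATUS codes, and checking whether the source address is one of the server's own. The masked values are replaced with constructed placeholders (EXAMPLE, 192.0.2.10), the function names are hypothetical, and the lookup tables are standard Windows values rather than anything stated in the thread.

```python
# Standard Windows logon types and NTSTATUS codes (not taken from the thread).
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 10: "RemoteInteractive"}
NTSTATUS = {0xC000006D: "STATUS_LOGON_FAILURE",
            0xC000006A: "STATUS_WRONG_PASSWORD",
            0xC0000064: "STATUS_NO_SUCH_USER",
            0xC0000072: "STATUS_ACCOUNT_DISABLED",
            0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT"}

# Constructed sample: same layout as the record in the thread, with the
# masked domain, workstation and address replaced by placeholders.
SAMPLE = """Logon Failure:
 Reason: An error occurred during logon
 User Name: IUSR_WINSERVER2003
 Domain: EXAMPLE
 Logon Type: 3
 Logon Process: ?Q
 Authentication Package: NTLM
 Workstation Name: EXAMPLE
 Status code: 0xC000006D
 Substatus code: 0x0
 Source Network Address: 192.0.2.10
 Source Port: 0
"""

def parse_event(text):
    """Turn 'Key: value' lines into a dict; lines with no value are skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields

def triage(fields, server_addresses):
    """Decode the numeric fields and flag attempts that originate locally.

    server_addresses is an assumption: the set of IPs bound to the server.
    """
    status = int(fields["Status code"], 16)
    substatus = int(fields["Substatus code"], 16)
    logon_type = int(fields["Logon Type"])
    return {
        "user": fields["User Name"],
        "logon_type": LOGON_TYPES.get(logon_type, f"unknown ({logon_type})"),
        "status": NTSTATUS.get(status, hex(status)),
        "substatus": NTSTATUS.get(substatus, hex(substatus)) if substatus else None,
        "auth_package": fields["Authentication Package"],
        "local_origin": fields["Source Network Address"] in server_addresses,
    }
```

Run over every 537 record in an exported Security log, grouping the results by `user` and `local_origin` separates failures generated on the server itself from remote attempts.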