Re: Security Log Failure Audit



The Source Network Address is used for the origin of the caller,
which in this case is an LPC by the machine itself and so it is not
populated.

"TimT" <TimT@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:DB3A999A-597E-4B76-9900-52DDD597D675@xxxxxxxxxxxxxxxx
Hi,

I'm trying to automate a process related to identifying and blocking IP
addresses of people trying to do brute force attacks on a server, primarily
via FTP.

Whenever an invalid logon occurs a "Failure Audit" event is written to the
security log, but the "Source Network Address" entry is always blank. Does
anyone know why this would be blank, and how to get it populated properly?

This is an SBS 2003/ISA 2004 config, w/ISA FTP and HTTP listeners configured
with "Requests appear to come from the original client".

The FTP and web sites in IIS are configured w/logging, and the actual
external IP address does appear in the logs, but it would be much easier if I
could just get the address from the failure audit event in the security log.

This is an example of the failure audit log entry when a bad FTP login
occurs:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 11/19/2006
Time: 10:16:12 AM
User: NT AUTHORITY\SYSTEM
Computer: MyServer
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: admin
Domain: MyDomain
Logon Type: 8
Logon Process: IIS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: MyServer
Caller User Name: MyServer$
Caller Domain: MyDomain
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 880
Transited Services: -
Source Network Address: -
Source Port: -


Thanks,
Tim
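Since the reply explains that the 529 event carries no client address (the logon is a local call made by IIS on the machine's own behalf), the practical source for the automation Tim describes is the IIS FTP log, where the external IP does appear. The following is an added example, not code from the thread or from Microsoft: it parses IIS 6 FTP W3C log lines, counts rejected PASS commands (sc-status 530, sc-win32-status 1326) per client IP, and reports addresses that cross a threshold inside a time window. The log lines are constructed for the demonstration, and the LAN range in NEVER_BLOCK is an assumption; the actual block (an ISA rule or firewall entry) is left to the reader's environment.

```python
"""Count failed FTP logons per client IP from IIS W3C logs.

Added example, not code from the thread. It assumes the IIS 6 FTP
W3C log layout ('#Fields:' header, one command per line, the session
number prefixed to the command as "[n]PASS", and sc-status 530 with
sc-win32-status 1326 for a rejected password). The sample lines below
are constructed for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample of an IIS 6 FTP log (W3C extended format).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2006-11-19 10:16:12
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-win32-status
2006-11-19 10:16:12 203.0.113.5 [1]USER admin 331 0
2006-11-19 10:16:12 203.0.113.5 [1]PASS - 530 1326
2006-11-19 10:16:14 203.0.113.5 [2]USER admin 331 0
2006-11-19 10:16:14 203.0.113.5 [2]PASS - 530 1326
2006-11-19 10:16:15 203.0.113.5 [3]USER administrator 331 0
2006-11-19 10:16:15 203.0.113.5 [3]PASS - 530 1326
2006-11-19 10:20:00 198.51.100.7 [4]USER tim 331 0
2006-11-19 10:20:01 198.51.100.7 [4]PASS - 230 0
2006-11-19 10:21:00 192.168.16.9 [5]USER tim 331 0
2006-11-19 10:21:00 192.168.16.9 [5]PASS - 530 1326
2006-11-19 10:21:05 192.168.16.9 [6]USER tim 331 0
2006-11-19 10:21:05 192.168.16.9 [6]PASS - 530 1326
2006-11-19 10:21:09 192.168.16.9 [7]USER tim 331 0
2006-11-19 10:21:09 192.168.16.9 [7]PASS - 530 1326
"""

# Internal ranges never proposed for blocking. Assumption: the SBS LAN is
# 192.168.16.0/24; a mistyped password from the LAN should not lock out the office.
NEVER_BLOCK = [ip_network("192.168.16.0/24"), ip_network("127.0.0.0/8")]


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # skip lines that do not match the declared layout
        yield dict(zip(fields, values))


def failed_logons(text):
    """Return {ip: [datetime, ...]} of rejected PASS commands (530 / win32 1326)."""
    failures = defaultdict(list)
    for rec in parse_w3c(text):
        # IIS 6 prefixes the FTP command with a session number, e.g. "[1]PASS".
        method = rec["cs-method"].split("]", 1)[-1]
        if method == "PASS" and rec["sc-status"] == "530" and rec["sc-win32-status"] == "1326":
            when = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            failures[rec["c-ip"]].append(when)
    return failures


def block_candidates(text, threshold=3, window=timedelta(minutes=10)):
    """Sorted IPs with at least `threshold` failures inside any `window`, excluding NEVER_BLOCK."""
    offenders = []
    for ip, times in failed_logons(text).items():
        addr = ip_address(ip)
        if any(addr in net for net in NEVER_BLOCK):
            continue
        times.sort()
        # Sliding window: do failures i .. i+threshold-1 fall inside one window?
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                offenders.append(ip)
                break
    return sorted(offenders)


if __name__ == "__main__":
    for ip in block_candidates(SAMPLE_LOG):
        print("block candidate:", ip)
```

Run it against the log files under the FTP site's logging directory instead of SAMPLE_LOG; a successful logon (sc-status 230) is never counted, so a legitimate user with one typo does not appear, and the window keeps a slow trickle of failures spread over a day from triggering a block.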




