Access Denied - Where is it coming from?

From: Keith C. Jakobs, MCP (elohir@hotmail.com)
Date: 06/27/02


From: "Keith C. Jakobs, MCP" <elohir@hotmail.com>
Date: Thu, 27 Jun 2002 21:10:17 GMT


Greetings all:

A few days ago, one of my member servers suddenly started filling up the
Security Log with error 534, logon failure due to user not being granted
requested logon type. Though it is not continuous, it will flood the
security log several times a day.

Initially, I noticed that it was the SYSTEM account being denied!!!!! But
after looking up the error values, it was denying the SYSTEM account a
Network logon using the Kerberos Logon Process. Now someone please correct
me if I am wrong, but the SYSTEM account should never be accessing a
computer across the network, right??? If I am wrong I guess I don't have as
much of a problem but my question still applies:

So, does anyone know how I can find out what is trying to log on to my
system? Is it a bug? A new virus? A network service? RPC call?? Am I
being hacked? Or is something running in the background or scheduled to run
at a certain time? Is there any logging or tracing I need or can do to help
find out what is attempting to log on??

Thanks in advance for anyone's help.

Keith C. Jakobs, MCP
elohir@hotmail.com
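One way to approach the question in the post, shown as an added example that is not part of the original message: tally the event 534 records by the workstation name, account, logon type and logon process each record carries, and merge them into bursts by time so that a recurring source or schedule stands out. The CSV export layout, host names, user names and timestamps below are constructed for the example.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: a CSV export of Security log records. The column
# layout, host names and timestamps are assumptions made for this example.
SAMPLE = """\
Date,EventID,UserName,LogonType,LogonProcess,Workstation
2002-06-25 09:00:02,534,SYSTEM,3,Kerberos,HOSTA
2002-06-25 09:00:05,534,SYSTEM,3,Kerberos,HOSTA
2002-06-25 09:00:09,534,SYSTEM,3,Kerberos,HOSTA
2002-06-25 11:15:40,528,jdoe,2,User32,SERVER1
2002-06-25 14:30:11,534,SYSTEM,3,Kerberos,HOSTB
2002-06-26 09:00:03,534,SYSTEM,3,Kerberos,HOSTA
2002-06-26 09:00:07,534,SYSTEM,3,Kerberos,HOSTA
"""

LOGON_TYPES = {"2": "Interactive", "3": "Network", "4": "Batch", "5": "Service"}
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def failure_bursts(export_text, gap=timedelta(minutes=10)):
    """Group event 534 records by source and merge those closer than `gap`.

    Returns {(workstation, user, logon type, process): [[first, last, count], ...]}.
    """
    rows = [r for r in csv.DictReader(io.StringIO(export_text)) if r["EventID"] == "534"]
    rows.sort(key=lambda r: r["Date"])  # this timestamp format sorts correctly as text
    bursts = defaultdict(list)
    for r in rows:
        when = datetime.strptime(r["Date"], TIME_FORMAT)
        logon_type = LOGON_TYPES.get(r["LogonType"], r["LogonType"])
        runs = bursts[(r["Workstation"], r["UserName"], logon_type, r["LogonProcess"])]
        if runs and when - runs[-1][1] <= gap:
            runs[-1][1] = when      # extend the current burst
            runs[-1][2] += 1
        else:
            runs.append([when, when, 1])  # start a new burst
    return dict(bursts)


if __name__ == "__main__":
    for source, runs in failure_bursts(SAMPLE).items():
        print(" / ".join(source))
        for first, last, count in runs:
            print(f"  {first} -> {last}  {count} failures")
```

A source whose bursts begin at the same time each day points toward a scheduled task or service on that workstation rather than an interactive user.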


