Re: Event Security
From: Karl Levinson [x y] \(MVP\) (levinson_k@excite.com)
Date: 10/17/02
- In reply to: Michael J. Demirdjian: "Event Security"
From: "Karl Levinson [x y] \(MVP\)" <levinson_k@excite.com> Date: Thu, 17 Oct 2002 10:33:19 -0400
The firewall logs are the first place to look. [Look for packets to your
web server that are permitted through, and note the port number.] If the
user is using IIS to test the passwords and you have a lot of traffic, it
may be difficult to see the attacker. Try synching the clocks on your
firewall and Windows system [ideally using an internet NTP server] and try
to match up the logs. Try looking at the logs for a time of day when you
have little traffic, perhaps the middle of the night.

If the user is using IIS to try the passwords, those events should be seen
in your IIS logs. I'm not sure of the exact error message, but I'm guessing
401.? possibly 401.1 [see http://www.cio-dpi.gc.ca/clf-upe/7/err_e.asp for
error message descriptions]. [My understanding is that IIS will not lock a
password out or deny a user login when the account is locked out, in which
case password guessing is a risk.]

If the user is using Windows Networking / NetBIOS instead of IIS to test the
passwords, your firewall is probably not configured correctly and should
probably be blocking more than it is.

"Michael J. Demirdjian" <flu_shot@bigfoot.com> wrote in message
news:#UpqnuddCHA.2060@tkmsftngp09...
> Hi There,
>
> We have a customer with a Windows 2000 Server and IIS, and it seems someone
> is running a tool to try to guess the password because. The event viewer
> kicks out a failed security audit every 3 seconds, and there are about 30
> failed audits with random user names. This happens once or twice a
> day.
>
> The server sits behind a firewall but how can we get the IP Address of the
> hacker preferably using the Windows 2000 server (event) audit service? Is
> there a way to track this hacker?
>
> The event ID that kicks is something like 529 but there is no IP address.
>
> You can tell the tool they are using is crude because of the type of
> user names and domains it tries, but I still want to catch this person and
> report them!
> Any help
> Thanks
> Mike
>
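
One way to run the IIS log check suggested in the reply above, as an added example that is not part of the original thread: it groups 401 responses by client IP and reports the densest burst per address, giving a time range to match against the firewall log. The log lines, field list, thresholds and function names are constructed for illustration, and the addresses come from documentation ranges.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in IIS W3C extended format (not from the original post).
# W3C-format IIS logs record time in UTC; allow for that when matching firewall logs.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2002-10-17 03:10:00 203.0.113.7 - GET /secure/ 401
2002-10-17 03:10:03 203.0.113.7 - GET /secure/ 401
2002-10-17 03:10:04 198.51.100.20 - GET /secure/ 401
2002-10-17 03:10:05 198.51.100.20 jsmith GET /secure/ 200
2002-10-17 03:10:06 203.0.113.7 - GET /secure/ 401
2002-10-17 03:10:09 203.0.113.7 - GET /secure/ 401
2002-10-17 03:10:12 203.0.113.7 - GET /secure/ 401
2002-10-17 09:30:00 203.0.113.7 - GET /secure/ 401
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            stamp = row["date"] + " " + row["time"]
            row["ts"] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
            yield row

def find_401_bursts(text, min_failures=5, window=timedelta(seconds=60)):
    """Return {client_ip: (first_ts, last_ts, count)} for the densest 401 burst per IP."""
    failures = defaultdict(list)
    for row in parse_w3c(text):
        if row.get("sc-status") == "401":
            failures[row["c-ip"]].append(row["ts"])
    bursts = {}
    for ip, stamps in failures.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until it spans at most `window`.
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= min_failures and count > bursts.get(ip, (None, None, 0))[2]:
                bursts[ip] = (stamps[start], stamps[end], count)
    return bursts
```

A single 401 followed by a 200, as from 198.51.100.20 in the sample, is a normal authentication challenge, which is why the check uses a count threshold rather than flagging every 401.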