Re: Failure audit in security log
From: Eric Fitzgerald [MS] (ericf@online.microsoft.com)
Date: 11/02/02
- Next message: Eric Fitzgerald [MS]: "Re: Auditing AD: Analyzing event 565"
- Previous message: gabriele guasco: "exporting certificate request for offline signing and then re-import them"
- In reply to: AiKay: "Re: Failure audit in security log"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Eric Fitzgerald [MS]" <ericf@online.microsoft.com> Date: Fri, 1 Nov 2002 16:48:17 -0800
In Windows .NET Server we are adding the IP address of the remote client to
the logon audit. There's not much else to do after the fact with Windows
2000 or XP.
If you suspect that there is an attack (in other words worth your time), and
this is a recurring issue, you could set up NetMon (from Microsoft Systems
Management Server) and specify a capture filter to only capture interesting
traffic.
Eric
"AiKay" <iwazeer2@hotmail.com> wrote in message
news:u2rtoLbgCHA.2424@tkmsftngp11...
> Eric,
>
> Thanks for your answers. I already tried nbtstat and also checked my arp
> cache but didn't find anything.
>
> Imran
> "Eric Fitzgerald [MS]" <ericf@online.microsoft.com> wrote in message
> news:3dc18f3c$1@news.microsoft.com...
> > One more note: to actually see the remote machine's IP address, you have to
> > issue the command:
> > nbtstat -c
> > after the nbtstat -a command.
> >
> > Eric
> >
> > "Eric Fitzgerald [MS]" <ericf@online.microsoft.com> wrote in message
> > news:3dc18ef2$1@news.microsoft.com...
> > > If the workstation is on the same subnet as you, or if it points to your
> > > WINS environment, then the following command will return the machine's IP
> > > address:
> > >
> > > nbtstat -a workstationname
> > >
> > > If the machine is not resolvable by WINS or broadcast, then no, you can't
> > > get any more information about it after the fact.
> > >
> > > Eric
> > >
> > >
> > > "AiKay" <iwazeer2@hotmail.com> wrote in message
> > > news:#F#gxFPgCHA.2256@tkmsftngp12...
> > > > I saw some Failure audits in my security log with Event Code Ids 529 and
> > > > 681. The log (in event viewer) only shows a workstation name in the
> > > > Workgroup domain. Is there any way I can find out more information about that
> > > > workstation or try to gather more information that will be useful for my
> > > > network security person?
> > > >
> > > > Aikay
> > > >
> > > >
> > >
> > >
> >
> >
>
>
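One way to hand the network security person something usable from the 529/681 failure audits discussed in this thread is to tally them by workstation name and account before resolving the name with nbtstat or setting up a capture. This is an added example, not part of the original thread; the event description layout, the field labels and every name in the sample are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: (event ID, description text). The description layout is
# the one assumed here for Windows 2000/XP events 529 and 681; names are made up.
SAMPLE_EVENTS = [
    (529, "Logon Failure:\n\tReason:\t\tUnknown user name or bad password\n"
          "\tUser Name:\tadministrator\n\tDomain:\t\tWORKGROUP\n"
          "\tLogon Type:\t3\n\tWorkstation Name:\tLAB-PC7\n"),
    (681, "The logon to account: administrator\n"
          " by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
          " from workstation: lab-pc7\n failed. The error code was: 3221225578\n"),
    (529, "Logon Failure:\n\tReason:\t\tUnknown user name or bad password\n"
          "\tUser Name:\t\n\tDomain:\t\tWORKGROUP\n"
          "\tLogon Type:\t3\n\tWorkstation Name:\tLAB-PC7\n"),
    (681, "The logon to account: backup\n"
          " by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
          " from workstation: KIOSK2\n failed. The error code was: 3221225572\n"),
    (528, "Successful Logon:\n\tUser Name:\talice\n\tWorkstation Name:\tLAB-PC7\n"),
]

# Per event ID: (workstation field, account field). [ \t]* keeps a blank field
# from swallowing the next line.
FIELDS = {
    529: (r"Workstation Name:[ \t]*([^\r\n]*)", r"User Name:[ \t]*([^\r\n]*)"),
    681: (r"from workstation:[ \t]*([^\r\n]*)", r"logon to account:[ \t]*([^\r\n]*)"),
}

def _field(pattern, text):
    m = re.search(pattern, text)
    return m.group(1).strip() if m else ""

def summarize_failures(events):
    """Map workstation name -> Counter of (event_id, account) for 529/681 only."""
    summary = {}
    for event_id, text in events:
        if event_id not in FIELDS:
            continue  # not one of the failure audits this thread is about
        ws_pat, acct_pat = FIELDS[event_id]
        workstation = _field(ws_pat, text).upper() or "(blank)"
        account = _field(acct_pat, text).lower() or "(blank)"
        summary.setdefault(workstation, Counter())[(event_id, account)] += 1
    return summary

def noisy_workstations(summary, threshold=3):
    """Workstation names with at least `threshold` failures, sorted."""
    return sorted(w for w, c in summary.items() if sum(c.values()) >= threshold)

if __name__ == "__main__":
    for ws, counts in summarize_failures(SAMPLE_EVENTS).items():
        print(ws, dict(counts))
```

The workstation name in these events is supplied by the client, so a tally like this narrows down where to look rather than proving which machine sent the logons.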