Re: event IDs 681, 529 and error code 3221225572
From: Eric Fitzgerald [MSFT] (email@example.com)
From: "Eric Fitzgerald [MSFT]" <firstname.lastname@example.org> Date: Tue, 4 Mar 2003 16:36:40 -0800
I have been working with Evginy offline, but I wanted to address one issue
publicly as well:
The audit log does not convey intent. That is to say, it's rare that you
can look at the log (even rarer when looking at a single event out of the
context of the log) and say "That's a hacker".
The system will record the same event when the password doesn't match,
regardless of whether it's a hacker or a bad typist at the other end of the
connection- they system can't tell the difference.
You can sometimes deduce the intent (10 thousand bad password attempts vs.
Administrator in one minute is above any reasonable retry threshold), but
sometimes not (is one bad logon attempt per hour a hacker or is it a
scheduled process with bad credentials?).
Some rules of thumb:
1) Ignore single bad password events. If it only happens once, it's
probably not worth investigating.
2) When examining logon failures, go to the workstation that is generating
the bad requests and look for something there, particularly a service.
3) Don't assume it's a hacker until you rule out everything else.
-- Eric Fitzgerald Program Manager, Windows Auditing and Intrusion Detection Microsoft Corporation This posting is provided "AS IS" with no warranties, and confers no rights. "EAK" <email@example.com> wrote in message news:firstname.lastname@example.org... > Dear Eric Fitzgerald and others who responded to audit > questions, > > On many threads you have explained about event IDs 681, > 529 and error code 3221225572, e.g.: > > "681 is a failure event (account logon failure) in > the "Account Logon" > category of audits- it's generated when a security package > authenticates > your credentials. This occurs on the machine > authoritative for the account > being used- the local machine in the case of local > accounts ..." > > This is all good, but I noticed that you MS guys never > answer main question asked by hundreds of people: is it a > security problem? Is it a hacking? Shall we worry? What > shall be done, if anything? > > My problem is similar to others: on my W2k Pro workstation > I receive dozens logon failure audits per day about logon > attempts onto my machine's "default" account (does not > exist on my machine) from several workstations on our LAN, > and even from outsiders, with the event IDs 681, 529 and > error code 3221225572. It happens even over night, when > nobody is present and I am logged off. Two machines do it > much more often than others (both are Win ME). I checked > one - it is not infected. Could you please explain in > plain, user-friendly terms - what these logons mean in > terms of security? Norma or hacking attacks? Shell we do > something about it? How to stop it? > > Please answer to my e-mail in addition to posting in > threads - I may miss it there. > > Thank you in advance, > > EAK