Re: What is NtLmSsp?

From: Steven L Umbach (n9rou@attbi.com)
Date: 04/15/03


From: "Steven L Umbach" <n9rou@attbi.com>
Date: Tue, 15 Apr 2003 01:16:33 GMT


        Someone is trying to log onto that computer as administrator from
the network. It could be the internet or a lan computer. NtLmSsp means it is
trying to use ntlm to log on, which pretty much rules out W2K/XP domain
machines if you have a domain. Try to ping computername. If it is on lan you
will probably resolve it if computer is still on and connected. If you are
connected to the internet and do not have a firewall, you need one. If it is
coming from the lan you should be able to track them down and do whatever it
is you do to people trying that stuff. To catch a lan hacker you could
configure a software firewall on your computer and log activity on ports 139
and 445 and compare entries in firewall log to failed authentication
attempts. --- Steve

http://securityadmin.info/faq.htm#firewalls
http://securityadmin.info/faq.htm#harden
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/com/htm/security_9qgg.asp

"Jason Cochrane" <jason@*spam*dpskc.com> wrote in message
news:e6bcJksADHA.1888@TK2MSFTNGP12.phx.gbl...
> In my Security Log, I have several failed attempts to logon to my network.
> Here is an example of the Event Properties:
>
> ***************************
> Type: Failure
> User: NT AUTHORITY\SYSTEM
> Source: Security
> Category: Logon/Logoff
> Event ID: 529
> Reason: Unknown user name or bad password
> User Name: Administrator
> Domain: ALAN
> Logon Type: 3
> Logon Process NtLmSsp
> Authentication Package: NTLM
> Workstation Name: \\ALAN
>
> **********************************************
>
> I would like to find out what IP this person is using so I can block it, or
> find out where it is coming from. What is the logon process NtLmSsp? I
> have not seen this phrase before. Also, how can I block people from trying
> this?
>
> Thx,
>
> Jason
>
>
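
The comparison suggested in the reply above (firewall log entries on ports 139 and 445 matched against failed authentication attempts), as an added example that is not part of the original thread. The firewall log layout, the addresses, the timestamps and the function names are constructed assumptions; adapt the parser to whatever your firewall actually writes.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed firewall log lines (assumed layout: date time action proto src dst sport dport).
FIREWALL_LOG = """\
2003-04-14 21:03:11 ALLOW TCP 192.0.2.45 192.0.2.10 3312 445
2003-04-14 21:03:12 ALLOW TCP 192.0.2.45 192.0.2.10 3313 139
2003-04-14 21:03:40 ALLOW TCP 192.0.2.77 192.0.2.10 1188 80
2003-04-14 21:07:02 ALLOW TCP 192.0.2.45 192.0.2.10 3320 445
2003-04-14 21:30:00 ALLOW TCP 192.0.2.90 192.0.2.10 2201 445
"""

# Constructed Event ID 529 records: (time, user name, workstation name).
FAILED_LOGONS = [
    ("2003-04-14 21:03:12", "Administrator", "\\\\ALAN"),
    ("2003-04-14 21:07:03", "Administrator", "\\\\ALAN"),
]

SMB_PORTS = {139, 445}
FMT = "%Y-%m-%d %H:%M:%S"

def parse_firewall(text):
    """Yield (timestamp, source IP) for TCP connections to ports 139/445."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8:
            continue  # skip headers, comments and malformed lines
        date, time, _action, proto, src, _dst, _sport, dport = fields
        if proto == "TCP" and dport.isdigit() and int(dport) in SMB_PORTS:
            yield datetime.strptime(f"{date} {time}", FMT), src

def correlate(firewall_text, failures, window_seconds=5):
    """Count, per source IP, failed logons with an SMB connection inside the window."""
    window = timedelta(seconds=window_seconds)
    connections = list(parse_firewall(firewall_text))
    hits = Counter()
    for stamp, _user, _workstation in failures:
        when = datetime.strptime(stamp, FMT)
        # A set, so one failure counts once per source even if both ports were hit.
        for src in {ip for t, ip in connections if abs(t - when) <= window}:
            hits[src] += 1
    return hits

if __name__ == "__main__":
    for ip, count in correlate(FIREWALL_LOG, FAILED_LOGONS).most_common():
        print(f"{ip}: {count} failed logon(s) matched")
```

The window only works if the firewall and the Security log share a clock; a source that matches every failure is the one to trace or block.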
