Re: Mysterious login failures

From: Al Yankovich (weirdwiredw_at_hotmail.com)
Date: 06/28/03


Date: 27 Jun 2003 18:32:37 -0700


"Steven L Umbach" <n9rou@attbi.com> wrote in message news:<Lg8Ka.10661$R73.2779@sccrnsc04>...
> These could possibly just be curious people who see your computer in
> Network Places and click it to see if there are any shares available, or
> possibly think they are supposed to use your share, etc. When someone does
> that, your computer tries to authenticate them and a logon failure shows if
> they do not have any account with permissions to resources on your machine.
> I would not worry about it unless there are patterns that indicate more than
> a few failures from the same user in a short period of time or if you see
> someone trying to access the administrator or other accounts that exist on
> your machine but are failing because of numerous bad password guesses.
> There are also security settings/user rights assignments, that can determine
> who can access your computer from the network in Local Security Policy. ---
> Steve
<snip>

I can rule out the "curious people" possibility since I have spoken to
some of the people whose computers are trying to log into my computer,
and they are not doing anything of the sort.

That seems to leave two possibilities. One is some kind of normal W2K
activity that results in failed logins. The main evidence against that
would be that at least one of the probes is coming from someone in a
completely different workgroup. If it was normal Windows behavior that
spans workgroups, it seems I should be receiving probes from all of
the other workgroups, and that includes far more computers than in my
own workgroup. However, most of the failed logins (probes?) are coming
from the small number of computers within my workgroup (but only
certain ones).

The other possibility is some kind of network worm or virus. If so, it
is a very low activity one, and in that case it might be something
that is trying to exploit the locality of corporate networks. For
example, though I'm not sharing any resources now, in the past I have
shared a printer, and for that purpose I created some accounts on my
machine with the names of other users within my workgroup. It might be
looking for such accounts with the intent to do something more
insidious with them.
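Added example, not part of the original post or the quoted reply: one way to triage failed-logon records along the lines discussed in this thread, separating a burst of failures from one machine from slow attempts against account names that actually exist locally. The record format, workstation names, account names, 10-minute window and threshold of 3 are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp, source workstation, target account (not real log data).
SAMPLE = """\
2003-06-27 09:01:10,WS-ALPHA,visitor
2003-06-27 10:00:00,WS-BRAVO,administrator
2003-06-27 10:00:20,WS-BRAVO,administrator
2003-06-27 10:00:40,WS-BRAVO,administrator
2003-06-27 10:01:00,WS-BRAVO,administrator
2003-06-27 10:01:30,WS-BRAVO,administrator
2003-06-27 08:00:00,WS-CHARLIE,jsmith
2003-06-27 12:00:00,WS-CHARLIE,mlee
2003-06-27 16:00:00,WS-CHARLIE,jsmith
"""

LOCAL_ACCOUNTS = {"administrator", "jsmith", "mlee"}  # hypothetical local accounts
WINDOW = timedelta(minutes=10)   # assumed meaning of "a short period of time"
THRESHOLD = 3                    # assumed meaning of "more than a few"

def parse(text):
    """Return (time, source, account) tuples sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, src, user = (field.strip() for field in line.split(","))
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        events.append((when, src.upper(), user.lower()))
    return sorted(events)

def triage(events, local_accounts=LOCAL_ACCOUNTS, window=WINDOW, threshold=THRESHOLD):
    """Summarise failures per source workstation."""
    by_src = defaultdict(list)
    for when, src, user in events:
        by_src[src].append((when, user))
    report = {}
    for src, items in by_src.items():
        times = [when for when, _ in items]
        max_burst, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            max_burst = max(max_burst, end - start + 1)
        report[src] = {
            "failures": len(items),
            "max_burst": max_burst,
            "burst": max_burst > threshold,
            # names that exist locally are worth attention even at low volume
            "existing_accounts": sorted({u for _, u in items if u in local_accounts}),
        }
    return report
```

In the constructed data, WS-BRAVO trips the burst rule, while WS-CHARLIE never does yet still stands out because every name it tried exists on the machine.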


