Re: Event id's 529 and 681
From: Steven L Umbach (sumbach_at_ameritech.net)
Date: 07/22/03
- In reply to: Rob Brown: "Event id's 529 and 681"
Date: Tue, 22 Jul 2003 19:20:44 GMT
It could be a curious user trying to see what he can access in Network
Places, and yes he will get a denied access on his end and you will see the
failed audits as shown in your post. I would not be too concerned unless
you see a large number of these from the same workstation in a short period
of time which could indicate malicious activity. Now if you see the same
type of failed audits and the workstation and/or domain names are
unrecognizable that would indicate an attack from an untrusted network. A
properly configured firewall should prevent that. You can go to
http://scan.sygatetech.com/ to test your basic firewall vulnerability.
--- Steve
"Rob Brown" <rob@vunetusa.com> wrote in message
news:eioSTCIUDHA.560@TK2MSFTNGP10.phx.gbl...
> I have a few workstations that occasionally generate a pair of event id's
> 529 and 681 across every server on my domain. (SEE BELOW)
> The configuration is:
> Servers members of SERVERS domain.
> Desktops members of WORKGROUP. Not members of SERVERS domain.
> Desktops are on different subnet than servers. Users do not have local
> accounts on servers.
>
> I HAVE virus scanned the machines and not found any virus.
> What else would cause the workstations to try to authenticate to every
> server?
> Would a user browsing the SERVERS domain with network neighborhood cause
> this?
> I know that these are probably "normal" failure events, but am wondering
> if there is a way to "weed out" the known workstations from malicious
> attempts from outside, since in this case, they generate the same error
> signatures.
>
>
> ===========================
> These 2 events are generated at the same time across all machines on the
> domain:
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 529
> Date: 7/21/2003
> Time: 3:02:33 PM
> User: NT AUTHORITY\SYSTEM
> Computer: SERVER1
> Description:
> Logon Failure:
> Reason: Unknown user name or bad password
> User Name: Someuser
> Domain: WORKSTATION1
> Logon Type: 3
> Logon Process: NtLmSsp
> Authentication Package: NTLM
> Workstation Name: WORKSTATION1
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Account Logon
> Event ID: 681
> Date: 7/21/2003
> Time: 3:02:33 PM
> User: NT AUTHORITY\SYSTEM
> Computer: SERVER1
> Description:
> The logon to account: Someuser
> by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> from workstation: WORKSTATION1
> failed. The error code was: 3221225572
>
>
>
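
Added example, not part of the original thread: a Python sketch of the triage discussed above, which parses event 529 records in the text layout quoted in the post, flags workstations that are unrecognized or that produce a burst of failures, and decodes the decimal error code from event 681. The function names, the allowlist of known workstations, the threshold of 10 failures in 5 minutes and the sample records are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# NTSTATUS codes that event 681 prints in decimal (values from Microsoft's ntstatus.h)
NTSTATUS = {0xC0000064: "STATUS_NO_SUCH_USER", 0xC000006A: "STATUS_WRONG_PASSWORD",
            0xC000006D: "STATUS_LOGON_FAILURE", 0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT"}

def decode_681(code):
    """Render the decimal error code of event 681 as hex plus its NTSTATUS name."""
    return f"0x{int(code):08X} {NTSTATUS.get(int(code), 'unknown')}"

def parse_529(record):
    """Pull timestamp, account and source workstation out of one event 529 text record."""
    f = dict(re.findall(r"^\s*([A-Za-z ]+?):[ \t]*(\S.*?)\s*$", record, re.M))
    when = datetime.strptime(f"{f['Date']} {f['Time']}", "%m/%d/%Y %I:%M:%S %p")
    return when, f["User Name"], f["Workstation Name"].upper()

def triage(records, known, limit=10, window=timedelta(minutes=5)):
    """Return {workstation: reason} for sources that are unrecognized or exceed
    `limit` failures inside `window` (both thresholds are assumed, tune per site)."""
    by_host, flagged = defaultdict(list), {}
    for when, _user, host in map(parse_529, records):
        by_host[host].append(when)
    for host, times in by_host.items():
        times.sort()
        # sliding window: largest number of failures within any `window` span
        start = burst = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            burst = max(burst, end - start + 1)
        if host not in known:
            flagged[host] = "unrecognized workstation"
        elif burst > limit:
            flagged[host] = f"{burst} failures within {window}"
    return flagged

# Constructed sample in the layout of the event 529 quoted above (not real log data)
TEMPLATE = """Event ID: 529
Date: 7/21/2003
Time: 3:{m:02d}:{s:02d} PM
Description:
  User Name: {user}
  Workstation Name: {host}"""
SAMPLE = ([TEMPLATE.format(m=2, s=33, user="Someuser", host="WORKSTATION1")]
          + [TEMPLATE.format(m=10, s=i, user=f"user{i}", host="WORKSTATION2") for i in range(12)]
          + [TEMPLATE.format(m=20, s=0, user="administrator", host="UNKNOWNPC")])
KNOWN = {"WORKSTATION1", "WORKSTATION2"}
```

The workstation name in an NTLM logon is supplied by the client, so a match against the allowlist is a triage signal rather than proof of where the attempt came from.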