Re: 681 and 529 auditing codes
From: Steven L Umbach (sumbach_at_ameritech.net)
Date: 08/07/03
- Next message: admin: "locked out need help"
- Previous message: kevin: "681 and 529 auditing codes"
- In reply to: kevin: "681 and 529 auditing codes"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 06 Aug 2003 23:46:36 GMT
It probably means your network is being enumerated from exposing
netbios/smb ports to the internet. From a network computer go to
http://scan.sygatetech.com/ and do at least a quick scan for basic
vulnerability to untrusted networks. If it shows you are vulnerable, you
need to reconfigure your firewall if you have one or get a firewall ASAP.
Check your network adapters that are directly connected to the internet [if
any] to see if they have file and print sharing enabled and if so disable or
uninstall it on those adapters. If you can not get a firewall ASAP, you may
try to configure ipsec filtering to block access from the internet and make
exception rules for required internet access as a temporary measure. ---
Steve
"kevin" <kalak76@yahoo.com> wrote in message
news:07c401c35c71$bcb0a960$a301280a@phx.gbl...
> Hi,
>
> Our accounts get locked out peridocially due to something
> attempting to login to the domain using dictionary
> attacks. This causes our accounts to lock out, even
> though we have no policy or GPOs set. We're getting a
> bunch of 681 and 529 audit events. I know it's from the
> outside because in the 681 event, it's coming from an
> unknown domain, attempting to log on as one of our valid
> user accounts.
>
> What is the cause of this, and why? And what can I do to
> prevent it immediately!??
>
> Thanks,
- Next message: admin: "locked out need help"
- Previous message: kevin: "681 and 529 auditing codes"
- In reply to: kevin: "681 and 529 auditing codes"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
