Security Event Log Failure Audit 681

From: Mark (junior_8012_at_hotmail.com)
Date: 07/01/04

• Next message: Joe Richards [MVP]: "Re: will the TGT destroyed if user locks windows"
• Previous message: Ringo Langly: "Re: Possible Virus or worm -- suggestions please!!!"
• Next in thread: Michele: "Security Event Log Failure Audit 681"
• Reply: Michele: "Security Event Log Failure Audit 681"
• Reply: Steven Umbach: "Re: Security Event Log Failure Audit 681"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: 1 Jul 2004 08:49:47 -0700

We have been getting 100's of these Failure Audit logs on a daily
basis in our security event log for the past couple weeks. They are
showing up on our win 2000 sp4 application/database server. The user
is a current domain user but not a local user on the server. The
workstation however is not in our domain. What is bothering me is
that is trying to login from a machine that has the same name as a
current user. I have scanned for viruses and spyware on both the
server and the user's workstation, but came up empty on both searches.

The server is part of a 2000 domain and the user logs into a NT
domain. The user doesn't have a mapped drive to the server, but
accesses our main application that resides on the server on a daily
basis.

Below is an example of what we have been seeing.

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 681
Date: 6/11/2004
Time: 6:12:17 AM
User: NT AUTHORITY\SYSTEM
Computer: Server-1 <---(Application/DB server)
Description:
The logon to account: NICKH <---(current user)
 by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 from workstation: \\NICKH <---(not a current workstation)
 failed. The error code was: 3221225572

Thanks in advance for any advise,

---

• Next message: Joe Richards [MVP]: "Re: will the TGT destroyed if user locks windows"
• Previous message: Ringo Langly: "Re: Possible Virus or worm -- suggestions please!!!"
• Next in thread: Michele: "Security Event Log Failure Audit 681"
• Reply: Michele: "Security Event Log Failure Audit 681"
• Reply: Steven Umbach: "Re: Security Event Log Failure Audit 681"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages RE: isa 2004 & external website access issue ... emailed the logs to you as requested. ... each web server has its own public IP ... > headers in ISA Server ... > 'Microsoft Firewall' service. ... (microsoft.public.windows.server.sbs) RE: Exchange Server ... I researched your logs and found the MSExchangeTransport events 4006, 969, ... Right click Default SMTP Virtual Server and select Properties. ... Microsoft CSS Online Newsgroup Support ... This newsgroup only focuses on SBS technical issues. ... (microsoft.public.windows.server.sbs) RE: OWA 2003 with ISA 2004 ... OWA externally. ... i can login by any user. ... 825763 How to configure Internet access in Windows Small Business Server ... g. Reproduce this issue and send the logs to me. ... (microsoft.public.windows.server.sbs) RE: OWA 2003 with ISA 2004 ... I understand that you can not login OWA from ... 825763 How to configure Internet access in Windows Small Business Server ... g. Reproduce this issue and send the logs to me. ... and then right click 'Microsoft Firewall' to ... (microsoft.public.windows.server.sbs) RE: VPN, RRAS & DHCP ... After researching your logs, I found the Event ID 20169 ... Please try to set RemoteAccess service to depend on the DHCP server ... Reboot the server to see whether the issue still occurs. ... The problem occurred after you install ISA server. ... (microsoft.public.windows.server.sbs)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > microsoft.public.win2000.security  > 2004-07