Re: Failure Audit Question

• Previous message: zuke: "KIOSK MODE?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Sat, 24 Sep 2005 19:01:31 -0700

Notice it negotiated use of Ntlm. No way is this going to happen
over Tcp port 25. Thus, you have a machine attached to / accessing
the inner side of that DMZ firewall.

"David Levine" <DavidLevine@discussions.microsoft.com> wrote in message
news:564CF8F0-8F01-42BD-A6CD-DA6E5CE43A4C@microsoft.com...
> Hi all,
>
> I am looking though my Security log on a Windows 2000 sp4 server that has
> Exchange 2000 running on it. The system is located in a DMZ, and only port
> 25
> is allowed through our firewall to it.
>
> I am however noticing a bunch of failure audits as such:
>
> EventID 529
> Logon Failure:
> Reason: Unknown user name or bad password
> User Name: ALTHEA$
> Domain: AWM
> Logon Type: 3
> Logon Process: NtLmSsp
> Authentication Package: NTLM
> Workstation Name: ALTHEA
> --and--
> EventID 681
> The logon to account: ALTHEA$
> by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> from workstation: ALTHEA
> failed. The error code was: 3221225572
>
> The computer names and domain names in these log messages do not mean
> anything to me, and are not a part of our private AD domain... and I am
> not
> sure of what the next step should be? If we are on a private LAN (with no
> visitors) and only port 25 is allowed to the server from the outside
> world,
> where could it be getting these workstation logon attempts from?
>
> Thanks for any advice...

• Previous message: zuke: "KIOSK MODE?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]