Re: Failure Audit Question

From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 09/25/05

    Date: Sat, 24 Sep 2005 19:01:31 -0700
    
    

    Notice it negotiated use of NTLM. No way is this going to happen
    over TCP port 25. Thus, you have a machine attached to / accessing
    the inner side of that DMZ firewall.

    "David Levine" <DavidLevine@discussions.microsoft.com> wrote in message
    news:564CF8F0-8F01-42BD-A6CD-DA6E5CE43A4C@microsoft.com...
    > Hi all,
    >
    > I am looking through my Security log on a Windows 2000 SP4 server that
    > has Exchange 2000 running on it. The system is located in a DMZ, and
    > only port 25 is allowed through our firewall to it.
    >
    > I am however noticing a bunch of failure audits as such:
    >
    > EventID 529
    > Logon Failure:
    > Reason: Unknown user name or bad password
    > User Name: ALTHEA$
    > Domain: AWM
    > Logon Type: 3
    > Logon Process: NtLmSsp
    > Authentication Package: NTLM
    > Workstation Name: ALTHEA
    > --and--
    > EventID 681
    > The logon to account: ALTHEA$
    > by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    > from workstation: ALTHEA
    > failed. The error code was: 3221225572
    >
    > The computer names and domain names in these log messages do not mean
    > anything to me, and are not a part of our private AD domain... and I am
    > not sure of what the next step should be? If we are on a private LAN
    > (with no visitors) and only port 25 is allowed to the server from the
    > outside world, where could it be getting these workstation logon
    > attempts from?
    >
    > Thanks for any advice...

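As an added example (not part of either post), the Python below parses the two quoted audit records and decodes the fields an analyst would triage on: the logon type, the machine-account marker, and the decimal error code from event 681, where 3221225572 is 0xC0000064 (STATUS_NO_SUCH_USER). The function and field names are assumptions, and the sample text is constructed from the records quoted above.

```python
import re

# NTSTATUS values that event 681 records as unsigned decimal numbers.
NTSTATUS = {0xC0000064: "STATUS_NO_SUCH_USER", 0xC000006A: "STATUS_WRONG_PASSWORD",
            0xC000006D: "STATUS_LOGON_FAILURE"}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock"}

# Field patterns covering the wording of both record types (529 and 681).
FIELDS = {
    "account": r"(?m)^(?:User Name|The logon to account):[ \t]*(\S+)",
    "domain": r"(?m)^Domain:[ \t]*(\S+)",
    "workstation": r"(?m)^(?:Workstation Name|from workstation):[ \t]*(\S+)",
    "logon_type": r"(?m)^Logon Type:[ \t]*(\d+)",
    "package": r"(?m)^(?:Authentication Package|by):[ \t]*(\S+)",
    "status": r"error code was:[ \t]*(\d+)",
}

# Constructed sample: the records from the post, abridged, quote markers removed.
SAMPLE = """EventID 529
User Name: ALTHEA$
Domain: AWM
Logon Type: 3
Authentication Package: NTLM
Workstation Name: ALTHEA
EventID 681
The logon to account: ALTHEA$
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: ALTHEA
failed. The error code was: 3221225572
"""

def parse_events(text):
    """Return one dict per 'EventID N' record, with type and status decoded."""
    events = []
    for rec in re.finditer(r"(?ms)^EventID (\d+)\n(.*?)(?=^EventID \d+|\Z)", text):
        ev = {"id": int(rec.group(1))}
        body = rec.group(2)
        ev.update({k: m.group(1) for k, p in FIELDS.items() if (m := re.search(p, body))})
        ev["machine_account"] = ev.get("account", "").endswith("$")  # '$' = computer account
        if "logon_type" in ev:
            ev["logon_type"] = LOGON_TYPES.get(int(ev["logon_type"]), ev["logon_type"])
        if "status" in ev:
            code = int(ev["status"])
            ev["status"] = f"0x{code:08X} {NTSTATUS.get(code, 'unmapped')}"
        events.append(ev)
    return events

if __name__ == "__main__":
    print(*parse_events(SAMPLE), sep="\n")
```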
