Re: Failure Audit Question

From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 09/25/05

    Date: Sat, 24 Sep 2005 19:01:31 -0700
    
    

    Notice it negotiated use of NTLM. No way is this going to happen
    over TCP port 25. Thus, you have a machine attached to / accessing
    the inner side of that DMZ firewall.

    "David Levine" <DavidLevine@discussions.microsoft.com> wrote in message
    news:564CF8F0-8F01-42BD-A6CD-DA6E5CE43A4C@microsoft.com...
    > Hi all,
    >
    > I am looking through my Security log on a Windows 2000 SP4 server that has
    > Exchange 2000 running on it. The system is located in a DMZ, and only port
    > 25 is allowed through our firewall to it.
    >
    > I am however noticing a bunch of failure audits as such:
    >
    > EventID 529
    > Logon Failure:
    > Reason: Unknown user name or bad password
    > User Name: ALTHEA$
    > Domain: AWM
    > Logon Type: 3
    > Logon Process: NtLmSsp
    > Authentication Package: NTLM
    > Workstation Name: ALTHEA
    > --and--
    > EventID 681
    > The logon to account: ALTHEA$
    > by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    > from workstation: ALTHEA
    > failed. The error code was: 3221225572
    >
    > The computer names and domain names in these log messages do not mean
    > anything to me, and are not a part of our private AD domain... and I am
    > not sure of what the next step should be? If we are on a private LAN (with
    > no visitors) and only port 25 is allowed to the server from the outside
    > world, where could it be getting these workstation logon attempts from?
    >
    > Thanks for any advice...
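
The error code in the quoted event 681 is an NTSTATUS value printed in decimal: 3221225572 is 0xC0000064, STATUS_NO_SUCH_USER. The following is an added example, not part of either poster's message: it decodes that code and lists the properties of the quoted event 529 worth following up. The domain name `CORP` and all function names are assumptions.

```python
import re

# Subset of NTSTATUS values that show up in logon-failure events.
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Event text as quoted in the post (quote markers stripped).
EVENT_529 = """Logon Failure:
Reason: Unknown user name or bad password
User Name: ALTHEA$
Domain: AWM
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: ALTHEA"""
EVENT_681 = """The logon to account: ALTHEA$
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: ALTHEA
failed. The error code was: 3221225572"""

def decode_status(decimal_code):
    """Event 681 logs the NTSTATUS as unsigned decimal; return (hex, name)."""
    code = int(decimal_code) & 0xFFFFFFFF
    return "0x%08X" % code, NTSTATUS.get(code, "UNKNOWN")

def parse_fields(text):
    """Split 'Field: value' lines of an event description into a dict."""
    pairs = (line.partition(":") for line in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep and v.strip()}

def triage(ev529, ev681, known_domains):
    """Decode the 681 status and list what makes the 529 worth chasing."""
    f = parse_fields(ev529)
    m = re.search(r"error code was:\s*(\d+)", ev681)
    status = decode_status(m.group(1)) if m else (None, "UNKNOWN")
    flags = []
    if f.get("User Name", "").endswith("$"):
        flags.append("machine account")
    if f.get("Domain", "").upper() not in known_domains:
        flags.append("domain not ours")
    if f.get("Logon Type") == "3" and f.get("Authentication Package") == "NTLM":
        flags.append("network logon via NTLM")
    return {"status": status, "workstation": f.get("Workstation Name"), "flags": flags}

if __name__ == "__main__":
    print(triage(EVENT_529, EVENT_681, known_domains={"CORP"}))  # CORP is hypothetical
```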

