Re: Failure Audit Question
From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: Sat, 24 Sep 2005 19:01:31 -0700
Notice it negotiated use of Ntlm. No way is this going to happen
over Tcp port 25. Thus, you have a machine attached to / accessing
the inner side of that DMZ firewall.
"David Levine" <DavidLevine@discussions.microsoft.com> wrote in message
> Hi all,
> I am looking though my Security log on a Windows 2000 sp4 server that has
> Exchange 2000 running on it. The system is located in a DMZ, and only port
> is allowed through our firewall to it.
> I am however noticing a bunch of failure audits as such:
> EventID 529
> Logon Failure:
> Reason: Unknown user name or bad password
> User Name: ALTHEA$
> Domain: AWM
> Logon Type: 3
> Logon Process: NtLmSsp
> Authentication Package: NTLM
> Workstation Name: ALTHEA
> EventID 681
> The logon to account: ALTHEA$
> by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> from workstation: ALTHEA
> failed. The error code was: 3221225572
> The computer names and domain names in these log messages do not mean
> anything to me, and are not a part of our private AD domain... and I am
> sure of what the next step should be? If we are on a private LAN (with no
> visitors) and only port 25 is allowed to the server from the outside
> where could it be getting these workstation logon attempts from?
> Thanks for any advice...