Re: Account Logon Time Restriction
- From: James B <JamesB@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 14 Nov 2006 14:08:02 -0800
After playing “workstation roulette” it appears I have multiple problems: a
VPN user’s home computer working its way through our user names, a few repeat
IP addresses trying their hand at logging in as ‘administrator’, and random
“drive by” attacks on ports 21 & 25.
I’ll be exorcising the demons from the VPN user’s home computer myself and
I’ve redirected the incoming activity on ports 21 & 25 to a nonexistent IP
address on our network. I’m also documenting the ‘repeat offenders’ in case
we choose to move forward with blocking them at our ISP or taking legal
action.
Thanks for your help,
James
"Roger Abell [MVP]" wrote:
"workstation isolation" sounds potentially productive..
Make sure that you scan the involved machines with multiple
malware detectors.
"James B" <JamesB@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B0AFA34E-BEC8-40F6-925E-34877C1A6A36@xxxxxxxxxxxxxxxx
I found matching entries in the Security event log. Some look like they are
coming from the server itself, and some from a workstation, but only when a
specific workstation is on. I may have to try some 'workstation isolation' to
determine if one is really trying to login via another.
BTW, I posted my question to the ISA newsgroup too.
Thanks,
James
"Roger Abell [MVP]" wrote:
If you are seeing this in the ISA logs then, since ISA rather than Windows
is intercepting the attempt, you probably should post to an ISA newsgroup
where someone may give you some ISA specific ideas on what to do to
collect more info.
In general, Windows failed event logging for Windows 2000 is not of
much use in determining the origin of an attempt unless you happen to
recognize the NetBIOS names for the origin that do get recorded in the
security log failure events.
"James B" <JamesB@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D85BE182-81B4-4EE4-A4BE-207F3F7DEFEA@xxxxxxxxxxxxxxxx
Hi,
I just noticed a similar problem, though I have no idea where to look for
the details on what the source of this is. I see the failed logins listed in
the ISA Security Report. Where do I find the details/IP address of the source
of these failed logins?
BTW, we have SBS 2000 if that makes a difference.
Thanks,
James
"LDD15" wrote:
We are operating SBS2003. Today I noted that there were over 1000 login
failures for one particular user. This user was not on the premises during
the hours when these occurred. I noticed that the Failure audit had a type 3
which indicates that someone tried to log on over the network. Another
interesting point is that the failure audit indicates that the user name and
password were correct. I assume however, based upon the quantity of attempts
that someone is doing this with a script. How should I proceed?
Thanks.