Re: Unexplained Failed Logins

---

• From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
• Date: Thu, 18 Jan 2007 18:47:09 -0700

---

Local login does not allow happen only via the console/keyboard.
For a couple examples, IIRC with W2k a terminal services login is
a local login, or will all version of OS an authentication via Front
Page for web authoring is a local login (although the event log entries
you post would not fit the FrontPage pattern).
So, you may want to examine the external network exposures.

"James B" <JamesB@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1B88238B-A7D8-4C05-98B7-60C1024B985C@xxxxxxxxxxxxxxxx

Hi,
While reviewing our system Security event log (Win2K SBS) I found 3
failed
login attempts that appear to have occurred at the server itself. The
problem
is that according to the alarm system log no one was in the building for
hours before or after the times of the failed logins.

The first one was at 1:53 am, the next at 2:19 am and the last at 2:33
am.
According to the info in the MS kb, 'logon type 2' is from the keyboard
and
not a network login, which would mean that it happened at my server.

Anyone have any ideas?

James

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 676
Date: 1/17/2007
Time: 1:53:05 AM
User: NT AUTHORITY\SYSTEM
Computer: MAIN-SERVER
Description:
Authentication Ticket Request Failed:
User Name: test
Supplied Realm Name: NETWORKDOMAIN
Service Name: krbtgt/NETWORKDOMAIN
Ticket Options: 0x40810010
Failure Code: 0x6
Client Address: 127.0.0.1

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 1/17/2007
Time: 1:53:05 AM
User: NT AUTHORITY\SYSTEM
Computer: MAIN-SERVER
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: test
Domain: NETWORKDOMAIN
Logon Type: 2
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: MAIN-SERVER

.

---

• Prev by Date: Re: Backing up user accounts
• Next by Date: Re: Unexplained Failed Logins
• Previous by thread: Backing up user accounts
• Next by thread: Re: Unexplained Failed Logins
• Index(es):
  • Date
  • Thread

---

Relevant Pages [SLE] [Fwd: [suse-imap-e] Problems with smbpasswd, account_policy_get: tdb_fetch_uint32 failed for f ... logon drive = P: ... The English translation of the message was "Login Failure: ... I attempted to change the password of the user using smbpasswd and I ... Retype new SMB password: ... (SuSE) Re: Unknown Domain user - domain authentication appears limited ... (using cached login). ... Microsoft MVP (Windows Server System: Security) ... > due to the following error: Logon failure: the user has not been granted ... (microsoft.public.windows.server.security) Re: Recording and/or logging XP Login duration and activity ... X amount of time to the login duration. ... Any roaming profiles involved? ... Well - you could timestamp their logon scripts. ... CPU usage stays below a certain number? ... (microsoft.public.windowsxp.help_and_support) Re: Lightweight logon? Impersonation? - shared workstation problem ... seems to result in a lengthy logon. ... they are in the application in a couple seconds, upon entering their login ID ... "Joe Kaplan" wrote: ... You do need to do something to make sure the browser window is not reused by ... (microsoft.public.dotnet.framework.aspnet.security) Re: Permit only one network logon per user ... intend to prevent a second local login. ... allow a second connection to it using the same creds. ... network logon per user. ... (microsoft.public.windows.server.security)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > microsoft.public.win2000.security  > 2007-01