Security event 675
From: bjong (piaa)
Date: 03/22/04
Date: Mon, 22 Mar 2004 09:51:14 +0800
A customer is using MOM to track failed account logins. The following events
are captured by MOM on one of the DCs, DC0001 (which happened to be the PDC for
that domain):
Severity: Error
Status: New
Source: Logon Failed: privileged accounts
Name: Privileged Account Logon Failed: admin
Description: Pre-authentication failed:
User Name: admin
User ID: %{S-1-5-21-606747145-117609710-839522115-500}
Service Name: krbtgt/domA
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 192.168.10.11 <--- this is another DC
Domain: OAHKEX
Agent: DC0001 <--- this is the PDC emulator
Time: 03/10/2004 17:47:27
Now what surprises the customer is that the client address (presumably the
computer that the account was trying to log on to) is another DC, 192.168.10.11,
on which they confirm that no one attempted to log in during that time. As I
remember, when a password is entered and checked by the logon server, if the
password is wrong it will be passed to the PDC for validation. Does the
above indicate such a case?
I tried to simulate such a situation but found that a wrong password login
does not necessarily generate the same 675 event on the PDC emulator. Am I
missing something?
Thanks for any input.
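
An added example, not part of the original post: a small triage helper that parses the 675 alert text quoted above, decodes its Kerberos failure code and pre-authentication type using the RFC 4120 names, and flags when the reported client address belongs to a domain controller. The function names and the DC address set passed in are assumptions made for the example; the sample text is copied from the post.

```python
import re

# Kerberos error codes (RFC 4120) often seen in event 675; subset only.
KRB_ERRORS = {
    0x12: "KDC_ERR_CLIENT_REVOKED",
    0x17: "KDC_ERR_KEY_EXPIRED",
    0x18: "KDC_ERR_PREAUTH_FAILED",
    0x25: "KRB_AP_ERR_SKEW",
}
# Pre-authentication data types (RFC 4120); subset only.
PA_TYPES = {0x2: "PA-ENC-TIMESTAMP"}

# Alert text as quoted in the post (arrow annotations left out).
SAMPLE = """\
Description: Pre-authentication failed:
User Name: admin
User ID: %{S-1-5-21-606747145-117609710-839522115-500}
Service Name: krbtgt/domA
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 192.168.10.11
Agent: DC0001
"""

FIELD = re.compile(r"^[ \t]*([A-Za-z][A-Za-z \-]*?):[ \t]*(.*)$", re.M)

def parse_675(text):
    """Return the 'Name: value' fields of a 675 alert as a dict."""
    return {k.strip(): v.strip() for k, v in FIELD.findall(text)}

def triage(text, dc_addresses):
    """dc_addresses: caller-supplied inventory of DC IPs (assumed input)."""
    f = parse_675(text)
    code = int(f["Failure Code"], 16)
    pa = int(f["Pre-Authentication Type"], 16)
    sid = f.get("User ID", "").strip("%{}")
    return {
        "user": f["User Name"],
        "failure": KRB_ERRORS.get(code, hex(code)),
        "preauth": PA_TYPES.get(pa, hex(pa)),
        "builtin_admin": sid.endswith("-500"),  # RID 500 = built-in Administrator
        "client": f["Client Address"],
        "client_is_dc": f["Client Address"] in dc_addresses,
        "logged_on": f.get("Agent"),
    }
```

Calling `triage(SAMPLE, {"192.168.10.11"})` reports the failure as KDC_ERR_PREAUTH_FAILED for the RID 500 account with a DC as the client address, which separates failures relayed or originated by another DC from those reported directly from a workstation.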