Re: Need Help
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Sat, 4 Aug 2007 01:06:48 -0700
"BUC" <BUC@xxxxxxx> wrote in message
news:uXTTe0f1HHA.4428@xxxxxxxxxxxxxxxxxxxxxxx
I have set up WEB server (Windows 2003 SP2 with IIS) to host a site. While
looking through the security events audit. I noticed a large number of
FAILURE AUDITS with the MICROSOFT_AUTHENTICATION_PACKAGE_V1 and KRBTGT\
service. These audits have various logon user names like PETER, APPLE,
ROOT,
LISA, MASTER, DOG and other random names. It has the sourceworkstation =
the
computer name of my server, and it has an error code of 0xC0000064. I am
concerned. This happens for about a minute and stops during certain days.
What is this? Is it an inside or outside hijack. What can this do? Can it
control the computer.
Of course, this means you have exposed authentication interfaces
to the network(s) of origin. That you apparently see Kerberos use
attempts means these originate inside (or at least appear to be of
the same domain) or these are intended probe from your outside.
That you have only fail events means you have picked up one of
the numerous pests inhabiting the net, that you suffer their additive
drag against performance, that you are overexposed and/or have ill
machines, and that you are at risk to unpatched doors if flaws are
published/known in those authentication interfaces or the supporting
code to use them.
People either learn a fair stretch and fine tune accesses or take a
simple approach and only firewall.
Roger
.
- Prev by Date: Execute access to files from Terminal server
- Next by Date: Re: Recommendation for a good two-factor authentication product
- Previous by thread: Execute access to files from Terminal server
- Next by thread: Re: Certificate Services
- Index(es):
Relevant Pages
|
|
