Rogue Workstation?
- From: john d <johnd@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 9 May 2006 10:00:01 -0700
I noticed the following entries in the Security log of one of my Windows
Domain Controllers this morning:
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 681
Date: 5/9/2006
Time: 8:17:26 AM
User: NT AUTHORITY\SYSTEM
Computer: DC1
Description:
The logon to account: Administrator
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: OWNER-W5T0
failed. The error code was: 3221225578
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 681
Date: 5/9/2006
Time: 8:17:25 AM
User: NT AUTHORITY\SYSTEM
Computer: DC1
Description:
The logon to account: Administrator
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: OWNER-W5T0
failed. The error code was: 3221225578
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 5/9/2006
Time: 8:17:25 AM
User: NT AUTHORITY\SYSTEM
Computer: DC1
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: OWNER-W5T0
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: OWNER-W5T0
The workstation name is not one of a known machine on my network, nor am I
able to ping or find any DNS info regarding this workstation.
My question is two-fold:
1. My domain name is corp.com. Why would my domain controller log an
invalid attempt to log onto the Administrator account for an unknown
domain(See event 529 below)?
2. What are the some methods to detect rogue machines on the network?
I am not using DHCP. All ip addresses are static.
Thank you.
.
- Follow-Ups:
- Re: Rogue Workstation?
- From: Paul Williams [MVP]
- Re: Rogue Workstation?
- Prev by Date: Re: Multi-value attributes
- Next by Date: Re: New DC in Remote Site
- Previous by thread: DNS zone file not found error
- Next by thread: Re: Rogue Workstation?
- Index(es):
Relevant Pages
|
