RE: Security Logon Issues Using SBS 2003
- From: v-stezhu@xxxxxxxxxxxxxxxxxxxx (Steven Zhu [MSFT])
- Date: Fri, 26 May 2006 06:11:11 GMT
Hi Mark,
Thanks for posting here.
From your post, my understanding of this issue is that you receive the
LogonFailure error message every 3 seconds in the Event Viewer. If I am off
base, please feel free to let me know.
As far as I know, besides the normal network logon failures which may be
caused by application logons, such as when Outlook connects to Exchange
server, this is an automated dictionary attack on weak passwords. The hacker
is trying various username/password (here it is calvin) combinations to
access the network. The attack can be initiated from the internal network or
an external network. According to the message, Logon type 8 means NetworkCleartext
(network logon with cleartext credentials). Authentication Package:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 is the default authentication package.
You can check to see which process handles the session. For example, in
this event, the process ID is 1744. Write down the process ID, press
Ctrl+Alt+Del and click "Task Manager". In the Task Manager window, click the
"Processes" tab. Click "View"-->"Select Columns". Check "PID (Process
Identifier)" and click "OK". In the process list, find the process with
PID 704. What's the process?
Technically speaking, this is normal behavior as you cannot prevent a
hacker from attacking your server. You can ignore the events as the attack
was unsuccessful. However, since it indicates that a hacker is attacking, I
would like to give the following action plan to improve the network security:
1. Scan for viruses on the workstations. Please use anti-virus software to
perform a full scan on the internal workstations. There is an online virus
scan link below:
http://housecall.trendmicro.com
2. Implement strong password policies. Open the "Server Management console"
and navigate to the Users snap-in. In the right panel, click "Configure
Password Policies". Enable the password policies.
For more information:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
3. Monitor the internal users to see if anyone is testing the admin
accounts.
NOTE: This response contains a reference to a Third party World Wide Web
site. You should know that Third party sites are not under the control of
Microsoft. Accordingly, Microsoft can make no representation concerning
the content of these sites. Microsoft is providing this information only
as a convenience to you. This is to inform you that Microsoft has not
tested any software or information found on these sites and therefore
cannot make any representations regarding the quality, safety, or
suitability of any software or information found there. There are inherent
dangers in the use of any software found on the Internet, and Microsoft
cautions you to make sure that you completely understand the risk before
retrieving any software on the Internet.
I hope the above information helps.
Have a nice day.
Best Regards,
Steven Zhu
MCSE
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
======================================================
PLEASE NOTE the newsgroup SECURE CODE and PASSWORD were
updated on February 14, 2006. Please complete a re-registration process
by entering the secure code mmpng06 when prompted. Once you have
entered the secure code mmpng06, you will be able to update your profile
and access the partner newsgroups.
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
======================================================
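The burst pattern described in the reply (repeated logon failures a few seconds apart, Logon Type 8, one caller process) can be picked out of exported Security log text. The following is an added example, not part of the original post: it assumes the "Name: value" field layout of Windows Server 2003 logon-failure event descriptions, and the records, the threshold, the time window and the function names are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}
FIELD = re.compile(r"^[ \t]*([A-Za-z ]+):[ \t]*(.*)$", re.M)

# Constructed sample records (not taken from the thread).
TEMPLATE = ("Logon Failure:\n"
            "\tReason:\t\tUnknown user name or bad password\n"
            "\tUser Name:\t{user}\n\tLogon Type:\t{ltype}\n"
            "\tCaller Process ID:\t{pid}\n"
            "\tSource Network Address:\t{src}\n")
START = datetime(2006, 5, 26, 6, 0, 0)
SAMPLE = [(START + timedelta(seconds=3 * i),
           TEMPLATE.format(user=u, ltype=8, pid=1744, src="192.0.2.44"))
          for i, u in enumerate(["calvin", "admin", "root", "test", "calvin", "guest"])]
SAMPLE += [(START + timedelta(minutes=20 * i),
            TEMPLATE.format(user="jsmith", ltype=3, pid=580, src="192.0.2.10"))
           for i in range(2)]

def parse_fields(description):
    """Split an event description into its 'Name: value' fields."""
    return {k.strip(): v.strip() for k, v in FIELD.findall(description)}

def find_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Report (caller PID, source address) pairs with >= threshold failures in window."""
    by_origin = defaultdict(list)
    for ts, description in events:
        f = parse_fields(description)
        by_origin[(f.get("Caller Process ID"), f.get("Source Network Address"))].append((ts, f))
    findings = {}
    for origin, hits in by_origin.items():
        hits.sort(key=lambda h: h[0])
        for i in range(len(hits) - threshold + 1):
            if hits[i + threshold - 1][0] - hits[i][0] <= window:
                findings[origin] = {
                    "failures": len(hits),
                    "users": sorted({f["User Name"] for _, f in hits}),
                    "logon_types": sorted({LOGON_TYPES.get(int(f["Logon Type"]), "Unknown")
                                           for _, f in hits})}
                break
    return findings

if __name__ == "__main__":
    for origin, info in find_bursts(SAMPLE).items():
        print(origin, info)
```

Grouping by caller process ID as well as source address keeps occasional application logon failures separate from a rapid run of guesses against many account names.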