Re: Logon Failures
- From: v-terliu@xxxxxxxxxxxxxxxxxxxx (Terence Liu [MSFT])
- Date: Wed, 08 Aug 2007 10:07:50 GMT
Hello Jesse,
Thank you for your kind update.
The 537 log comes with the 529, so we have to resolve the 529 first. Then the
537 will disappear.
Additionally, if you have ISA Server 2004 on your SBS, you can look at all
the event 529 entries; if you find the "Source Network Address" is the same IP,
you can create an ISA access rule to block the traffic from that IP.
Please open the ISA management console, navigate to Firewall Policy,
right-click "Firewall Policy" and click New->Access Rule, then create a new
access rule as follows:
Rule name: block attack traffic
Rule Action: Deny
Protocols: All outbound traffic
Sources: The IP in the log
Destination: Anywhere
User Sets: All Users
Then move this rule to the top and click Apply to save all the settings.
I hope these steps will give you some help.
Thanks and have a nice day!
Best regards,
Terence Liu(MSFT)
Microsoft CSS Online Newsgroup Support
--------------------
| From: JAH <jslost@xxxxxxxxx>
| Newsgroups: microsoft.public.windows.server.sbs
| Subject: Re: Logon Failures
| Date: Tue, 07 Aug 2007 09:31:56 -0700
|
| Terence,
|
| Thank you for your assistance. I checked the Event security logs and
| determined the event ID is 529. This person tried a total of 10 times
| within ten minutes to logon to our server with usernames,
| administrator, admin, pos, and pos1. I am going to implement the
| steps and hope to secure the server more. If you have any additional
| comments please let me know.
|
| I am also getting more logon errors daily, although not as
| descriptive. Here is what the error is, are they related to the 529
| logon attempts?:
|
| Security 537 8/6/2007 9:38 PM 34 *
| Logon Failure:
| Reason: An error occurred during logon
| User Name:
| Domain:
| Logon Type: 3
| Logon Process: Kerberos
| Authentication Package: Kerberos
| Workstation Name: -
| Status code: 0xC000006D
| Substatus code: 0xC0000133
| Caller User Name: -
| Caller Domain: -
| Caller Logon ID: -
| Caller Process ID: -
| Transited Services: -
| Source Network Address: -
| Source Port: -
|
| Thank you,
|
| Jesse
|
|
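The check described in the reply, looking across the 529 events for a repeated "Source Network Address" before writing the deny rule, can be scripted; the following is an added example and not part of the original posts. It assumes the Security log was exported as text records laid out like the 537 record quoted above; the sample records, addresses and the 10-in-10-minutes threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

HEADER = re.compile(r"^Security\s+(\d+)\s+(\d+/\d+/\d+ \d+:\d+ [AP]M)")

def _field(rec, name):
    # Anchored at line start so "User Name" does not match "Caller User Name".
    m = re.search(rf"^{re.escape(name)}:[ \t]*(\S*)", rec, re.M)
    return m.group(1) if m and m.group(1) not in ("", "-") else None

def parse_failures(text, event_id=529):
    """Return (time, user, source address) for each record with this event ID."""
    out = []
    for rec in re.split(r"(?m)^(?=Security\s+\d+\s)", text):
        head = HEADER.match(rec)
        if head and int(head.group(1)) == event_id:
            when = datetime.strptime(head.group(2), "%m/%d/%Y %I:%M %p")
            out.append((when, _field(rec, "User Name"),
                        _field(rec, "Source Network Address")))
    return out

def repeat_sources(text, threshold=10, window=timedelta(minutes=10)):
    """Map each address with >= threshold 529s inside one window to the names tried."""
    by_addr = defaultdict(list)
    for when, user, addr in parse_failures(text):
        if addr:  # "-" or blank: nothing to match an IP-based rule against
            by_addr[addr].append((when, user))
    flagged = {}
    for addr, hits in by_addr.items():
        hits.sort(key=lambda h: h[0])
        for i in range(len(hits) - threshold + 1):
            if hits[i + threshold - 1][0] - hits[i][0] <= window:
                flagged[addr] = sorted({u for _, u in hits if u})
                break
    return flagged

# Constructed sample export; addresses are from documentation ranges.
def _record(event_id, when, user, addr):
    return (f"Security {event_id} {when} 34 *\nLogon Failure:\n"
            f"User Name: {user}\nLogon Type: 3\n"
            f"Source Network Address: {addr}\nSource Port: -\n\n")

USERS = ["administrator", "admin", "pos", "pos1"]
SAMPLE = "".join(_record(529, f"8/6/2007 9:{30 + i} PM", USERS[i % 4],
                         "203.0.113.45") for i in range(10))
SAMPLE += _record(529, "8/6/2007 8:05 AM", "jsmith", "198.51.100.7")
SAMPLE += _record(529, "8/6/2007 8:06 AM", "jsmith", "198.51.100.7")
SAMPLE += _record(537, "8/6/2007 9:38 PM", "", "-")

if __name__ == "__main__":
    print(repeat_sources(SAMPLE))
```

Records whose source address is "-", as in the 537 entry, are skipped because there is no IP to put in the rule's Sources field.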