Re: Bad login alerts
- From: "Sasha" <news@xxxxxxxxxx>
- Date: Tue, 21 Aug 2007 19:36:57 +0100
LOL... hello Manfred and thank you for your contribution.
However, the mentioned 'DOC-MAIL' is not in our network, no user, no pc and
no server.
This is an external pc / server somewhere.
Once again, thanks for any assistance / insight you can give.
My Site has SBS 2003 Premium.
"Manfred Zhuang [MSFT]" <v-mzhuan@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:4NlnQk$4HHA.4200@xxxxxxxxxxxxxxxxxxxxxxxxx
Hello Sasha,
Thank you for your reply and I am sorry for the delay.
My colleague Robert currently is out of office and I will step in this
thread.
From your post, I understand that you would like to know what behavior
caused the log you posted:
Logon Failure:
Reason: Unknown user name or bad password
User Name: DOC-MAIL$
Domain: DOC
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: DOC-MAIL
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -
Please understand that when you join a computer to a domain, a
computername$ account is created. (For your computer, it is DOC-MAIL$.)
There are several running processes on the SBS server that will attempt to
connect using the machine account. One of the most active is the Microsoft
Exchange Routing Engine.
This behavior can happen when the machine password is not properly synchronized.
Let's perform the following step to reset the machine account password of a
domain controller:
NETDOM RESETPWD /Server:ServerName /UserD:Administrator /PasswordD:*
For example:
NOTE: Please run the command on the server named DOC-MAIL
NETDOM RESETPWD /Server:DOC-MAIL /UserD:Administrator /PasswordD:ThePasswordForAdministratorAccount
After that, please restart the server.
Please try the above steps at your earliest convenience. If you have any
concern, please feel free to let me know.
Best regards,
Manfred Zhuang(MSFT)
Microsoft Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no
rights.
--------------------
| From: "Teneo" <not@xxxxxxxx>
| Subject: Re: Bad login alerts
| Date: Fri, 17 Aug 2007 15:39:13 +0100
|
| I have reviewed the links but do not find them intuitive as they refer to NT
| and 2000 ?
|
|
| "Teneo" <not@xxxxxxxx> wrote in message
| news:%23wP2mpN4HHA.3684@xxxxxxxxxxxxxxxxxxxxxxx
| > Hello Robert
| >
| > Thank you for your post.
| >
| > I think there is a little confusion, I am aware of a RDP unsuccessful
| > attempt but my post was enquiring about the log entry with the DOC in
| > the security log.
| >
| > I am wondering what type of connection my original example is as there is
| > very little information presented. My second example showed an
| > unsuccessful RDP connection which gives us a lot of useful information and
| > I would like to add that an external unsuccessful RDP connection does give
| > the source network address. This has been very useful tracking down
| > infected server/pcs.
| >
| >
| >
| >
| > "Robert Li [MSFT]" <v-robeli@xxxxxxxxxxxxxxxxxxxx> wrote in message
| > news:7IC5mTM4HHA.2340@xxxxxxxxxxxxxxxxxxxxxxxxx
| >> Hi Sasha,
| >>
| >> Thanks for sharing your wonderful experience here.
| >>
| >> When an unsuccessful RWW or RDP logon occurs, Event ID 529 is recorded in
| >> the Security log. In the logs, you can see the following content:
| >>
| >> Logon Failure:
| >> Reason: Unknown user name or bad password
| >> User Name: DOC-MAIL$
| >> Domain: DOC
| >> Logon Type: 3
| >> Logon Process: NtLmSsp
| >> Authentication Package: NTLM
| >> Workstation Name: DOC-MAIL
| >> Caller User Name: -
| >> Caller Domain: -
| >> Caller Logon ID: -
| >> Caller Process ID: -
| >> Transited Services: -
| >> Source Network Address: -
| >> Source Port: -
| >>
| >> When you RDP to the server from the Internet, this is expected behavior, because
| >> the firewall gets rid of the information of Source Network Address, Source
| >> Port and so on. When you RDP from internal, you can see Source Network
| >> Address, Source Port, because the traffic doesn't pass the firewall.
| >>
| >> Logon Failure:
| >> Reason: Unknown user name or bad password
| >> User Name: aaaaaaaaa
| >> Domain: SERVER
| >> Logon Type: 3
| >> Logon Process: Advapi
| >> Authentication Package: Negotiate
| >> Workstation Name: SERVER
| >> Caller User Name: IUSR_SERVER
| >>
| >> The RWW depends on IIS, all the logon attempts start from IIS, not from
| >> client workstation, so you can see the server is SERVER and user name is
| >> IUSR_SERVER.
| >>
| >> I'd like to give you more information on the process NTLMSSP and Advapi.
| >>
| >> NTLMSSP is a security support provider that is available on all versions of
| >> DCOM. It uses the Microsoft Windows NT LAN Manager (NTLM) protocol for
| >> authentication. NTLM never actually transmits the user's password to the
| >> server during authentication.
| >>
| >> More info:
| >>
| >> NTLMSSP
| >> http://msdn2.microsoft.com/en-us/library/ms691272.aspx
| >>
| >> Process Advapi is triggered by a call to LogonUser; LogonUser calls
| >> LsaLogonUser, and one of the arguments to LsaLogonUser, OriginName,
| >> identifies the origin of the logon attempt.
| >>
| >> More info:
| >>
| >> How to troubleshoot Kerberos-related issues in IIS
| >> http://support.microsoft.com/kb/326985
| >>
| >> Hope this helps.
| >>
| >> If you have any concern on this issue, please don't hesitate to let me
| >> know.
| >>
| >> Best regards,
| >>
| >> Robert Li(MSFT)
| >>
| >> Microsoft CSS Online Newsgroup Support
| >>
| >> Get Secure! - www.microsoft.com/security
| >>
| >> --------------------
| >> <From: "Sasha" <news@xxxxxxxxxx>
| >> <Subject: Bad login alerts
| >> <Date: Thu, 16 Aug 2007 19:27:23 +0100
| >> <
| >> <Hi all
| >> <If someone tries an unsuccessful RDP attempt on server much helpful info is
| >> <recorded, especially IP address.
| >> <Seeing some login alerts of the below where limited info is recorded.. It's
| >> <this NtLMSsp logon process
| >> <
| >> <Logon Failure:
| >> <Reason: Unknown user name or bad password
| >> <User Name: DOC-MAIL$
| >> <Domain: DOC
| >> <Logon Type: 3
| >> <Logon Process: NtLmSsp
| >> <Authentication Package: NTLM
| >> <Workstation Name: DOC-MAIL
| >> <Caller User Name: -
| >> <Caller Domain: -
| >> <Caller Logon ID: -
| >> <Caller Process ID: -
| >> <Transited Services: -
| >> <Source Network Address: -
| >> <Source Port: -
| >> <
| >> <Username / Domain and workstation name have no relation to site where server
| >> <recorded this.
| >> <
| >> <I thought it maybe an RWW attempt but this gives:-
| >> <Logon Failure:
| >> <Reason: Unknown user name or bad password
| >> <User Name: aaaaaaaaa
| >> <Domain: SERVER
| >> <Logon Type: 3
| >> <Logon Process: Advapi
| >> <Authentication Package: Negotiate
| >> <Workstation Name: SERVER
| >> <Caller User Name: IUSR_SERVER
| >> <
| >> <TIA, have a great day / night depending wherever you are... ;-)
| >> <
| >> <
| >> <
| >> <
| >>
| >
| >
|
|
|
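
The two Event ID 529 bodies quoted in this thread can be triaged mechanically. The following is an added example, not part of any poster's message: it parses pasted 529 descriptions and tags the properties the thread discusses (machine account, names not on site, blank source address, IIS caller). The inventory in KNOWN_DOMAINS and KNOWN_HOSTS and the tag names are assumptions made for illustration.

```python
import re

# Assumption: constructed inventory of names that really exist on site.
KNOWN_DOMAINS = {"SERVER"}
KNOWN_HOSTS = {"SERVER"}

# The two Event ID 529 bodies quoted in the thread, abridged to the fields used.
SAMPLE = """\
Logon Failure:
User Name: DOC-MAIL$
Domain: DOC
Logon Process: NtLmSsp
Workstation Name: DOC-MAIL
Source Network Address: -
Logon Failure:
User Name: aaaaaaaaa
Domain: SERVER
Logon Process: Advapi
Workstation Name: SERVER
Caller User Name: IUSR_SERVER
"""

# One "Field Name: value" pair per line; the value may be empty.
FIELD = re.compile(r"^[ \t]*([A-Za-z ]+?):[ \t]*(.*)$", re.M)

def parse_events(text):
    """Split pasted 529 descriptions into one dict of fields per event."""
    events = []
    for key, value in FIELD.findall(text):
        if key == "Logon Failure":
            events.append({})              # header line starts a new event
        elif events:
            events[-1][key] = value.strip()
    return events

def triage(ev):
    """Return tags describing why a failed logon deserves a closer look."""
    tags = []
    if ev.get("User Name", "").endswith("$"):
        tags.append("machine-account")
    if ev.get("Domain", "").upper() not in KNOWN_DOMAINS:
        tags.append("foreign-domain")
    if ev.get("Workstation Name", "").upper() not in KNOWN_HOSTS:
        tags.append("unknown-workstation")
    # Only flag when the field was logged but left blank ("-").
    if ev.get("Source Network Address") in ("", "-"):
        tags.append("no-source-address")
    if ev.get("Caller User Name", "").upper().startswith("IUSR_"):
        tags.append("iis-originated")
    return tags
```

Calling triage() on each dict from parse_events(SAMPLE) separates the DOC-MAIL$ entry, where every name is foreign to the site, from the RWW-style failure that originates from IIS on the server itself.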