Re: Another security question/issue.
- From: sbsstarter <sbsstarter@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 26 Mar 2008 18:15:01 -0700
Here are posts of the failed login attempts:
22 occurrences
Logon Failure:
Reason: Account currently disabled
User Name:
Domain:
Logon Type: 3
Logon Process: Authz
Authentication Package: Kerberos
Workstation Name: MYSERVER-SBS
Caller User Name: MYSERVER-SBS$
Caller Domain: MYSERVER
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 876
Transited Services: -
Source Network Address: -
Source Port: -
--and--
Logon Failure:
Reason: Unknown user name or bad password
User Name: MDaemon
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: MYSERVER-SBS
Caller User Name: MYSERVER-SBS$
Caller Domain: MYSERVER
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1492
Transited Services: -
Source Network Address: -
Source Port: -
and, no I have not changed the administrator account password, but I have
changed the password of the active administrative user account.
"kj [SBS MVP]" wrote:
sbsstarter wrote:.
Ok; I get daily hits to the disabled admin account. Event log tells
me they are denied access. First, I was told the reason the attempts
are higher than my lockout policy is because policies don't apply to
admin account - correct? How can I find out who is making these
attempts and how I can deny that individual access? The most annoying
instance happens very close to the same time every morning at about
4:00 a.m. The logs don't give an address of the user trying the
attempted logins. What are my options?
Post an example of your failed logon attempt.
Is your administrator account 'disabled' by choice, or are you saying it's
disabled by lockout policy?
While this may be an external cause, it may also be an internal driven
event. Did you change the administrator password lately?
Policy applies to all accounts, but the administrator has some protections
against denying the true administrator (person) from gaining access to the
server.
Second, if the account is obviously disabled, why would a hacker keep
attempting to access it? It's not going to work...right?
Third, I've been noticing fail authentication attempts with the user
name MDaemon. Is that an actual service that I need to deal with, or
is it an attempt at unauthorized access?
Post one of these too.
Finally....if I've closed all ports except 25 TO the SBS box from my
external firewall appliance, why am I still seeing failed
authentication attempts on a daily basis? Is it possible to attempt a
login through port 25 which is designated for exchange?
--
/kj
- Follow-Ups:
- Re: Another security question/issue.
- From: kj [SBS MVP]
- Re: Another security question/issue.
- References:
- Another security question/issue.
- From: sbsstarter
- Re: Another security question/issue.
- From: kj [SBS MVP]
- Another security question/issue.
- Prev by Date: Re: SBS 2K3 Standard Exchange Issue
- Next by Date: Re: SBS 2003 and Outlook RPC over HTTP issues
- Previous by thread: Re: Another security question/issue.
- Next by thread: Re: Another security question/issue.
- Index(es):
Relevant Pages
|
