Re: Another security question/issue.
- From: "kj [SBS MVP]" <KevinJ.SBS@xxxxxxxxxxxxxxxxxx>
- Date: Wed, 26 Mar 2008 19:29:45 -0700
Please post the complete events including event id and accounts numbers.
There should really be nothing in there that would be an issue for public
posting.
For the Mdaemon, that would be typical of a third party email product. If it
exists on your SBS server then it should be by intent, not by accident.
The first event is missing the username and logon process appears 'munged'.
In example 2, adavpi is IIS if that helps.
sbsstarter wrote:
Here are posts of the failed login attempts:
22 occurrences
Logon Failure:
Reason: Account currently disabled
User Name:
Domain:
Logon Type: 3
Logon Process: Authz
Authentication Package: Kerberos
Workstation Name: MYSERVER-SBS
Caller User Name: MYSERVER-SBS$
Caller Domain: MYSERVER
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 876
Transited Services: -
Source Network Address: -
Source Port: -
--and--
Logon Failure:
Reason: Unknown user name or bad password
User Name: MDaemon
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: MYSERVER-SBS
Caller User Name: MYSERVER-SBS$
Caller Domain: MYSERVER
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1492
Transited Services: -
Source Network Address: -
Source Port: -
and, no I have not changed the administrator account password, but I
have changed the password of the active administrative user account.
"kj [SBS MVP]" wrote:
sbsstarter wrote:
Ok; I get daily hits to the disabled admin account. Event log tells
me they are denied access. First, I was told the reason the attempts
are higher than my lockout policy is because policies don't apply to
admin account - correct? How can I find out who is making these
attempts and how I can deny that individual access? The most
annoying instance happens very close to the same time every morning
at about 4:00 a.m. The logs don't give an address of the user
trying the attempted logins. What are my options?
Post an example of your failed logon attempt.
Is your administrator account 'disabled' by choice, or are you
saying it's disabled by lockout policy?
While this may be an external cause, it may also be an internal
driven event. Did you change the administrator password lately?
Policy applies to all accounts, but the administrator has some
protections against denying the true administrator (person) from
gaining access to the server.
Second, if the account is obviously disabled, why would a hacker
keep attempting to access it? It's not going to work...right?
Third, I've been noticing fail authentication attempts with the user
name MDaemon. Is that an actual service that I need to deal with, or
is it an attempt at unauthorized access?
Post one of these too.
Finally....if I've closed all ports except 25 TO the SBS box from my
external firewall appliance, why am I still seeing failed
authentication attempts on a daily basis? Is it possible to attempt
a login through port 25 which is designated for exchange?
--
/kj
--
/kj
.
- Follow-Ups:
- Re: Another security question/issue.
- From: robbie . desutter
- Re: Another security question/issue.
- References:
- Another security question/issue.
- From: sbsstarter
- Re: Another security question/issue.
- From: kj [SBS MVP]
- Re: Another security question/issue.
- From: sbsstarter
- Another security question/issue.
- Prev by Date: Re: # of RDPs and console
- Next by Date: Re: SBS 2K3 Standard Exchange Issue
- Previous by thread: Re: Another security question/issue.
- Next by thread: Re: Another security question/issue.
- Index(es):
Relevant Pages
|
