• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 299
  • Last Modified:

What does it mean logs on NT Security event viewer?

Hello!!

    I have a server NT4 SP6, I always monitor my NT security event viewer.  I just wondering sometimes I always received a security log type: "failure Audit"
Event ID: 529
Description:
  Logon Failure:
  Reason: Unknown user name or bad password
  User name: DENIS HAWES
  domain: CHAMBERS
  logon Type: 3
  logon process:  KSecDD
  Authentication package:
  Microsoft_authentication_package_V1_0
  Workstation Name: \\ DENIS

   What does it means?  All the information above the user, domain & workstation name are all irrelevant and does not exist on our network. We don't have firewall but according to our ISP they have. Is it okey?
   We are connected via modem 56KBPS to our local ISP.
  Please help.
0
bubana
Asked:
bubana
  • 4
  • 3
  • 2
1 Solution
 
TTomCommented:
It means someone tried to login to your server using this information.  If your server has NTFS-protected directories (i.e., if the security does not provide open access for the "Everyone" group), when a user tries to access anything on the server, NT will issue a challenge/response, i.e., a logon dialog box will appear.  If the user fills in something, they will either be authenticated to access the resource they requested, or they will be denied (if their credentials do not match those of an authorized user).

Since this user is providing quite a bit of information here, I would suggest this is probably an error, rather than an attempt to hack your network.

However, if this recurs, I would suggest you evaluate your security, particularly the idea of having a firewall.  Better that you should be in control, rather than depending upon an ISP for protection.

You might ask your ISP if the domain and user make any sense to them.  There is a small possibility that this is one of their employees who is inadvertantly attempting to do something which points them to your network.

Tom
0
 
HousenetCommented:
bubana I would interprite this as an attempt to gain access to your server..
-To test if your ISP is trully "protecting" your server...try this simple test..
1. Connect online with the 56k modem.. Get  your IP from the connection info after connected.. Say its 200.1.1.20
2. From a seperate connection (a friend on a different ISP would be ideal)... Ask him to see what happens when he tries to type this from run \\200.1.1.20  (anything happen?)
3. tell him to try from an NT at the cmd prompt
net use \\200.1.1.20\c$ /User:Administrator (Does it ask to supply the password?)
-If either of these tests ask for credentials or passwords then your ISP is not doing jack for you in terms of protection because the netbios ports 135-139 are open...
-If you give me your IP while you're online & these ports are open I can give you, your domain name, server name, all acounts, services, shares, probably the passwords for several of the accounts as well... Would you like to try it ?

http://www.eventid.net/display.asp?source=MoniLog&eventid=529
0
 
bubanaAuthor Commented:
Tom,

   I have a Follow up question,  via what way the hacker enters to our network? Our setup here is a dial-up connection 56kbps to our ISP in order to access internet.  My modem configures as dial-out only.  I forgot to tell you sometimes i got a logged user name as "anonymous" on category "logon/logoff" successfully without any username & domain info.  It does means they are log successfully to our domain without valid username domain authentication?
   What are network resources of ours this hackers access?
   Thanks for the information.
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
TTomCommented:
The Anonymous logon means someone has accessed a resource on your network.

If you are truly concerned about what is being done, I would suggest you audit access to all files.  This can be processor intensive, but it will tell you who is accessing what.

Does your network have Win95/98 machines on it?  Is everyone using the network required to have a valid logon id?  Are all the directories/sites on your web server configured to deny anonymous access (or, more specifically, not to allow it)?

NT is not terribly secure unless you make it so.  By default, the Everyone group is granted access to resources with Full Control.  This represents a great security risk, and you would be advised to pick up some information on NT security (there are whitepapers and books available which will help).

Sometimes, however, it is not that someone is trying to do something malicious, just that the configuration of the server makes it appear so.

Wish I could be more assistance.

Tom
0
 
HousenetCommented:
-So banana, hows it going with your problem >?
0
 
bubanaAuthor Commented:
housenet,

        working fine. I mean network still up and running.
The command you gave me got a syntax problem, I can't figure it out.  
        Thanks for your effort partner.
0
 
HousenetCommented:
-What command ?
0
 
bubanaAuthor Commented:
housenet,

   This command:

net use \\200.1.1.20\c$ /User:Administrator (Does it ask to supply the password?)

  I changed Ip to our IP's domain name.  It flash an error "system error 67 has occurred.  The network name cannot be found"  What does it mean? Syntax error?
thanks
0
 
HousenetCommented:
bubana thats a good sign.. It means that the netbios ports are probably blocked & your ISP is really doing as they say..
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

  • 4
  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now