Solved

What do the logs in the NT Security event viewer mean?

Posted on 2001-06-17
Last Modified: 2010-04-11
Hello!!

    I have an NT4 SP6 server, and I always monitor my NT security event viewer.  I am just wondering: sometimes I receive a security log of type "Failure Audit":
Event ID: 529
Description:
  Logon Failure:
  Reason: Unknown user name or bad password
  User name: DENIS HAWES
  domain: CHAMBERS
  logon Type: 3
  logon process:  KSecDD
  Authentication package:
  Microsoft_authentication_package_V1_0
  Workstation Name: \\ DENIS

   What does it mean?  All the information above (the user, domain & workstation name) is irrelevant and does not exist on our network. We don't have a firewall, but according to our ISP they have one. Is it okay?
   We are connected via a 56 kbps modem to our local ISP.
  Please help.
Question by:bubana
9 Comments
 
LVL 9

Expert Comment

by:TTom
ID: 6202363
It means someone tried to login to your server using this information.  If your server has NTFS-protected directories (i.e., if the security does not provide open access for the "Everyone" group), when a user tries to access anything on the server, NT will issue a challenge/response, i.e., a logon dialog box will appear.  If the user fills in something, they will either be authenticated to access the resource they requested, or they will be denied (if their credentials do not match those of an authorized user).

Since this user is providing quite a bit of information here, I would suggest this is probably an error, rather than an attempt to hack your network.

However, if this recurs, I would suggest you evaluate your security, particularly the idea of having a firewall.  Better that you should be in control, rather than depending upon an ISP for protection.

You might ask your ISP if the domain and user make any sense to them.  There is a small possibility that this is one of their employees who is inadvertently attempting to do something which points them to your network.

Tom
0
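Added example (not part of the original thread or any poster's code): one way to check whether a failure like the one quoted in the question recurs, by parsing Event 529 description text and grouping it by source. The known domain OFFICE, the user jsmith and the repeat count are constructed for illustration.

```python
from collections import Counter

# Constructed sample input: PAGE_EVENT reuses the fields quoted in the question;
# LOCAL_EVENT (OFFICE\jsmith) and the repeat of PAGE_EVENT are made up.
PAGE_EVENT = r"""Event ID: 529
Description:
  Logon Failure:
  Reason: Unknown user name or bad password
  User name: DENIS HAWES
  domain: CHAMBERS
  logon Type: 3
  Authentication package:
  Microsoft_authentication_package_V1_0
  Workstation Name: \\ DENIS"""
LOCAL_EVENT = "Event ID: 529\nUser name: jsmith\ndomain: OFFICE\nlogon Type: 2"
SAMPLE_EVENTS = [PAGE_EVENT, LOCAL_EVENT, PAGE_EVENT]

def parse_event(text):
    """Turn 'Key: value' lines into a dict with lower-cased keys."""
    fields, last = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if ":" in line:
            key, _, value = line.partition(":")
            last = key.strip().lower()
            fields[last] = value.strip()
        elif line and last and not fields[last]:
            fields[last] = line  # value wrapped onto the following line
    return fields

def triage(events, known_domains, repeat_threshold=2):
    """Group Event 529 failures by source and say why each group stands out."""
    parsed = [parse_event(e) for e in events]
    groups = Counter(
        (e.get("user name", ""), e.get("domain", "").upper(),
         e.get("workstation name", ""), e.get("logon type", ""))
        for e in parsed if e.get("event id") == "529")
    findings = []
    for (user, domain, wks, ltype), n in sorted(groups.items()):
        reasons = []
        if ltype == "3":
            reasons.append("network logon (type 3), not at the console")
        if domain not in known_domains:
            reasons.append("domain not used on this network")
        if n >= repeat_threshold:
            reasons.append(f"repeated {n} times")
        if reasons:
            findings.append({"user": user, "domain": domain,
                             "workstation": wks, "count": n, "reasons": reasons})
    return findings
```

Calling triage(SAMPLE_EVENTS, known_domains={"OFFICE"}) returns a single finding for the CHAMBERS source; the local interactive failure is not flagged.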
 
LVL 12

Accepted Solution

by:
Housenet earned 20 total points
ID: 6204769
bubana, I would interpret this as an attempt to gain access to your server.
-To test if your ISP is truly "protecting" your server, try this simple test:
1. Connect online with the 56k modem. Get your IP from the connection info after connecting. Say it's 200.1.1.20
2. From a separate connection (a friend on a different ISP would be ideal), ask him to see what happens when he tries to type this from Run: \\200.1.1.20  (anything happen?)
3. Tell him to try from an NT machine at the cmd prompt:
net use \\200.1.1.20\c$ /User:Administrator (Does it ask to supply the password?)
-If either of these tests asks for credentials or passwords, then your ISP is not doing jack for you in terms of protection, because the netbios ports 135-139 are open...
-If you give me your IP while you're online & these ports are open, I can give you your domain name, server name, all accounts, services, shares, probably the passwords for several of the accounts as well... Would you like to try it?

http://www.eventid.net/display.asp?source=MoniLog&eventid=529
 

Author Comment

by:bubana
ID: 6204803
Tom,

   I have a follow-up question: by what route does the hacker enter our network? Our setup here is a 56 kbps dial-up connection to our ISP in order to access the internet.  My modem is configured as dial-out only.  I forgot to tell you that sometimes I get a logged user name of "anonymous" in the category "logon/logoff", logged as successful, without any username & domain info.  Does it mean they logged on successfully to our domain without valid username and domain authentication?
   Which of our network resources do these hackers access?
   Thanks for the information.
 
LVL 9

Expert Comment

by:TTom
ID: 6206221
The Anonymous logon means someone has accessed a resource on your network.

If you are truly concerned about what is being done, I would suggest you audit access to all files.  This can be processor intensive, but it will tell you who is accessing what.

Does your network have Win95/98 machines on it?  Is everyone using the network required to have a valid logon id?  Are all the directories/sites on your web server configured to deny anonymous access (or, more specifically, not to allow it)?

NT is not terribly secure unless you make it so.  By default, the Everyone group is granted access to resources with Full Control.  This represents a great security risk, and you would be advised to pick up some information on NT security (there are whitepapers and books available which will help).

Sometimes, however, it is not that someone is trying to do something malicious, just that the configuration of the server makes it appear so.

Wish I could be of more assistance.

Tom
 
LVL 12

Expert Comment

by:Housenet
ID: 6208968
-So banana, how's it going with your problem?
 

Author Comment

by:bubana
ID: 6213031
housenet,

        Working fine. I mean the network is still up and running.
The command you gave me has a syntax problem; I can't figure it out.
        Thanks for your effort, partner.
 
LVL 12

Expert Comment

by:Housenet
ID: 6214282
-What command ?
 

Author Comment

by:bubana
ID: 6223145
housenet,

   This command:

net use \\200.1.1.20\c$ /User:Administrator (Does it ask to supply the password?)

  I changed the IP to our IP's domain name.  It flashes an error: "system error 67 has occurred.  The network name cannot be found"  What does it mean? Syntax error?
Thanks
 
LVL 12

Expert Comment

by:Housenet
ID: 6223148
bubana, that's a good sign. It means that the netbios ports are probably blocked & your ISP is really doing as they say.