Logon failures 529 672 & 680

morse57 asked:

Hi experts

I have suddenly started having problems with security events and I can't tie the start of them down to any specific update or the like.  I suppose this question is best broken down into two parts.

Yesterday there were 47 Failure Audits recorded between 16:00:05 & 16:11:42 involving attempted logins by the username Administrator, generating event IDs 529, 672 & 680.  The Administrator account has been renamed from day 1 and here is an example of one type of log entry:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      672
Date:            07/06/2007
Time:            16:00:05
User:            NT AUTHORITY\SYSTEM
Computer:      AML-SERVER
Description:
Authentication Ticket Request:
       User Name:            Administrator
       Supplied Realm Name:      OURDOMAIN.LOCAL
       User ID:                  -
       Service Name:            krbtgt/OURDOMAIN.LOCAL
       Service ID:            -
       Ticket Options:            0x40810010
       Result Code:            0x6
       Ticket Encryption Type:      -
       Pre-Authentication Type:      -
       Client Address:            127.0.0.1
       Certificate Issuer Name:      
       Certificate Serial Number:      
       Certificate Thumbprint:      

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
** That wasn't any help - it said "There is no Failure Audit form of this audit event record". Hmmm.

I cannot see anything in application or system logs which could have caused this.  Is there any way in which I can find out which program / process has used this login, please?  
Alternatively, could this be something more sinister?  No infections have been found on the daily full virus scans across the network and we have a hardware firewall.  The firewall did report that it had repelled several Smurf attacks exactly an hour earlier, purporting to originate from an address belonging to African Network Information Center, and there is no evidence I have found to suggest that the firewall was breached.

In addition, I have started to get occasional event ID 673 failures, within the DHCP range reserved for VPN clients & also some LAN clients.  The clocks seem to be in sync with the server and a success audit is registered at the next event.  No failure event is recorded on the client, only the success.

Any ideas, please?
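An added example, not part of the question or of any answer on this page: a small triage script that parses Security log records in the exported text layout shown above (events 529, 672 and 680), groups Failure Audits per account, and reports bursts together with where the requests came from and what the result codes mean. The records in SAMPLE_LOG are constructed to resemble the asker's entry and are not real log data; the export date is assumed to be dd/mm/yyyy, and the 529/680 field names are the standard Windows Server 2003 ones. One thing the script makes visible is that a Client Address of 127.0.0.1 in a 672 record means the ticket request was made on the domain controller itself, so the source to look for is a local service, scheduled task or mapped drive using the old account name rather than a remote host.

```python
"""Triage of Windows Server 2003-style Security log exports (events 529, 672, 680).

Parses the indented "Key: value" text layout, then looks for bursts of failed
logons against one account and reports their sources and failure reasons.
All sample records are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos KDC error codes (RFC 4120) as shown in the 672 "Result Code" field
KRB_RESULT = {
    "0x6": "KDC_ERR_C_PRINCIPAL_UNKNOWN: no such account in the realm",
    "0x12": "KDC_ERR_CLIENT_REVOKED: account disabled, expired or locked out",
    "0x17": "KDC_ERR_KEY_EXPIRED: password expired",
    "0x18": "KDC_ERR_PREAUTH_FAILED: wrong password",
    "0x25": "KRB_AP_ERR_SKEW: clock skew too great",
}
# NTSTATUS codes as shown in the 680 "Error Code" field
NT_RESULT = {
    "0xC0000064": "STATUS_NO_SUCH_USER",
    "0xC000006A": "STATUS_WRONG_PASSWORD",
    "0xC0000234": "STATUS_ACCOUNT_LOCKED_OUT",
}


def record(event_id, time, body):
    """Build one constructed record in the exported-text layout (date assumed dd/mm/yyyy)."""
    return (f"Event Type:\tFailure Audit\nEvent Source:\tSecurity\nEvent ID:\t{event_id}\n"
            f"Date:\t07/06/2007\nTime:\t{time}\nComputer:\tAML-SERVER\nDescription:\n{body}\n")


AS_REQ = ("Authentication Ticket Request:\n\tUser Name:\t{user}\n\tSupplied Realm Name:\t"
          "OURDOMAIN.LOCAL\n\tService Name:\tkrbtgt/OURDOMAIN.LOCAL\n\tResult Code:\t{code}\n"
          "\tClient Address:\t{addr}")

# Constructed sample: a short burst against "Administrator" from the DC itself,
# plus one unrelated wrong-password failure from a workstation later on.
SAMPLE_LOG = "".join([
    record(672, "16:00:05", AS_REQ.format(user="Administrator", code="0x6", addr="127.0.0.1")),
    record(672, "16:00:07", AS_REQ.format(user="Administrator", code="0x6", addr="127.0.0.1")),
    record(529, "16:00:08", "Logon Failure:\n\tReason:\tUnknown user name or bad password\n"
           "\tUser Name:\tAdministrator\n\tDomain:\tOURDOMAIN\n\tLogon Type:\t3\n"
           "\tSource Network Address:\t127.0.0.1"),
    record(680, "16:00:09", "Logon attempt by:\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
           "\tLogon Account:\tAdministrator\n\tSource Workstation:\tAML-SERVER\n"
           "\tError Code:\t0xC0000064"),
    record(672, "16:00:11", AS_REQ.format(user="Administrator", code="0x6", addr="127.0.0.1")),
    record(672, "16:30:00", AS_REQ.format(user="jsmith", code="0x18", addr="192.168.1.20")),
])

FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z /-]*?):\s*(.*?)\s*$")


def parse_events(text):
    """Split the export into records (one per 'Event Type:' line) of key -> value."""
    events, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Event Type":          # first line of every record
            current = {}
            events.append(current)
        if current is not None and value:  # skip section headers with no value
            current[key] = value
    for ev in events:
        ev["when"] = datetime.strptime(f"{ev['Date']} {ev['Time']}", "%d/%m/%Y %H:%M:%S")
    return events


def account_of(ev):
    return ev.get("User Name") or ev.get("Logon Account") or "?"


def source_of(ev):
    """Origin of the attempt: 672 gives an IP, 529/680 give an address or workstation."""
    for key in ("Client Address", "Source Network Address", "Source Workstation", "Workstation Name"):
        if ev.get(key):
            return ev[key]
    return "-"


def explain(ev):
    code = ev.get("Result Code") or ev.get("Error Code") or ""
    return KRB_RESULT.get(code) or NT_RESULT.get(code) or f"code {code or 'n/a'}"


def find_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return runs of at least `threshold` failures for one account inside `window`."""
    by_account = defaultdict(list)
    for ev in events:
        if ev.get("Event Type") == "Failure Audit":
            by_account[account_of(ev)].append(ev)
    bursts = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["when"])
        i = 0
        while i < len(evs):
            j = i
            while j + 1 < len(evs) and evs[j + 1]["when"] - evs[i]["when"] <= window:
                j += 1
            run = evs[i:j + 1]
            if len(run) >= threshold:
                bursts.append({"account": account, "start": run[0]["when"], "end": run[-1]["when"],
                               "count": len(run), "sources": {source_of(e) for e in run},
                               "reasons": {explain(e) for e in run}})
            i = j + 1
    return bursts


if __name__ == "__main__":
    for b in find_bursts(parse_events(SAMPLE_LOG), threshold=3):
        print(f"{b['account']}: {b['count']} failures {b['start']:%H:%M:%S}-{b['end']:%H:%M:%S} "
              f"from {sorted(b['sources'])}; {sorted(b['reasons'])}")
```

Run against a real export, the useful output is the set of sources per burst: a single 127.0.0.1 or the DC's own name narrows the search to processes on that server, while a list of client IPs points at the workstations or VPN clients to check next.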
SOLUTION
Keith Alabaster (United Kingdom)

ASKER CERTIFIED SOLUTION
I disagree. Sorry for not answering before but I assumed (obviously incorrectly) what the recommendation would be. This should have been a split, surely.

keith_alabaster,
<<waggin my finger at ya>>  You assumed?  <smile>   Ok, sometimes the obvious doesn't just jump out at me and I make an incorrect assumption.  When I come across a question that I'm not sure was answered to the complete resolution, I ping it, as I did here. I wasn't familiar with this particular problem, and henceforth not sure if there were other possibilities.
The only reason I ping one is to one, try and wake the asker up for a solution, and in the absence of that I'm seeking advice and recommendations from the contributors.
So if you see a ping from me, it basically means I can't make up my mind, please help!  <grin>
I'll gladly change my recommendation, seeing as how you are way more knowledgeable about this than I am, and the asker obviously doesn't care.
Riteheer
EE Cleanup Volunteer
Change recommendation to split between {ID:19247535Author:keith_alabaster} & {ID:19258538Author:TechSoEasy}

Riteheer
EE Cleanup Volunteer
It is unfortunate that many times we don't have the time to respond to the pings that you put out (it's a bank holiday here in the UK today though) so most times I don't worry about it. It can be frustrating when we know the answer was correct or at least it was the best advice to give the asker but it happens and most of us just live with it.

Personally I think you're doing a great job of CV from what I can see; as a CV myself I know what a thankless task it can be with the petty bickering about grades given and 'exact wording' etc so keep it up.

Only time I will jump in with a comment will be in any of the networking zones that I am Zone Advisor or Page Editor for (such as this one). In addition, if you ever want to discuss a question or at least get a second opinion, you can find me through the mail addresses in my profile.

As for knowing more than you? As you rightly said... 'You assumed.....'

regards
Keith
Keith,
Thanks for the kind words, it's guys like you and the many other regular people who are really part of the whole picture, that make the activity I participate in here worthwhile.  There may be a few whiners here and there, but hey, they are everywhere... you should try driving a truck for a living... trust me they are the majority...LOL
I appreciate the understanding and the pats on the back that come from what I associate as the regular crew here.  The camaraderie (sp?) is awesome.  It's nice to feel part of a team of intelligent people with the same wish... to help people... Makes me feel good.
Annie,
NP.  And thank you.
JP
morse57 (ASKER):
Hi folks

I'm really sorry, a. that I didn't award points & close this off &, b. that the notifications of posts went to my junkmail (now fixed - again) so I didn't realise there was this discussion.

Please accept shared points & thanks for the help.

Cheers
Steve
No problem... your return to close it out is certainly appreciated.

Jeff
TechSoEasy