  • Status: Solved
  • Priority: Medium
  • Security: Public
Failure Audits in Security Log for service account user.

Each day in my SBS2003 report, I see two errors that I can't seem to find the fix for. I originally thought some service on the DC needed the service user's password updated, but everything appears in order and I'm still getting these two errors each day from the DC. They happen back to back at the same time, usually up to 20 occurrences each day. Oh, and to bypass the advapi virus posts that will come, this machine is virus-free according to the installed Symantec software (10.2 Corp) and TrendMicro/BitDefender online scans. The advapi process listed below is NOT an advapi.exe virus; it's the IIS process. Just in case that comes up in anyone's mind :)

The first event is:
---------------------------------------------------------------------------------------------------------------------------
Logon attempt by:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:      serviceacct
 Source Workstation:      OURSBS2003DC
 Error Code:      0xC000006A
----------------------------------------------------------------------------------------------------------------------------
The second event, from same exact time is:
----------------------------------------------------------------------------------------------------------------------------
Reason:      Unknown user name or bad password
User Name:      serviceacct
Domain:       
Logon Type:      3
Logon Process:      Advapi
Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name:      OURSBS2003DC
Caller User Name:      OURSBS2003DC$
Caller Domain:      SBS
Caller Logon ID:      (0x0,0x3E7)
Caller Process ID:      2084
Transited Services:      -
Source Network Address:      -
Source Port:      -
---------------------------------------------------------------------------------------------------------------------------
Asked: lancesaville

1 Solution
 
KCTSCommented:
It would seem that the service (or scheduled task) is attempting to use a username/password that has been changed. You should create a dedicated account for the service, set both account and password to "does not expire", and use that. Don't use active user accounts with services (or scheduled tasks).
 
lancesavilleAuthor Commented:
This account is a service acct and that's all it does. Its password does not expire. Is there any way, looking at the codes provided, to tell what service or sched task is trying to run? I checked everything in services and sched tasks before posting and they all contain the service user's acct, and no sched tasks fail to run each day and no services fail to start each day.
 
DrDave242Commented:
I'm not so sure it's a service/task with a bad password.  Service logons show up as logon type 5, and scheduled tasks are type 4, but this one's a type 3, which is a network logon.  The 0xC000006A error code does signify a valid user name with a bad password, so that much is correct, but I don't think a misconfigured service or task is to blame.  Has this account been used for anything else, like mapping drives?
 
DrDave242Commented:
Oh, hey, I just noticed that a process ID of 2084 is given in the error.  Run the "tasklist" command at a command prompt, and this will give you a list of the running processes on the system.  Find the one with PID 2084, and you're that much closer to fixing it.
 
lancesavilleAuthor Commented:
Running tasklist leads to IIS, which also encompasses the advapi error. We have OWA and RDP enabled for external access. Could this be someone (a cracker, or perhaps someone who used to work here maybe?) trying to log in to OWA with the service acct? Please advise.
 
lancesavilleAuthor Commented:
Oh, and no, DrDave, the account was specifically created a while back to handle service authentication. It has no other duties and is not a 'used on a daily basis' user acct.
 
DrDave242Commented:
Check your IIS logs, located by default in C:\windows\system32\logfiles.  Within that folder, there will probably be several folders with names beginning with W3SVC, which correspond to the web sites you've got running on that server.  Within those folders, check for the log file that corresponds to the date on the timestamp of the particular event you're tracking.  Open the file and scroll down to the correct time, then see what you can find.  If you don't see anything at all, check a different W3SVC folder.  (There will also be a folder corresponding to the FTP service, if you've enabled it, and if so, it's certainly worth checking too.)  The logs can be somewhat difficult to parse, but you should be able to get some useful information out of them.

Oh, and you can see which log folder corresponds to which site in IIS Manager.  Right-click a web site and select Properties.  In the Web Site tab, click the Properties button within the "Enable logging" section.  At the very bottom of the logging properties window, you'll see "Log file name:" listed, and that will tell you which folder contains that site's log files.
 
lancesavilleAuthor Commented:
nothing in my logs matches up to the same exact time as ANY of the events. Some are within the same hour but they are just users logging in and checking their mail. No mention of the service acct in question. Any other thoughts guys ?
 
lancesavilleAuthor Commented:
I did see on 2 occasions an entry within 1 minute of one of the errors, listed as

OPTIONS /  - 80 - 10.0.0.33 (an internal workstation) Microsoft-webdav-miniredir/5.1.2600 200 0 0 261 143

I looked back and this seems to be going on within a min or two of the failure audits. I don't know a THING about WebDAV, so does anyone know if this would have ANYTHING to do with the errors I'm getting? Thanks guys.
 
lancesavilleAuthor Commented:
UPDATE: we do not use WebDAV for anything on our DC or web server.
 
DrDave242Commented:
Do all of those OPTIONS entries in the log that seem to correspond to the failure audits have that same IP address (10.0.0.33) in them?  That entry in the log is apparently generated by a connection from an XP Pro client to a shared drive.  Is there a PROPFIND entry (with the same address) after the OPTIONS entry?  If so, it should name the share that's being accessed.  You can then check that client to see if it's got a persistent mapping to the share in question.

Most of this information I'm getting from here:
http://www.wsus.info/forums/lofiversion/index.php?t1354.html
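The procedure DrDave242 describes above (walk the W3SVC log for the date of the failure audit, look at the minutes around its timestamp, then pair an OPTIONS request from a client with the PROPFIND that follows it to learn which share the client is mapping) can be scripted rather than done by scrolling. The following is an added example written for this thread, not code posted by any participant; it parses the failure-audit field list as shown in the question and a W3C extended IIS log, and correlates them. Everything in it is constructed: the "Event time" line is added because the audit text quoted in the question omits the Event Viewer timestamp, the IIS log excerpt and its IPs, paths and statuses are made up, and the UTC offset is an assumption passed in by the caller. The one caveat worth knowing before comparing times by hand is that IIS writes W3C extended log timestamps in UTC while Event Viewer displays local time, so a "same exact time" match will not appear unless the offset is applied.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failure-audit text. The field names mirror the event quoted in the
# thread; the "Event time" line and its value are assumptions added for the example.
AUDIT_EVENT = """Event time: 2008-03-14 09:12:41
Reason:      Unknown user name or bad password
User Name:      serviceacct
Domain:
Logon Type:      3
Logon Process:      Advapi
Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name:      OURSBS2003DC
Caller User Name:      OURSBS2003DC$
Caller Domain:      SBS
Caller Logon ID:      (0x0,0x3E7)
Caller Process ID:      2084
Transited Services:      -
Source Network Address:      -
Source Port:      -
"""

# Constructed W3C extended log excerpt using the IIS 6 default field set. W3C logs
# record UTC; this sample assumes a server at UTC-5, so 09:12 local is 14:12 here.
# Client IPs, paths and status codes are invented for the example.
IIS_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-03-14 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-03-14 13:58:02 10.0.0.5 GET /exchange/ - 443 SBS\\jdoe 10.0.0.41 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2008-03-14 14:11:55 10.0.0.5 OPTIONS / - 80 - 10.0.0.33 Microsoft-WebDAV-MiniRedir/5.1.2600 200 0 0
2008-03-14 14:11:55 10.0.0.5 PROPFIND /public/ - 80 - 10.0.0.33 Microsoft-WebDAV-MiniRedir/5.1.2600 401 2 0
2008-03-14 14:11:56 10.0.0.5 PROPFIND /public/ - 80 - 10.0.0.33 Microsoft-WebDAV-MiniRedir/5.1.2600 401 1 0
2008-03-14 14:30:10 10.0.0.5 GET /exchange/ - 443 SBS\\asmith 10.0.0.52 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
"""


def parse_audit(text):
    """Turn the 'Field:   value' lines of a failure audit into a dict; blank fields become ''."""
    fields = {}
    for line in text.splitlines():
        if ':' in line:
            key, _, value = line.partition(':')
            fields[key.strip()] = value.strip()
    return fields


def parse_iis_log(text):
    """Parse W3C extended format, taking column names from the #Fields directive.

    Values never contain spaces in this format (IIS encodes them as '+'), so a plain
    split is safe. Each row gets a 'utc' datetime built from the date and time columns.
    """
    names, rows = None, []
    for line in text.splitlines():
        if line.startswith('#Fields:'):
            names = line[len('#Fields:'):].split()
            continue
        if not line or line.startswith('#'):
            continue
        if names is None:
            raise ValueError('log data appeared before a #Fields directive')
        values = line.split()
        if len(values) != len(names):
            raise ValueError('column count mismatch: %r' % line)
        row = dict(zip(names, values))
        row['utc'] = datetime.strptime(row['date'] + ' ' + row['time'], '%Y-%m-%d %H:%M:%S')
        rows.append(row)
    return rows


def correlate(audit, rows, utc_offset_hours, window_minutes=2):
    """Return log rows within +/- window_minutes of the audit's local timestamp.

    utc_offset_hours is the server's offset from UTC (e.g. -5); it is applied to the
    Event Viewer (local) time so it can be compared with the UTC times in the W3C log.
    """
    local = datetime.strptime(audit['Event time'], '%Y-%m-%d %H:%M:%S')
    audit_utc = local - timedelta(hours=utc_offset_hours)
    window = timedelta(minutes=window_minutes)
    return [r for r in rows if abs(r['utc'] - audit_utc) <= window]


def webdav_shares(rows):
    """For each client that sent an OPTIONS request, list the paths it then PROPFINDed.

    The OPTIONS/PROPFIND pair is how the Windows WebDAV Mini-Redirector probes a mapped
    location, so the PROPFIND path names the share the client is trying to reach.
    """
    by_ip = defaultdict(list)
    for r in rows:
        by_ip[r['c-ip']].append(r)
    result = {}
    for ip, hits in by_ip.items():
        if any(h['cs-method'] == 'OPTIONS' for h in hits):
            result[ip] = sorted({h['cs-uri-stem'] for h in hits if h['cs-method'] == 'PROPFIND'})
    return result


if __name__ == '__main__':
    audit = parse_audit(AUDIT_EVENT)
    near = correlate(audit, parse_iis_log(IIS_LOG), utc_offset_hours=-5)
    for r in near:
        print(r['time'], r['c-ip'], r['cs-method'], r['cs-uri-stem'], r['sc-status'])
    print(webdav_shares(near))
```

On the server itself, the Caller Process ID from the audit can be resolved without scrolling the full process list with `tasklist /FI "PID eq 2084"`, which is the same tasklist command DrDave242 suggests, filtered to the one PID. If the correlated rows all come from one client address and the PROPFIND paths all point at the same share, that client's persistent mapping (and the credentials saved for it) is the place to look, which is where this thread ended up.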
 
lancesavilleAuthor Commented:
Before I went home Friday, I removed ALL the old user accts from, and cleaned up, the workstation in question (.33), and here we are Monday morning with no errors :) The W3SVC logs did the trick and led me to the problem, so DrDave242 will get the accepted solution. THANKS GUYS!
 
lancesavilleAuthor Commented:
Thanks for your help doc :)