Event ID 680 - Getting invalid logon attempts from my server

I noticed these in my event logs.  Sometimes it's a user id of "academia" and sometimes it's "inna".  How is this happening?  What is happening?  Why is the "Source Workstation" my server?  Scary stuff.
PS I am current on all patches and on anti-virus (Trend Micro).

Source Event ID Last Occurrence Total Occurrences
  Security 680 10/16/2008 12:48 PM 5 *
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: inna
Source Workstation: CompSvr
Error Code: 0xC0000064

Source Event ID Last Occurrence Total Occurrences
  Security 529 10/16/2008 12:48 PM 5 *
Logon Failure:
  Reason: Unknown user name or bad password
  User Name: inna
  Domain:  
  Logon Type: 3
  Logon Process: Advapi
  Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  Workstation Name: CompSvr
  Caller User Name: CompSvr$
  Caller Domain: MyDomain
  Caller Logon ID: (0x0,0x3E7)
  Caller Process ID: 1556
  Transited Services: -
  Source Network Address: -
  Source Port: -
 
pistolslapper Commented:
Are you using any remote control software like vnc on your server?

rowek (Author) Commented:
No sir.  We do open up the Remote Desktop Port sometimes to get to client PCs.  Small Business Server also puts out a Welcome screen that looks like this:
(I am most concerned about Remote Web Workplace which allows somebody to sign on to my server remotely.  I do not know how to disable it)

Welcome to Windows Small Business Server 2003
 To get started, click a link.


  My Company's Internal Web Site
 Collaborate and share documents on your company's internal Web site.
   
  Network Configuration Wizard
 Join a client computer to the Windows Small Business Server network.
   
  Remote Web Workplace
 Connect to the Windows Small Business Server network over the Internet.
 

pistolslapper Commented:
How frequently are you getting these events? If it is quite frequent it may be worth running a piece of software like Wireshark to see where the logon attempts are coming from.

harrytwotoes Commented:
If your server is securely placed and no one can walk up to it and type on the keyboard, the issue is likely the RWW.  You can specify who is allowed to log into this service by the following:
1) Open Server Management

2) On the left hand side navigation click on "Security Groups"

3) Now on the right hand side you will see all of the Security Groups that SBS builds by default, and any of the ones that you put in there.

4) Double click on Remote Web Workplace Users.

5) Click on the Members tab.

6) Add whoever you would like.  Make sure that the mass groups like "everyone, and domain users" are not in the list.

7) Apply your changes.


rowek (Author) Commented:
Okay, harrytwotoes, I went out and did what you said.  There were no "everyone, and domain users" in that group, only a few that need it.  Is there any way to tell my server not to even display the Welcome Screen "Welcome to Windows Small Business Server 2003" (see detail above)?  Everyone who needs access to our server goes directly to a specific page.

pistolslapper - I get these messages frequently, ten a day.  They indicate the workstation being used is my server.  Will something like Wireshark actually help?

harrytwotoes Commented:
Ah.

To enable or disable Remote Web Workplace
Open the Windows SBS Console.

On the navigation bar, click Shared Folders and Web Sites.

Click the Web Sites tab.

Right-click Remote Web Workplace, and then do one of the following:

To enable Remote Web Workplace so that users can remotely access network features, click Enable this site.

To prevent users from accessing Remote Web Workplace, click Disable this site.

--site referenced--
http://technet.microsoft.com/en-us/library/cc527621.aspx

rowek (Author) Commented:
harrytwotoes: where is this Windows SBS Console you are talking about?  I am running 2003 and cannot find it.  I normally use "SBS Server Mgt", but never the console.

harrytwotoes Commented:
Start > Programs > Windows Small Business Server > Windows SBS Console

rowek (Author) Commented:
Let me tell you how I brute force took it down.  I opened up IIS Mgr and clicked on "REMOVE".  It is no longer an application, just a folder.  If somebody tries to access it now they get the WSOD (.NET White Screen of Death).  I will see if this stops the sign on attempts.  If you can tell me a more elegant way to turn this down on SBS 2003 I would appreciate it, but the intent of your solution works fine: turn down RWW.
Thanks to both of you guys.
Keith

rowek (Author) Commented:
I looked and looked for that program group and app on my Start Menu...does not exist.  Do you have the name of the EXE?  I will create the group from scratch.  Point awarded.

rowek (Author) Commented:
http://www.eggheadcafe.com/software/aspnet/33255125/keep-getting-login-failur.aspx
Above is a good explanation of what is happening.  They are trying to relay off of my Exchange server.
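
Added example, not part of the original thread: a Python triage over records in the text layout posted in the question. It decodes the Event 680 error code and flags Event 529 records raised from the LocalSystem logon session (0x3E7) with no source address, which is why the server names itself as the workstation; the function names and the "academia" record are constructed for illustration.

```python
import re
from collections import Counter

# Standard NTSTATUS values that Event 680 reports in "Error Code".
NTSTATUS = {0xC0000064: "no such user", 0xC000006A: "wrong password",
            0xC0000072: "account disabled", 0xC0000234: "account locked out"}
# Constructed sample in the layout shown in the question; blank line between records.
SAMPLE = """\
Logon account: inna
Source Workstation: CompSvr
Error Code: 0xC0000064

Logon account: academia
Error Code: 0xC0000064

Logon Failure:
  User Name: inna
  Logon Type: 3
  Caller Logon ID: (0x0,0x3E7)
  Caller Process ID: 1556
  Source Network Address: -
"""

def parse_records(text):
    """Split on blank lines and turn 'Key: value' lines into one dict per record."""
    line = re.compile(r"^[ \t]*([^:\n]+):[ \t]*(.*?)[ \t]*$", re.M)
    return [dict(line.findall(block)) for block in re.split(r"\n\s*\n", text.strip())]

def triage(rec):
    """Return findings for one parsed record (680 or 529 layout)."""
    notes = []
    if "Error Code" in rec:  # Event 680
        code = int(rec["Error Code"], 16)
        notes.append("680: " + NTSTATUS.get(code, "unlisted status %#x" % code))
    # 529 from the LocalSystem session: check that service's own log for the client address.
    if (rec.get("Caller Logon ID") == "(0x0,0x3E7)" and rec.get("Logon Type") == "3"
            and rec.get("Source Network Address", "-") == "-"):
        notes.append("529: submitted by a LocalSystem service on this host, PID %s"
                     % rec.get("Caller Process ID", "?"))
    return notes

def guessed_accounts(records):
    """Count 680 failures whose status says the account name does not exist."""
    return Counter(r["Logon account"] for r in records
                   if int(r.get("Error Code", "0"), 16) == 0xC0000064)

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print([triage(r) for r in recs], guessed_accounts(recs))
```

The Caller Process ID in the 529 record can be matched against the running process list on the server to name the service that handled the logon.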