Security Audit Failures - Brute Force Attack?

Posted on 2009-04-13
Last Modified: 2013-11-16
I get 1000's of these on my Citrix server daily:

The IPs change so rapidly and are never used twice.  I know this is a brute force attack but I wanted a second opinion from the Experts Exchange gurus.  Also, any suggestions on how to counter or defend this would be greatly appreciated. Thanks in advance...


Event Type:	Failure Audit
Event Source:	Security
Event Category:	Logon/Logoff
Event ID:	539
Date:		4/12/2009
Time:		9:56:50 PM

Logon Failure:
 	Reason:		Account locked out
 	User Name:	ADMIN
 	Logon Type:	3
 	Logon Process:	NtLmSsp
 	Authentication Package:	NTLM
 	Workstation Name:	\\LOCALHOST
 	Caller User Name:	-
 	Caller Domain:	-
 	Caller Logon ID:	-
 	Caller Process ID: -
 	Transited Services: -
 	Source Network Address:
 	Source Port:	0

For more information, see Help and Support Center at


Question by:whitehornet
LVL 36

Expert Comment

by:Carl Webster
ID: 24130640
What Citrix components are installed on your server?
What is sitting in front of the server?

Author Comment

ID: 24130676
Citrix Presentation Server 4.5
License Server v11
Web Apps

Sonicwall 2040 is sitting in front of the server.  I have port 80 open on this server for Web Apps to be streamed to clients.

LVL 36

Expert Comment

by:Carl Webster
ID: 24130733
That is a very unsecure setup you have there.

Citrix recommends that the web interface be installed on a separate server and to use the free Citrix Secure Gateway software to protect the servers.  It will look like this:

Internet -> SW2040 -> port 443-> CSG/WI -> PS4.5 server

Don't use CSG 3.1 as it removed support for streamed apps.

I wrote a 3-part article on implementing CSG/WI and a wildcard ssl cert on a single server. is Part 1.

Author Comment

ID: 24130749
Thank you... I inherited this setup and am trying to convince the owners to purchase a new server so this helps validate my recommendation.  I will review the article and then comment.  Thanks again...

Accepted Solution

scwoa earned 500 total points
ID: 24274499
In the log above, it states that

>>Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      \\LOCALHOST

NTLM usually means that someone is trying to map a drive.
You should double check your firewall and make sure that ports 135, 137, 139, and 445 are NOT open to the internet.
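
Added example, not part of the thread or written by any of its posters: a Python script that parses Security events exported as text in the layout quoted in the question and tallies the failure audits by account, logon type, workstation name and hour. The sample records, the second workstation name, the address 192.0.2.10 and the function names parse_events and summarize are constructed for the illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed sample records in the layout of the event quoted in the question;
# the users, times, second workstation name and address are made up.
TEMPLATE = ("Event Type:\tFailure Audit\nEvent ID:\t539\nDate:\t\t4/12/2009\n"
            "Time:\t\t{time}\nLogon Failure:\n \tReason:\t\tAccount locked out\n"
            " \tUser Name:\t{user}\n \tLogon Type:\t{ltype}\n"
            " \tAuthentication Package:\tNTLM\n \tWorkstation Name:\t{ws}\n"
            " \tSource Network Address:{addr}\n \tSource Port:\t0\n\n")
ROWS = [("9:56:50 PM", "ADMIN", "3", r"\\LOCALHOST", ""),
        ("9:56:52 PM", "ADMIN", "3", r"\\LOCALHOST", ""),
        ("9:57:10 PM", "ADMIN", "3", r"\\EXAMPLE-PC", ""),
        ("10:03:01 PM", "jsmith", "10", r"\\CITRIX01", "\t192.0.2.10")]
SAMPLE = "".join(TEMPLATE.format(time=t, user=u, ltype=l, ws=w, addr=a)
                 for t, u, l, w, a in ROWS)

def parse_events(text):
    """Split exported event text into one dict of 'Field: value' pairs per event."""
    events = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # first colon only, so times survive
        if not sep:
            continue
        if key.strip() == "Event Type":        # each record starts with this field
            events.append({})
        if events:
            events[-1][key.strip()] = value.strip()
    return events

def summarize(events):
    """Tally failure audits by account, logon type, workstation name and hour."""
    fails = [e for e in events if e.get("Event Type") == "Failure Audit"]
    network = [e for e in fails if e.get("Logon Type") == "3"]  # 3 = network logon
    stamp = "%m/%d/%Y %I:%M:%S %p"
    return {
        "by_user_and_type": Counter(
            (e.get("User Name"), e.get("Logon Type")) for e in fails),
        "network_without_source": sum(
            not e.get("Source Network Address") for e in network),
        "claimed_workstations": Counter(e.get("Workstation Name") for e in network),
        "per_hour": Counter(
            datetime.strptime(f"{e['Date']} {e['Time']}", stamp).strftime("%Y-%m-%d %H:00")
            for e in fails),
    }

if __name__ == "__main__":
    for name, value in summarize(parse_events(SAMPLE)).items():
        print(name, value)
```

The workstation name in an NTLM logon is supplied by the connecting client, and events with no source address logged have to be correlated with the firewall's own connection log by timestamp.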


Question has a verified solution.
