
Logon Process: Advapi Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Flipp asked:
In our SBS event viewer I noticed a large number of security failures for the above logon process and authentication package:
*****
Logon Failure:
       Reason:      Unknown user name or bad password
       User Name:      666
       Domain:       
       Logon Type:      3
       Logon Process:      Advapi
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      SERVER
       Caller User Name:      SERVER$
       Caller Domain:      DOMAIN
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      12592
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -
*****

The Username changes each attempt.

I initially thought that this was spawning from my SERVER, but after diagnosing the event log, I am thinking that it is a workstation on the domain that is attempting to connect.

Can anyone confirm this for me and suggest a strategy on how to find the workstation in question?
We currently only have AV installed on all using CA eTrust, but could look at Pest Patrol which is a part of the suite.

Distinguished Expert 2018

Commented:
It is not uncommon to see these on SBS (or any server that is accessible to the internet). Someone is hammering on your RWW landing page or your OWA landing page and trying to find credentials that work. They are hitting IIS and IIS is talking to AD. Since IIS runs on your server, it appears that the request is coming from your server. But if you check IIS logs, you'll see the failures there as well with the offending IP address(es).
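The triage described in this answer, as an added example that is not part of the thread: parse a pasted run of these "Logon Failure" entries, group them by Workstation Name and Caller Process ID to see whether one local process is cycling through usernames (as opposed to a real workstation), then count 401 responses per client IP in an IIS W3C log to recover the address behind SERVER$. All log lines, hostnames, PIDs and IPs below are constructed samples, and the RWW path is assumed.

```python
import re
from collections import defaultdict

# Constructed sample in the layout quoted above (usernames, hosts and PIDs are made up).
EVENT = """Logon Failure:
       User Name:      {user}
       Logon Process:      Advapi
       Workstation Name:      {ws}
       Caller Process ID:      {pid}
*****"""
SECURITY_LOG = "\n".join(EVENT.format(user=u, ws=w, pid=p) for u, w, p in [
    ("666", "SERVER", "12592"), ("admin", "SERVER", "12592"),
    ("test", "SERVER", "12592"), ("jsmith", "WS01", "4040")])
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+):\s*(.*)$")

def parse_events(text):
    """Split the pasted log on '*****' and turn each 'Key: value' entry into a dict."""
    events = []
    for block in text.split("*****"):
        fields = {m[1].strip(): m[2].strip()
                  for line in block.splitlines() if (m := FIELD_RE.match(line))}
        if fields.get("User Name"):       # skip the empty tail after the last separator
            events.append(fields)
    return events

def failure_sources(events, min_users=3):
    """Group failures by (Workstation Name, Caller Process ID) and keep sources cycling
    through many usernames; one PID on the server itself means a local service (IIS,
    SMTP) is relaying the guesses, so the next place to look is that service's log."""
    by_source = defaultdict(set)
    for e in events:
        by_source[(e["Workstation Name"], e["Caller Process ID"])].add(e["User Name"])
    return {src: sorted(u) for src, u in by_source.items() if len(u) >= min_users}

# Constructed IIS W3C lines; the '#Fields:' header names the columns as IIS writes it.
IIS_LOG = """#Fields: date time cs-method cs-uri-stem s-port c-ip sc-status
2009-04-14 10:02:11 POST /Remote/logon.aspx 443 203.0.113.5 401
2009-04-14 10:02:12 POST /Remote/logon.aspx 443 203.0.113.5 401
2009-04-14 10:05:40 GET /SelfUpdate/wuident.cab 8530 192.0.2.20 200
"""

def iis_auth_failures(text):
    """Count HTTP 401 responses per client IP: the address hidden behind SERVER$."""
    counts, fields = defaultdict(int), None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif fields and line and not line.startswith("#"):
            rec = dict(zip(fields, line.split()))
            if rec.get("sc-status") == "401":
                counts[rec["c-ip"]] += 1
    return dict(counts)
```

On a real box, run `failure_sources` over the pasted Security-log text first; a hit on SERVER with a single PID is the cue to check that PID (IIS or SMTP) and then the IIS logs with `iis_auth_failures`.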

Author

Commented:
I just checked the IIS logs and am only seeing a bunch of entries for WSUS - but I expected this with patch Tuesday being this week.

We do not use RWW or OWA for this site - how can I perhaps lock down on this, or how can I prevent access at the router/firewall. I only open port 25 for SMTP - can this port only be opened from one IP rather than the world?
Distinguished Expert 2018

Commented:
It could be the SMTP service, but I rarely see it. If you want to lock down your firewall, you can easily do so. I don't know enough about your topology to give more advice beyond that though.

Author

Commented:
We currently do not enable a firewall on the SBS, so we rely on the router/firewall. Can you recommend any strategy in locking down RWW, OWA or external firewall?
Distinguished Expert 2018
Commented:
If you don't use RWW, OWA, or Outlook Anywhere, then you can block incoming HTTP traffic completely (port 80).

For SMTP, unless you are using some form of SMTP relay, you have to let it in from all IP addresses so email can get delivered to you.

As long as you have a server on the internet, people will try to get into it. That is just a fact of life. Make sure you use strong passphrases (I like sentences, not just words) and are stringent in account lockout policies and most times you'll be fine. You just have to accept that these authentication warnings will show up. Part of being in the modern world.

Author

Commented:
One of the ideas I had for SMTP was that, since we forward all email to dyndns.com for spam filtering and then forward to SBS, is it possible to only accept SMTP from one IP? And is this a recommended config? Any other recommendations for when having this port open?

If I look on my Firewall/Router, I see that Port 80 is not enabled so am assuming that this is already blocked. Also ran a Shields Up and we are all secure on this port.

Author

Commented:
Thank you for your advice - after a server reboot the issue has not returned so will just have to monitor the security log for failures.