Many failure audits in my security event viewer

I was reviewing my event logs for one of my domain controllers and noticed a bunch of failure audits in the security event viewer.  I posted two of the many failed audits.  Is this a sign that someone is trying to hack into one of my servers?  I do not have a user name "accounting".  This server acts as a domain controller and VPN access.  It is in the DMZ zone on my router.  What can I do to prevent someone from hacking into my network?  Should I remove it from the DMZ?


Event Type:	Failure Audit
Event Source:	Security
Event Category:	Logon/Logoff 
Event ID:	529
Date:		5/3/2011
Time:		5:38:30 PM
User:		NT AUTHORITY\SYSTEM
Computer:	NIRA-SERVER4
Description:
Logon Failure:
 	Reason:		Unknown user name or bad password
 	User Name:	accounting
 	Domain:		NIRA
 	Logon Type:	10
 	Logon Process:	User32  
 	Authentication Package:	Negotiate
 	Workstation Name:	NIRA-SERVER4
 	Caller User Name:	NIRA-SERVER4$
 	Caller Domain:	NIRA
 	Caller Logon ID:	(0x0,0x3E7)
 	Caller Process ID:	5140
 	Transited Services:	-
 	Source Network Address:	216.139.85.217
 	Source Port:	62287



Event Type:	Failure Audit
Event Source:	Security
Event Category:	Account Logon 
Event ID:	672
Date:		5/3/2011
Time:		5:38:30 PM
User:		NT AUTHORITY\SYSTEM
Computer:	NIRA-SERVER4
Description:
Authentication Ticket Request:
 	User Name:		accounting
 	Supplied Realm Name:	NIRA
 	User ID:			-
 	Service Name:		krbtgt/NIRA
 	Service ID:		-
 	Ticket Options:		0x40810010
 	Result Code:		0x6
 	Ticket Encryption Type:	-
 	Pre-Authentication Type:	-
 	Client Address:		127.0.0.1
 	Certificate Issuer Name:	
 	Certificate Serial Number:	
 	Certificate Thumbprint:	


GreyHippoAsked:
nipponsoulCommented:
Which router do you have? You can set up VPN and allow your users to access your internal resource via VPN without exposing data anywhere.

I hope it is a firewall router , if not I really suggest you change it and get a FW one.

If it is not critical for your users to gain access to resources remotely then I would remove DC2 from the DMZ asap. Then sort out the VPN.

nipponsoulCommented:
So many things could be going on here...

krbtgt on the 2nd log is the Key Distribution Center service account.

Common causes of this event ID:
- Forgotten passwords, someone is entering the wrong password.
- An unauthorized individual is trying to gain access to the network.
- There is a persistent network connection with an invalid password.
- There is a service using a user account with an invalid password.
- Trust relationship has been broken.

Is that your only DC ? What roles does it have on?  Does it have a public IP? Do you have IIS running on it as well?

Can you describe your infrastructure a bit? Do you have a forest trust in place?

nipponsoulCommented:
Is it only username "accounting" or does the username change every attempt ?

Do you own a computer named "NIRA-SERVER4"?

nipponsoulCommented:
Can an administrator please edit and remove real Domain names and machines  from the logs and replies?
GreyHippoAuthor Commented:
The username changes every attempt.  Yes, the computer is ours; that is its name.
GreyHippoAuthor Commented:
We have two domain controllers.  The following roles are configured for the server in question: File Server, Application Server, Remote Access/VPN Server, Domain Controller and WSUS.  IIS is running.  It does not have a public IP address but it is in the router DMZ.  I am not sure what a forest trust is.

We have two servers acting as Domain Controllers, I will call them DC1 and DC2.  DC2 is the server in question.  DC1 has all other roles needed (DNS, DHCP,...).  We have a 3rd server, I will call it FS1, that acts as a file server and print server.
Leon FesterSenior Solutions ArchitectCommented:
Follow instructions from the lady above and let us know what you see.

If you're battling on your own then have a look at enabling debug logging on the Netlogon service of your Domain Controllers.
http://support.microsoft.com/kb/109626

Have a look at the log file mentioned in the doc and see if it sheds more light on the subject.
nipponsoulCommented:
The 672 on the second log doesn't worry me; it is Kerberos-related and internal. It is the Event ID 529 that is alerting, especially since the username changes.

I traced the IP in the log. Is it a familiar IP to you?

IP: 216.139.85.217
Host: sgames.maxenhost.com
Country: United States

I would really start tracking this down if I were you, to have evidence...

Is that your only DC?
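Turning the point above into a check that can be run over an exported Security log, as an added example that is not part of the original thread: the script below parses events in the text layout shown in the question, groups event 529 failures by Source Network Address, and flags a source that produces several failures in a short window, distinguishing one repeated user name (a forgotten password or stale saved credential) from many different names (account enumeration or password spraying). It also records whether the source is a public address and whether the failed logon type is 10, which is RemoteInteractive (Terminal Services/Remote Desktop), and it decodes the 672 Result Code 0x6 as KDC_ERR_C_PRINCIPAL_UNKNOWN, the KDC's answer for a principal that does not exist, which matches "I do not have a user name accounting". The extra user names, the internal address 192.168.1.20, the timings and the thresholds are constructed for this example; only the first 529 row and the 672 mirror the posted events.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

# Layout of the event 529 text shown in the question, trimmed to the fields this
# check reads. Rows filled in by build_sample() are constructed, except the
# first, which mirrors the posted event.
EVENT_529 = """Event ID:\t529
Date:\t\t5/3/2011
Time:\t\t{time}
Logon Failure:
 \tUser Name:\t{user}
 \tDomain:\t\tNIRA
 \tLogon Type:\t{ltype}
 \tSource Network Address:\t{ip}
 \tSource Port:\t{port}
"""
# The posted event 672, trimmed the same way.
EVENT_672 = """Event ID:\t672
Date:\t\t5/3/2011
Time:\t\t5:38:30 PM
 \tUser Name:\t\taccounting
 \tService Name:\t\tkrbtgt/NIRA
 \tResult Code:\t\t0x6
 \tClient Address:\t\t127.0.0.1
"""
# KDC error codes reported in the 672 "Result Code" field (subset).
KRB_RESULT = {"0x6": "KDC_ERR_C_PRINCIPAL_UNKNOWN: no such account in the domain",
              "0x18": "KDC_ERR_PREAUTH_FAILED: account exists, wrong password"}
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.*?)\s*$")


def parse_events(text):
    """Split exported event text (events separated by a blank line) into
    dicts keyed by field name, with a parsed datetime under "when"."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        ev = {}
        for line in chunk.splitlines():
            m = FIELD.match(line)
            if m:
                ev[m.group(1)] = m.group(2)
        if "Event ID" in ev:
            ev["when"] = datetime.strptime(ev["Date"] + " " + ev["Time"],
                                           "%m/%d/%Y %I:%M:%S %p")
            events.append(ev)
    return events


def detect_529_bursts(events, window=timedelta(minutes=10), min_failures=3):
    """Flag each source address with >= min_failures event-529 failures inside
    `window`. Many distinct user names from one source means enumeration or
    spraying, not a forgotten password. Logon type 10 is RemoteInteractive
    (Remote Desktop), so a public source with type 10 means RDP on this DC
    is reachable from the Internet."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["Event ID"] == "529":
            by_src[ev["Source Network Address"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["when"])
        for i, first in enumerate(evs):
            burst = [e for e in evs[i:] if e["when"] - first["when"] <= window]
            if len(burst) >= min_failures:
                users = sorted({e["User Name"].lower() for e in burst})
                alerts.append({"source": src, "count": len(burst), "users": users,
                               "kind": "enumeration/spray" if len(users) > 1 else "brute force",
                               "external": ip_address(src).is_global,
                               "rdp": any(e["Logon Type"] == "10" for e in burst)})
                break  # one alert per source is enough
    return alerts


def explain_672(ev):
    """Translate an event 672 Result Code into the KDC error it stands for."""
    code = ev.get("Result Code", "-")
    return KRB_RESULT.get(code, "unrecognised result code " + code)


def build_sample():
    """Constructed log: three failures for different names from the posted
    public IP within nine seconds, one stray internal failure, the posted 672."""
    t0 = datetime(2011, 5, 3, 17, 38, 30)
    rows = [("accounting", "216.139.85.217", 10, 62287, 0),
            ("administrator", "216.139.85.217", 10, 62301, 4),
            ("sales", "216.139.85.217", 10, 62310, 9),
            ("jsmith", "192.168.1.20", 3, 1044, 60)]
    parts = [EVENT_529.format(user=u, ip=ip, ltype=lt, port=p,
                              time=(t0 + timedelta(seconds=s))
                              .strftime("%I:%M:%S %p").lstrip("0"))
             for u, ip, lt, p, s in rows]
    return "\n".join(parts + [EVENT_672])


SAMPLE = build_sample()

if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    for alert in detect_529_bursts(evs):
        print(alert)
    print("672 result:", explain_672(evs[-1]))
```

Run as a file, it reports one alert for 216.139.85.217 (three names, external, RDP) and nothing for the single internal failure. To use it on a real log, pass parse_events() the text of a Security log exported in this layout; the window and min_failures thresholds are starting points to tune against what a normal day on the DC looks like.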
nipponsoulCommented:
What roles does DC2 have? And why is there a DC there? I cannot think of any reason why a DC server would be in a DMZ... If the intention was to allow internal and external users to use a web service in the DMZ, as well as internal users to be able to use their normal Windows account, then I partially understand LDAP, but with the use of ADFS... not placing a DC in the DMZ :/
GreyHippoAuthor Commented:
That IP is not familiar to me, nor are any of the usernames that are logging in using KRBTGT.

GreyHippoAuthor Commented:
I added DC2 to the DMZ so that users could have remote access.  Should I remove DC2 from the DMZ?
nipponsoulCommented:
It is NOT recommended to place enterprise user information in a DMZ.

DMZs are designed to serve as a neutral location (hence the name demilitarized zone) where public and private services meet. Traditional firewall implementations create three zones: an untrusted zone (typically the Internet, in the case of a border firewall), a trusted zone (the organization's intranet, and in this case where your DC1 is located) and a DMZ used to host public services and VPN access. So a DMZ provides a layer of isolation that protects the internal LAN systems from public exposure... so in this case the exact opposite happened.

Enterprise services that must be exposed to untrusted networks (usually web servers running IIS, FTP, ADFS, etc.) should be placed in the DMZ. With this setup, in the event of a compromise, internal users and systems have a firewall that protects them from an affected server. Placing enterprise users (who belong on the intranet) in the DMZ eliminates this layer of protection and puts them at risk from systems on the untrusted network.

So, you don't need a DC in the DMZ in order for your users to be able to have access remotely. As you said, you can just set up VPN.

Is there anything else in the DMZ? Any other server/service running? Because you don't necessarily need a DMZ to have VPN, although those two can co-exist if needed.

GreyHippoAuthor Commented:
I will remove DC2 from the DMZ.  

Can I keep the VPN on DC2?

How will the VPN need to be setup if the server is not in the DMZ?  Should I open another question?
GreyHippoAuthor Commented:
No nothing else is in the DMZ.
GreyHippoAuthor Commented:
I have a Linksys E2000 router, see link below.  I thought all routers act as a firewall.

http://www.linksysbycisco.com/EU/en/products/E2000

I removed DC2 from the DMZ