Solved

Server SBS Essentials 2011 - Security Errors

Posted on 2012-03-14
804 Views
Last Modified: 2013-12-02
Hello

I have noticed that in Event Viewer on our SBS Essentials 2011, under the Security log, there are thousands of "An account failed to log on" events.

I cleared the log on Monday evening (4.30pm); when I looked today there were lots of failed logins. I'm unsure how to go from here.

I have attached just two of the errors below.

An account failed to log on.

Subject:
	Security ID:		SYSTEM
	Account Name:		AMW12$
	Account Domain:		AMWLTD
	Logon ID:		0x3e7

Logon Type:			10

Account For Which Logon Failed:
	Security ID:		NULL SID
	Account Name:		test1
	Account Domain:		AMW12

Failure Information:
	Failure Reason:		Unknown user name or bad password.
	Status:			0xc000006d
	Sub Status:		0xc0000064

Process Information:
	Caller Process ID:	0x41b8
	Caller Process Name:	C:\Windows\System32\winlogon.exe

Network Information:
	Workstation Name:	AMW12
	Source Network Address:	41.145.62.254
	Source Port:		40628

Detailed Authentication Information:
	Logon Process:		User32 
	Authentication Package:	Negotiate
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
	- Transited services indicate which intermediate services have participated in this logon request.
	- Package name indicates which sub-protocol was used among the NTLM protocols.
	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

An account failed to log on.

Subject:
	Security ID:		SYSTEM
	Account Name:		AMW12$
	Account Domain:		AMWLTD
	Logon ID:		0x3e7

Logon Type:			10

Account For Which Logon Failed:
	Security ID:		NULL SID
	Account Name:		administrator
	Account Domain:		AMW12

Failure Information:
	Failure Reason:		Unknown user name or bad password.
	Status:			0xc000006d
	Sub Status:		0xc0000064

Process Information:
	Caller Process ID:	0x41e4
	Caller Process Name:	C:\Windows\System32\winlogon.exe

Network Information:
	Workstation Name:	AMW12
	Source Network Address:	186.92.147.174
	Source Port:		63623

Detailed Authentication Information:
	Logon Process:		User32 
	Authentication Package:	Negotiate
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0


Paul

Question by: PBComputer
9 Comments

Assisted Solution by Andrew Davis (LVL 18), earned 250 total points
ID: 37719986
Looks like a hacker is trying to get access. Check what ports you have forwarded.

Note both attempts are logon type 10.
Logon Type 10 – RemoteInteractive

When you access a computer through Terminal Services, Remote Desktop or Remote Assistance windows logs the logon attempt with logon type 10 which makes it easy to distinguish true console logons from a remote desktop session. Note however that prior to XP, Windows 2000 doesn’t use logon type 10 and terminal services logons are reported as logon type 2.
from http://www.windowsecurity.com/articles/logon-types.html

Firstly, do you require RDP access from outside your network? If so, I would port shift it: block 3389 at the router and use a different port number. If users are using RDP then this is a little difficult, as they won't get how to connect via a different port, so if you have a decent router then you should be able to limit the external IP addresses that can access the port.

Note 41.145.62.254 is coming from South Africa (see http://www.dnsgoodies.com/index.htm)
and 186.92.147.174 is coming from Mexico.

You can look up your country's IP addresses and then limit to those only if your situation allows.

Otherwise a high-end router can have rules to limit the amount of connections and dynamically create blacklists.

Hope that helps.
PS: As I work with Terminal Servers (RDP connections) I see this regularly, and they tend to give up soon enough as they realise that they can't get in. Just make sure that you have good password policies and that the administrator accounts are as locked down as you can make them. I always rename the administrator account so there is no account whose username is administrator. Make it as hard as you can. You could also enter those IP addresses into your router's block list, and you could enter subnets to block the entire ISP they are coming from, but hackers tend to bounce around so it can be hard to keep up.

Cheers
Andrew
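The two events Paul pasted and Andrew's point about Logon Type 10 can be turned into a quick triage over the pasted text. The script below is an added example for this thread, not code from the question, the answers, or Microsoft. It reproduces the two question events in a trimmed, constructed template (same tab layout Event Viewer uses), adds two constructed events for contrast (a repeat from 41.145.62.254 guessing "admin", and a LAN user "paul" at 192.168.1.20 mistyping a password), and then groups failures per source address, marking any routable source that produced RemoteInteractive (type 10) failures. The logon type names and 4625 sub-status meanings are the documented Windows values.

```python
"""Triage helper for Windows Security event 4625 ("An account failed to log on").

Added example for this thread, not code from the question or the answers.
It parses 4625 text in the layout Event Viewer produces, then groups the
failures by source address so that external Logon Type 10 (RemoteInteractive,
i.e. RDP) password guessing stands out from an ordinary LAN user's typo.
"""
import ipaddress
import re
from collections import defaultdict

# Logon type names and 4625 sub-status meanings as documented by Microsoft.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}
SUB_STATUS = {0xC0000064: "user name does not exist",
              0xC000006A: "wrong password",
              0xC0000072: "account disabled",
              0xC0000234: "account locked out"}

# Constructed event text in Event Viewer's 4625 layout (tabs as pasted in the
# question), trimmed to the fields this parser reads.
EVENT_TEMPLATE = """\
An account failed to log on.

Subject:
\tSecurity ID:\t\tSYSTEM
\tAccount Name:\t\tAMW12$

Logon Type:\t\t\t{logon_type}

Account For Which Logon Failed:
\tSecurity ID:\t\tNULL SID
\tAccount Name:\t\t{account}

Failure Information:
\tSub Status:\t\t{sub_status}

Network Information:
\tSource Network Address:\t{source_ip}
\tSource Port:\t\t{port}

"""

def constructed_sample():
    """The two events from the question plus two constructed ones for contrast."""
    rows = [
        ("test1", 10, "0xc0000064", "41.145.62.254", 40628),          # from the question
        ("administrator", 10, "0xc0000064", "186.92.147.174", 63623),  # from the question
        ("admin", 10, "0xc0000064", "41.145.62.254", 40911),           # constructed: same source again
        ("paul", 3, "0xc000006a", "192.168.1.20", 49153),              # constructed: LAN user, bad password
    ]
    return "".join(EVENT_TEMPLATE.format(account=a, logon_type=t, sub_status=s,
                                         source_ip=ip, port=p) for a, t, s, ip, p in rows)

_FIELDS = {
    "logon_type": re.compile(r"Logon Type:\s*(\d+)"),
    # The Subject block has its own Account Name; only the one under
    # "Account For Which Logon Failed" is the account that was guessed.
    "account": re.compile(r"Account For Which Logon Failed:.*?Account Name:\s*(\S+)", re.S),
    "sub_status": re.compile(r"Sub Status:\s*(0x[0-9a-fA-F]+)"),
    "source_ip": re.compile(r"Source Network Address:\s*(\S+)"),
}

def parse_events(text):
    """Split pasted 4625 text into one dict per event."""
    events = []
    for chunk in text.split("An account failed to log on.")[1:]:
        fields = {}
        for name, rx in _FIELDS.items():
            m = rx.search(chunk)
            fields[name] = m.group(1) if m else None
        if fields["logon_type"] is None:
            continue  # not a 4625 body in the expected layout
        fields["logon_type"] = int(fields["logon_type"])
        fields["sub_status"] = int(fields["sub_status"], 16) if fields["sub_status"] else None
        events.append(fields)
    return events

def is_external(ip_text):
    """True for a routable address; '-' (no network info), RFC1918 and loopback count as local."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)

def summarize(events):
    """Group failures by source address and flag external RemoteInteractive sources."""
    per_ip = defaultdict(lambda: {"failures": 0, "accounts": set(),
                                  "logon_types": set(), "reasons": set()})
    for ev in events:
        s = per_ip[ev["source_ip"]]
        s["failures"] += 1
        s["accounts"].add(ev["account"])
        s["logon_types"].add(ev["logon_type"])
        code = ev["sub_status"]
        s["reasons"].add(SUB_STATUS.get(code, hex(code)) if code is not None else "unknown")
    for ip, s in per_ip.items():
        s["external"] = is_external(ip)
        s["suspicious"] = s["external"] and 10 in s["logon_types"]
    return dict(per_ip)

if __name__ == "__main__":
    for ip, s in sorted(summarize(parse_events(constructed_sample())).items(),
                        key=lambda kv: -kv[1]["failures"]):
        types = ", ".join(LOGON_TYPES.get(t, str(t)) for t in sorted(s["logon_types"]))
        flag = "SUSPICIOUS" if s["suspicious"] else ("external" if s["external"] else "local")
        print(f"{ip:16} {s['failures']:4} failures  {types:18} {flag:10} "
              f"accounts={sorted(s['accounts'])} reasons={sorted(s['reasons'])}")
```

On a real log, paste the full text of many 4625 events (or the output of Event Viewer's export) into the script in place of the constructed sample; the split marker and field patterns are the same. A source that is routable, hits Logon Type 10 and cycles through names that do not exist (sub status 0xC0000064) is the pattern Andrew describes, whereas a LAN source failing with 0xC000006A on a real user name is usually just a mistyped password.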
 
Accepted Solution by sivanov (LVL 4), earned 250 total points
ID: 37720034
http://support.microsoft.com/kb/2514286 - did you check this?

I was not able to see what the event ID is. Is it 4625?

Resolved this issue by (re)setting the Local Security Policy property "Network Access: Sharing and security model for local accounts", found under "Security Options", back to its default setting of "Classic - local users authenticate as themselves". It had been changed to "Guest only - local users authenticate as Guest", which caused the EID 4625, NULL user etc. when logging in via RDP.

Expert Comment by Andrew Davis (LVL 18)
ID: 37720071
Just noticed that it appears the attempts are coming from multiple ports. Is this server sitting in the DMZ of your router? If so, that is a really bad idea. Put the server behind an edge firewall router.

Cheers

Author Comment by PBComputer (LVL 1)
ID: 37720072
Thanks. RDP is only used by support to log in to the server, not end users. I guess a fix could be to change the RDP port, change it in the firewall and only enable the service when needed, as TeamViewer and LMIR are used mainly for remote access.
 
Expert Comment by Andrew Davis (LVL 18)
ID: 37720106
Sounds like a plan to me.

Like you, I always have a secondary method of access in case one service fails. But I would recommend port shifting where possible, and limiting the access IPs if you can.

Country ip address ranges can be found here http://www.ipaddresslocation.org/ip_ranges/get_ranges.php

Cheers

Author Comment by PBComputer (LVL 1)
ID: 37720198
Hello

I've shirted the ports (not the VPN port) and disabled RDP and a few inactive user accounts.

Expert Comment by Andrew Davis (LVL 18)
ID: 37720213
Cool. You don't want ports without any shirts on ;)

Expert Comment by Andrew Davis (LVL 18)
ID: 37728331
Thanks for the points Paul. Not sure how I only ended up with an Assist and not an Accepted, but not that bothered.

Cheers
Andrew

Author Comment by PBComputer (LVL 1)
ID: 37728337
@AndrewJDavis I thought I had accepted your result. Sorry about that.