security event log

Dear Members,

Event log belonging to a exchange server (and a domain controller) recorded some activity which we consider as suspicious. Could you please tell me whether these logs belong to an attack (what type) or not.

Thanks and regards
oner_hamaliAsked:
Who is Participating?
 
milikadConnect With a Mentor Commented:
As far as event 4625 is concern it gets logged when access network and sharing center as it tries to check if guest account is enabled for network access. So can be ignored.

Additionally you can check this link

http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/ae9da10a-b4d2-4eda-ae6d-ad61b7b6ab79/
0
 
milikadCommented:
what is the event?
0
 
oner_hamaliAuthor Commented:
Enclosed in the reply, please find the logs.

--------------------------------------------------------------------------------------------


Audit Failure,1/26/2013 7:44:06 PM,Microsoft-Windows-Security-Auditing,4625,Logon,"An account failed to log on.

Subject:
      Security ID:            NULL SID
      Account Name:            -
      Account Domain:            -
      Logon ID:            0x0

Logon Type:                  3

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            EXCHANGE$
      Account Domain:            ******************

Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xc000006d
      Sub Status:            0xc000006a

Process Information:
      Caller Process ID:      0x0
      Caller Process Name:      -

Network Information:
      Workstation Name:      ******************
      Source Network Address:      ******************
      Source Port:            6841

Detailed Authentication Information:
      Logon Process:            NtLmSsp
      Authentication Package:      NTLM
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0

-------------------------------------------------------------------------------------------------------------------

Audit Failure,1/26/2013 7:48:35 PM,Microsoft-Windows-Security-Auditing,5152,Filtering Platform Packet Drop,"The Windows Filtering Platform has blocked a packet.

Application Information:
      Process ID:            0
      Application Name:      -

Network Information:
      Direction:            Inbound
      Source Address:            ******************
      Source Port:            80
      Destination Address:      ******************
      Destination Port:      7002
      Protocol:            6

Filter Information:
      Filter Run-Time ID:      68523
      Layer Name:            ICMP Error
      Layer Run-Time ID:      28"

-----------------------------------------------------------------------------------------------------------------

Audit Failure,1/26/2013 7:48:34 PM,Microsoft-Windows-Security-Auditing,5152,Filtering Platform Packet Drop,"The Windows Filtering Platform has blocked a packet.

Application Information:
      Process ID:            0
      Application Name:      -

Network Information:
      Direction:            Inbound
      Source Address:            ******************
      Source Port:            80
      Destination Address:      ******************
      Destination Port:      6999
      Protocol:            6

Filter Information:
      Filter Run-Time ID:      68523
      Layer Name:            ICMP Error
      Layer Run-Time ID:      28"
logs.txt
0
Free tool for managing users' photos in Office 365

Easily upload multiple users’ photos to Office 365. Manage them with an intuitive GUI and use handy built-in cropping and resizing options. Link photos with users based on Azure AD attributes. Free tool!

 
milikadCommented:
Hi
Event 5152 is indicating packet drop for ICMP
Check the firewall settings on the server. I  am assuming that you have exchange server installed on DC. If Exchnage is running on windows 2008/R2, then ensure that firewall service is running and if you have any third party firewall configured internally then check with the vendor
0
 
milikadCommented:
Check below link to check if you have WFP enabled on the server and disable the same and it will help. Event 5152 is seen if we have WFP enabled on the server

Enable IPsec and Windows Firewall Audit Events
http://technet.microsoft.com/en-us/library/cc754714.aspx
0
 
oner_hamaliAuthor Commented:
Firewall is running for domain, home, work profiles. This has the default settings, and the output from the command is included in the attached file.
audit-policy-output.txt
0
 
milikadCommented:
Let the windows firewall service be running, you can turn off firewall for all these 3 profiles
0
 
oner_hamaliAuthor Commented:
Another log for event 4625 is the following. Does this entail that a person is trying to probe the machine for file sharing or similar services and trying  to enter user name and password.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          1/26/2013 8:32:55 PM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      ******************
Description:
An account failed to log on.

Subject:
      Security ID:            NULL SID
      Account Name:            -
      Account Domain:            -
      Logon ID:            0x0

Logon Type:                  3

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            Administrator
      Account Domain:            *************

Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xc000006d
      Sub Status:            0xc000006a

Process Information:
      Caller Process ID:      0x0
      Caller Process Name:      -

Network Information:
      Workstation Name:      ******
      Source Network Address:      ********
      Source Port:            6909

Detailed Authentication Information:
      Logon Process:            NtLmSsp
      Authentication Package:      NTLM
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0
0
 
milikadCommented:
Check if if is coming from the specific IP only
Network Information:
      Workstation Name:      ******
      Source Network Address:      ********
      Source Port:            6909
and try to turn off that workstation and check if things are working fine.

even refer this,
The Security event that has Event ID 4625 does not contain the user account name on a computer that is running Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2
http://support.microsoft.com/kb/2157973
0
 
oner_hamaliAuthor Commented:
Thanks for the help.
0
All Courses

From novice to tech pro — start learning today.