Solved

security event log

Posted on 2013-01-27
957 Views
Last Modified: 2013-02-07
Dear Members,

The event log of an Exchange server (and a domain controller) recorded some activity which we consider suspicious. Could you please tell me whether these logs belong to an attack (what type) or not?

Thanks and regards
Question by:oner_hamali
10 Comments
 
LVL 4

Expert Comment

by:milikad
ID: 38824028
what is the event?
0
 

Author Comment

by:oner_hamali
ID: 38824051
Enclosed in the reply, please find the logs.

--------------------------------------------------------------------------------------------


Audit Failure,1/26/2013 7:44:06 PM,Microsoft-Windows-Security-Auditing,4625,Logon,"An account failed to log on.

Subject:
      Security ID:            NULL SID
      Account Name:            -
      Account Domain:            -
      Logon ID:            0x0

Logon Type:                  3

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            EXCHANGE$
      Account Domain:            ******************

Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xc000006d
      Sub Status:            0xc000006a

Process Information:
      Caller Process ID:      0x0
      Caller Process Name:      -

Network Information:
      Workstation Name:      ******************
      Source Network Address:      ******************
      Source Port:            6841

Detailed Authentication Information:
      Logon Process:            NtLmSsp
      Authentication Package:      NTLM
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0

-------------------------------------------------------------------------------------------------------------------

Audit Failure,1/26/2013 7:48:35 PM,Microsoft-Windows-Security-Auditing,5152,Filtering Platform Packet Drop,"The Windows Filtering Platform has blocked a packet.

Application Information:
      Process ID:            0
      Application Name:      -

Network Information:
      Direction:            Inbound
      Source Address:            ******************
      Source Port:            80
      Destination Address:      ******************
      Destination Port:      7002
      Protocol:            6

Filter Information:
      Filter Run-Time ID:      68523
      Layer Name:            ICMP Error
      Layer Run-Time ID:      28"

-----------------------------------------------------------------------------------------------------------------

Audit Failure,1/26/2013 7:48:34 PM,Microsoft-Windows-Security-Auditing,5152,Filtering Platform Packet Drop,"The Windows Filtering Platform has blocked a packet.

Application Information:
      Process ID:            0
      Application Name:      -

Network Information:
      Direction:            Inbound
      Source Address:            ******************
      Source Port:            80
      Destination Address:      ******************
      Destination Port:      6999
      Protocol:            6

Filter Information:
      Filter Run-Time ID:      68523
      Layer Name:            ICMP Error
      Layer Run-Time ID:      28"
logs.txt
0
 
LVL 4

Expert Comment

by:milikad
ID: 38824068
Hi,
Event 5152 is indicating a packet drop for ICMP.
Check the firewall settings on the server. I am assuming that you have Exchange Server installed on the DC. If Exchange is running on Windows 2008/R2, then ensure that the firewall service is running, and if you have any third-party firewall configured internally then check with the vendor.
0
 
LVL 4

Expert Comment

by:milikad
ID: 38824074
Check the link below to see if you have WFP enabled on the server, and disable it; that will help. Event 5152 is seen if WFP is enabled on the server.

Enable IPsec and Windows Firewall Audit Events
http://technet.microsoft.com/en-us/library/cc754714.aspx
0
 
LVL 4

Accepted Solution

by:
milikad earned 1000 total points
ID: 38824088
As far as event 4625 is concerned, it gets logged when you access Network and Sharing Center, as it tries to check if the guest account is enabled for network access. So it can be ignored.

Additionally you can check this link

http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/ae9da10a-b4d2-4eda-ae6d-ad61b7b6ab79/
0
 

Author Comment

by:oner_hamali
ID: 38824103
Firewall is running for domain, home, work profiles. This has the default settings, and the output from the command is included in the attached file.
audit-policy-output.txt
0
 
LVL 4

Expert Comment

by:milikad
ID: 38824106
Let the Windows Firewall service keep running; you can turn off the firewall for all these 3 profiles.
0
 

Author Comment

by:oner_hamali
ID: 38824107
Another log for event 4625 is the following. Does this entail that a person is trying to probe the machine for file sharing or similar services and trying to enter a user name and password?

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          1/26/2013 8:32:55 PM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      ******************
Description:
An account failed to log on.

Subject:
      Security ID:            NULL SID
      Account Name:            -
      Account Domain:            -
      Logon ID:            0x0

Logon Type:                  3

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            Administrator
      Account Domain:            *************

Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xc000006d
      Sub Status:            0xc000006a

Process Information:
      Caller Process ID:      0x0
      Caller Process Name:      -

Network Information:
      Workstation Name:      ******
      Source Network Address:      ********
      Source Port:            6909

Detailed Authentication Information:
      Logon Process:            NtLmSsp
      Authentication Package:      NTLM
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0
0
 
LVL 4

Expert Comment

by:milikad
ID: 38824258
Check if it is coming from the specific IP only:
Network Information:
      Workstation Name:      ******
      Source Network Address:      ********
      Source Port:            6909
and try to turn off that workstation and check if things are working fine.

Even refer to this:
The Security event that has Event ID 4625 does not contain the user account name on a computer that is running Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2
http://support.microsoft.com/kb/2157973
0
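As an added example (not code from the thread or its participants), a small Python triage of exported 4625 text like the records posted above: it parses each record into fields, groups failures by Source Network Address as the last comment suggests, and separates machine-account noise (EXCHANGE$) from network logons against Administrator and repeated failures from one source. The sample log, the address 10.0.0.5 and the threshold are constructed.

```python
import re
from collections import defaultdict
# Constructed sample (placeholder address, fields trimmed to those read below); layout follows the thread's 4625 text.
SAMPLE_LOG = '''\
Audit Failure,1/26/2013 7:44:06 PM,Microsoft-Windows-Security-Auditing,4625,Logon,"An account failed to log on.
      Account Name:            -
Logon Type:                  3
Account For Which Logon Failed:
      Account Name:            EXCHANGE$
      Sub Status:            0xc000006a
      Source Network Address:      10.0.0.5
      Authentication Package:      NTLM"
Audit Failure,1/26/2013 8:32:55 PM,Microsoft-Windows-Security-Auditing,4625,Logon,"An account failed to log on.
Logon Type:                  3
      Account Name:            Administrator
      Sub Status:            0xc000006a
      Source Network Address:      10.0.0.5
      Authentication Package:      NTLM"
'''

def parse_4625(text):
    """Split exported Security log text into 4625 records ({field: value}); a repeated
    field ('Account Name' under Subject and under the failed account) keeps its last value."""
    records = []
    for chunk in re.split(r"^(?=Audit Failure,)", text, flags=re.M):
        if ",4625," not in chunk:
            continue
        fields = {}
        for line in chunk.splitlines()[1:]:  # [0] is the CSV header line
            key, sep, value = line.partition(":")
            if sep and value.strip():
                fields[key.strip()] = value.strip().rstrip('"')  # drop closing CSV quote
        records.append(fields)
    return records

def triage(records, threshold=5):
    """Group failures by source address and flag what merits a closer look."""
    by_src = defaultdict(lambda: {"count": 0, "accounts": set(), "flags": set()})
    for r in records:
        e = by_src[r.get("Source Network Address", "-")]
        acct = r.get("Account Name", "-")
        e["count"] += 1
        e["accounts"].add(acct)
        if acct.endswith("$"):  # machine account, e.g. EXCHANGE$: the accepted answer treats this as ignorable noise
            e["flags"].add("machine-account noise")
        elif acct.lower() == "administrator" and r.get("Logon Type") == "3":
            e["flags"].add("network logon failure against Administrator")
        if e["count"] >= threshold:
            e["flags"].add("repeated failures from one source: possible guessing")
    return dict(by_src)
```

Exporting the real events as text (for example from Event Viewer) and feeding the file to parse_4625 gives the per-source view the last comment asks for, without touching the logs by hand.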
 

Author Comment

by:oner_hamali
ID: 38865658
Thanks for the help.
0
