How do you determine where attempts to access a DC are coming from?

Attempts are being made to access a DC. See attached. How can I determine where these attempts came from?

security
J.R. Sitman (IT Director) Asked:
Brian McDonald (IT Manager) Commented:
I'd try a DNS lookup to determine the IP and trace it through the network to an endpoint.
0
Brian McDonald (IT Manager) Commented:
Looks kind of like a brute force, might be an infected machine on the network?
0
J.R. Sitman (IT Director) Author Commented:
Can you walk me through doing a DNS lookup?
0
Brian McDonald (IT Manager) Commented:
The computer making the attempts will be listed in the security log on the DC.
0
Brian McDonald (IT Manager) Commented:
Open a command prompt on the DC and type

nslookup

A new prompt will show up.

Now type in the computer name making the attempts.

An IP will be returned.
0
J.R. Sitman (IT Director) Author Commented:
The computer making the attempts is the same computer it is trying to access. Nslookup shows the correct IP of the DC.
0
J.R. Sitman (IT Director) Author Commented:
I am running a virus scan now
0
Brian McDonald (IT Manager) Commented:
I'd look in the security log to confirm. The traffic looks like it's not resolving the caller; when it says "from *", it's trying to log on to the domain, so it makes sense the DC would be listed in the entry. Check the log and look for the logon type of the user.

Do you have any outside resources like Webmail or a VPN?

These entries could show up if an outside resource that uses AD authentication was getting hit on the web. In that case you'd have to close off access to the resource with a firewall, etc. It doesn't necessarily mean something is on your local network. I see this traffic a lot when people try to brute-force a VPN or OWA, for example.
1

J.R. Sitman (IT Director) Author Commented:
I looked at the log and all the Audits are Successful.

I did have an installation of SQL Server 2014 fail today. Could it be related?

We do not have Webmail or a VPN.
0
Brian McDonald (IT Manager) Commented:
Successful in the log just means it was able to audit the event. You need to look for the failed logins with logon type 3 (network logon) and find the caller computer name.

The speed of the requests and their variation look a lot like a brute-force dictionary-type attack. What other resources are on site that could be compromised? You could also run Wireshark on the DC to find the IP requesting the traffic, or start unplugging network ports until the traffic stops.

Are you sure there are no web-visible access points to your network (a website with a login, etc.) that would be using the DC for authentication?
0
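Brian's advice to look at the failed logons with logon type 3 and read off the caller computer name, worked through as an added example (this is not code from the thread). It pulls Security event 4625 from the DC, keeps the caller fields, groups them by logon type and source, and flags the pattern the asker reported, the DC's own name showing up as the caller with no source IP. The sample event XML, the host name spcala234.example.com and the user names are constructed for offline use; set $UseSample to $false on the DC to read the real log. The sub-status table uses the well-known NTSTATUS values that 4625 reports.

```powershell
# Added example, not part of the thread. Run as an administrator on the DC.
# Sample events below are constructed; they are not real log data.

# Well-known NTSTATUS sub-status values that 4625 reports as the failure reason.
$SubStatusNames = @{
    '0XC000006A' = 'bad password'
    '0XC0000064' = 'user name does not exist'
    '0XC0000234' = 'account locked out'
    '0XC0000072' = 'account disabled'
    '0XC000006F' = 'outside logon hours'
    '0XC0000070' = 'workstation restriction'
    '0XC0000071' = 'password expired'
    '0XC0000193' = 'account expired'
}

function ConvertFrom-LogonFailureXml {
    # Flattens the XML of one 4625 event (as returned by ToXml()) into an object.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $x = [xml]$EventXml
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[[string]$item.Name] = [string]$item.'#text' }
        $sub = ([string]$d['SubStatus']).ToUpper()
        $reason = if ($SubStatusNames.ContainsKey($sub)) { $SubStatusNames[$sub] } else { $sub }
        [pscustomobject]@{
            Time        = [datetime]$x.Event.System.TimeCreated.SystemTime
            Dc          = ([string]$x.Event.System.Computer -split '\.')[0].ToUpper()
            TargetUser  = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
            LogonType   = [int]$d['LogonType']
            Workstation = ([string]$d['WorkstationName']).ToUpper()
            IpAddress   = [string]$d['IpAddress']
            Reason      = $reason
        }
    }
}

function Get-LogonFailureSources {
    # Groups failures by logon type and caller. CallerIsSelf marks the thread's
    # symptom: workstation is the DC itself and there is no source address, so a
    # process on the DC (RDP with NLA, IIS, a local service) submitted the
    # credentials and 4625 cannot show the real client.
    param([Parameter(Mandatory, ValueFromPipeline)]$Failure)
    begin { $all = [System.Collections.Generic.List[object]]::new() }
    process { $all.Add($Failure) }
    end {
        $all | Group-Object LogonType, Workstation, IpAddress | ForEach-Object {
            $g = @($_.Group | Sort-Object Time)
            [pscustomobject]@{
                LogonType    = $g[0].LogonType
                Workstation  = $g[0].Workstation
                IpAddress    = $g[0].IpAddress
                Attempts     = $g.Count
                Users        = ($g.TargetUser | Sort-Object -Unique) -join ','
                Reasons      = ($g.Reason | Sort-Object -Unique) -join ','
                First        = $g[0].Time
                Last         = $g[-1].Time
                CallerIsSelf = ($g[0].Workstation -eq $g[0].Dc) -and ($g[0].IpAddress -in '-', '', '::1', '127.0.0.1')
            }
        } | Sort-Object Attempts -Descending
    }
}

function New-SampleLogonFailureXml {
    # Constructed 4625 event in the shape Get-WinEvent's ToXml() returns (assumed host name).
    param([string]$Time, [string]$User, [string]$Workstation, [string]$Ip, [string]$SubStatus)
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4625</EventID>
    <TimeCreated SystemTime="$Time"/><Computer>spcala234.example.com</Computer></System>
  <EventData>
    <Data Name="TargetUserName">$User</Data><Data Name="TargetDomainName">SPCALA</Data>
    <Data Name="Status">0xc000006d</Data><Data Name="SubStatus">$SubStatus</Data>
    <Data Name="LogonType">3</Data><Data Name="WorkstationName">$Workstation</Data>
    <Data Name="IpAddress">$Ip</Data><Data Name="IpPort">-</Data>
  </EventData>
</Event>
"@
}

$UseSample = $true   # set to $false on the DC to read the real Security log
if ($UseSample) {
    $xmlEvents = @(
        New-SampleLogonFailureXml '2019-05-02T13:00:01.0000000Z' 'administrator' 'SPCALA234' '-'          '0xc000006a'
        New-SampleLogonFailureXml '2019-05-02T13:00:02.0000000Z' 'admin'         'SPCALA234' '-'          '0xc0000064'
        New-SampleLogonFailureXml '2019-05-02T13:00:03.0000000Z' 'jsmith'        'SPCALA234' '-'          '0xc000006a'
        New-SampleLogonFailureXml '2019-05-02T13:05:00.0000000Z' 'jsmith'        'LAPTOP-07' '192.0.2.55' '0xc000006a'
    )
} else {
    $xmlEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-24) } |
        ForEach-Object { $_.ToXml() }
}

$sources = $xmlEvents | ConvertFrom-LogonFailureXml | Get-LogonFailureSources
$sources | Format-Table LogonType, Workstation, IpAddress, Attempts, Users, Reasons, First, Last, CallerIsSelf -AutoSize
if ($sources | Where-Object CallerIsSelf) {
    Write-Host 'Caller is the DC itself: find the service that accepted the connection (RDP, IIS, ...) and check the perimeter firewall; 4625 will not name the client.'
}
```

With the constructed sample the first row is the DC's own name with three attempts against three different user names and CallerIsSelf set, which is the shape a password-spray through a service on the DC produces; the LAPTOP-07 row shows what a caller that 4625 can actually name looks like. Note that 4625 is only written when failure auditing for Logon events is enabled, which is why the GPO step later in the thread was needed.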
J.R. Sitman (IT Director) Author Commented:
I did check the audit events for failed logins, however, I will check it closer.

Honestly, I have no idea if there are any visible access points.  I know all our wireless routers are secure.  

I do have Wireshark.  Not too familiar with it.  Any advice will be appreciated on how to run it and test.   Thanks
0
J.R. Sitman (IT Director) Author Commented:
Hopefully, you can help Thursday.
0
Naveen Sharma Commented:
Do you have RDP open to the Internet?

If you think it's from the Internet, turn on full logging on the firewall policy for any remote access services and you may be able to identify source IPs.

If it's internal, maybe Wireshark on a mirrored switch port.

How to track the source of failed logon attempts:
https://www.petenetlive.com/KB/Article/0001209

Audit the successful or failed logon and logoff attempts in the network using the audit policies:
https://www.lepide.com/blog/audit-successful-logon-logoff-and-failed-logons-in-activedirectory/
0
J.R. Sitman (IT Director) Author Commented:
I set up the GPOs. All of the failed login attempts are coming from the computer that is trying to be logged into, e.g. spcala234 is trying to log in to spcala234.

What should I do next?
0
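Naveen's question about RDP being open to the Internet, combined with the finding that every 4625 names the DC itself as the caller, points at the service that accepted the connection rather than at the Security log. As an added example (not part of the thread), the script below recovers the client address from the Remote Desktop service's own operational log, where event 131 records each accepted TCP connection with the client IP:port and event 140 records a failed logon with the client IP, and lists the sessions currently open on port 3389. It assumes Windows Server 2012 or later (the RdpCoreTS log and Get-NetTCPConnection both require it), is run as an administrator, and the sample events it runs on offline are constructed, not real log data; the IPv4 classification is RFC 1918 plus loopback and treats anything else (including IPv6) as external.

```powershell
# Added example, not part of the thread. Assumes Windows Server 2012 or later on the DC.
# Sample events below are constructed; set $UseSample to $false to read the real log.

function Test-PrivateIPv4 {
    # RFC 1918 and loopback ranges; anything else (including IPv6) is treated as external.
    param([Parameter(Mandatory)][string]$Ip)
    $o = $Ip -split '\.'
    if ($o.Count -ne 4) { return $false }
    ($o[0] -eq '10') -or ($o[0] -eq '127') -or
    ($o[0] -eq '192' -and $o[1] -eq '168') -or
    ($o[0] -eq '172' -and [int]$o[1] -ge 16 -and [int]$o[1] -le 31)
}

function ConvertFrom-RdpCoreTSEvent {
    # Pulls the IPv4 client address out of an RdpCoreTS 131/140 event message.
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        if ($Event.Message -match '\b(\d{1,3}(?:\.\d{1,3}){3})\b') {
            $ip = $Matches[1]
            $scope = if (Test-PrivateIPv4 $ip) { 'internal' } else { 'external' }
            $outcome = if ($Event.Id -eq 140) { 'bad credentials' } else { 'tcp connect' }
            [pscustomobject]@{ Time = $Event.TimeCreated; Id = $Event.Id; ClientIp = $ip; Scope = $scope; Outcome = $outcome }
        }
    }
}

# Constructed sample events in the shape Get-WinEvent returns (TimeCreated, Id, Message).
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2019-05-02T13:00:00'; Id = 131
        Message = 'The server accepted a new TCP connection from client 203.0.113.9:51234.' }
    [pscustomobject]@{ TimeCreated = [datetime]'2019-05-02T13:00:01'; Id = 140
        Message = 'A connection from the client computer with an IP address of 203.0.113.9 failed because the user name or password is not correct.' }
    [pscustomobject]@{ TimeCreated = [datetime]'2019-05-02T13:05:00'; Id = 131
        Message = 'The server accepted a new TCP connection from client 192.168.1.40:50011.' }
)

$UseSample = $true
if ($UseSample) {
    $events = $SampleEvents
} else {
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'
        Id        = 131, 140
        StartTime = (Get-Date).AddHours(-24)
    } -ErrorAction SilentlyContinue
}

# One row per client address: how many connections it opened and how many failed credential checks.
$events | ConvertFrom-RdpCoreTSEvent |
    Group-Object ClientIp, Scope |
    ForEach-Object {
        [pscustomobject]@{
            Client   = $_.Name
            Events   = $_.Count
            Failures = @($_.Group | Where-Object Outcome -eq 'bad credentials').Count
        }
    } |
    Sort-Object Events -Descending | Format-Table -AutoSize

# Sessions open against RDP right now, with the remote side classified.
Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction SilentlyContinue |
    Select-Object RemoteAddress, RemotePort,
        @{ n = 'Scope'; e = { if (Test-PrivateIPv4 $_.RemoteAddress) { 'internal' } else { 'external' } } }
```

On the constructed sample the external address 203.0.113.9 shows two events and one credential failure while 192.168.1.40 is an ordinary internal connection; an external row with a high failure count is the evidence to take to the firewall. The same approach applies to any other service that authenticates on the DC's behalf (IIS logs for OWA or a web application, the VPN appliance's own logs), since those services see the client address that 4625 does not.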
J.R. Sitman (IT Director) Author Commented:
I figured out how to use Wireshark.  However, with all the results it is displaying what am I looking for?
0
J.R. Sitman (IT Director) Author Commented:
Thanks.  We blocked port 3389 on the Firewall
0
Naveen Sharma Commented:
Glad to see your issue has been resolved.

Track the Source of Failed Logon Attempts:
http://expert-advice.org/active-directory/track-the-source-of-failed-logon-attempts-in-active-directory/
0