Re: Weird Windows logon attempts

From: Bojan Zdrnja (bojan.zdrnjaat_private)
Date: Mon Feb 24 2003 - 01:07:55 PST


> Hi All,

> We have just set up ntsyslog from sourceforge.net. Our security policy is to log
> events on failure and we have just started seeing the below events. After
> talking with the users we are pretty sure that they are not attempting to access
> the services. And they don't have accounts on that system.
    
You should see the same logs in your server's event log.
    
> Has anyone seen this? They are 2k/XP boxes. Does Windows 2k/XP automagically try
> to find out what services are accessible?
> Any insight would be great.
    
Can you maybe confirm that the problem is happening only when users work on
Windows XP boxes?
    
> Feb 22 13:27:49 exchange.auckland.ac.nz/exchange.auckland.ac.nz
> security[failure] 681 NT AUTHORITY\SYSTEM  The logon to account: USERNAME  by:
> MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  from workstation: G731-220-4  failed. The
> error code was: 3221225572
    
<You probably knew this>
This indicates that event 681 occurred (failed logon attempt).
The error code was 3221225572, which translated to hexadecimal is 0xC0000064:
user logon with a misspelled or bad user account (this confirms the user doesn't
have an account on the target machine).
</You probably knew this>
    
Basically, you should check on both machines (server and client here) what's
happening.
    
I had a similar problem, but only with Windows XP machines.
The solution was to switch off the setting in Explorer for automatic discovery
of network folders and shares.
(Tools->Folder Options->View->Advanced).
If this is not switched off, when a user clicks on My Network Places, his
computer tries to get the shared resources list of all computers on the LAN.
    
Another problem with this, besides its filling your logs on servers, is that
if you have some pre-Win2K machines on the network, XP will transmit its
password to those machines as well. It will transmit the LM hash, which is weak.
You can disable Windows XP generating the LM hash by modifying the following
registry key:
    
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash
    
Its value should be set to 1 (REG_DWORD).
More info about this at: http://www.sans.org/top20/#W6
    
    
Best regards,

Bojan Zdrnja
    
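As an added example (not part of the post and not ntsyslog's own code), here is a small Python parser for the ntsyslog line format quoted above: it pulls out the event ID, account and workstation, converts the decimal error code to its NTSTATUS hex value, and counts failures per workstation so the share-discovery noise described in the reply can be told apart from repeated wrong-password attempts. The server hostname, the second and third log lines and the account names are constructed; the NTSTATUS meanings other than 0xC0000064 are the standard values for those codes.

```python
import re
from collections import Counter

# NTSTATUS codes: 0xC0000064 is the one in the quoted log; the others are standard values.
NTSTATUS = {
    0xC0000064: "no such user (misspelled or non-existent account)",
    0xC000006A: "wrong password",
    0xC0000234: "account locked out",
}

# Matches the ntsyslog event 681 line quoted in the post (assumed to arrive unwrapped).
EVENT_RE = re.compile(
    r"security\[failure\]\s+(?P<event>\d+)\s+.*?The logon to account:\s+"
    r"(?P<account>\S+)\s+by:\s+\S+\s+from workstation:\s+(?P<workstation>\S+)"
    r"\s+failed\.\s+The error code was:\s+(?P<code>\d+)"
)

def parse_event(line):
    """Return the fields of a 681 failure line, or None if the line does not match."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    code = int(m.group("code"))  # ntsyslog writes the NTSTATUS as an unsigned decimal
    return {
        "event": int(m.group("event")),
        "account": m.group("account"),
        "workstation": m.group("workstation"),
        "code_hex": f"0x{code:08X}",
        "meaning": NTSTATUS.get(code, "unknown NTSTATUS"),
    }

def summarize(lines):
    """Count event 681 failures per (workstation, code): 0xC0000064 spread over
    many workstations fits the XP share-discovery noise described in the post."""
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev and ev["event"] == 681:
            counts[(ev["workstation"], ev["code_hex"])] += 1
    return counts

def sample_line(ts, account, workstation, code):
    return (f"{ts} srv1 security[failure] 681 NT AUTHORITY\\SYSTEM  The logon to "
            f"account: {account}  by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  from "
            f"workstation: {workstation}  failed. The error code was: {code}")

SAMPLE = [  # constructed sample lines in the quoted format; hostname "srv1" is invented
    sample_line("Feb 22 13:27:49", "USERNAME", "G731-220-4", 3221225572),
    sample_line("Feb 22 13:28:02", "USERNAME", "G731-220-4", 3221225572),
    sample_line("Feb 22 13:30:11", "jdoe", "WS-17", 3221225578),
]
```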
This archive was generated by hypermail 2b30 : Mon Feb 24 2003 - 14:08:58 PST