Re: Weird Windows logon attempts

> Hi All,

> We have just setup ntsyslog from sourceforge.net. Our security policy is to log

You should see same logs in your server's event log.

> Has anyone seen this? They are 2k/XP boxes. Does Windows 2k/XP automagically try

Can you maybe confirm that problem is happening only when users work on Windows XP boxes ?

> Feb 22 13:27:49 exchange.auckland.ac.nz/exchange.auckland.ac.nz
> security[failure] 681 NT AUTHORITY\SYSTEM The logon to account: USERNAME by:
> MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: G731-220-4 failed. The
> error code was: 3221225572

<You probably knew this>
This indicates that even 681 occured (failed logon attempt). Error code was 3221225572, which translated in hexadecimal is 0xC0000064: User logon with misspeled or bad user account (this confirms user don't have account on target machine).
</You probably knew this>

Basically, you should check on both machines (server and client here) what's happening.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

I had similar problem, but only with Windows XP machines. Solution was to switch off the setting in the Explorer for Automatic discovery of network folders and shares.
(Tools->Folder Options->View->Advanced). If this is not switched off, when user clicks on My Network places, his computer tries to get shared resources list of all computers on the LAN.

Other problem with this, besides it's filling your logs on servers, is that if you have some Pre-Win2K machines on the network, XP will transmit it's password to those machines as well. It will transmit LM hash which is weak. You can disable Windows XP generating LM hash by modifying following registry key:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash

it's value should be set to 1 (REG_DWORD). More info about this at: http://www.sans.org/top20/#W6

Best regards,

Bojan Zdrnja

<Pre>Lose another weekend managing your IDS? Take back your personal time.
15-day free trial of StillSecure Border Guard.</Pre> <A href="http://www.securityfocus.com/stillsecure"> http://www.securityfocus.com/stillsecure </A> Received on Mon Feb 24 17:10:33 2003