Local Audit Policy/Security Event Viewer

Printable View

June 16th, 2002, 09:37 PM
ChazJC

Local Audit Policy/Security Event Viewer

WindowsXP Pro, Admin Tools, Local Security Policy.

I have changed the settings in the Audit Policy, setting Audit Account Log on Events and Audit Log on Events to report 'failures' in the Security Event Viewer.

Now that I have done that, I have rather alarming failures reporting every 40 mins or so in my Security Event Viewer:

Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: Chaz
Source Workstation: HOME-*******
Error Code: 0xC000006A

Failure: EventID 680

Next failure message:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Chaz
Domain: HOME-*******
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: HOME-********

The same messages then appear for the other username set up in XP.

The system is a stand-alone, connected by Broadband.

The help & support center doesnt provide any information on the first event, and reports that someone is trying to log onto my network with the wrong password in the second event.

I am logged into my account at the time of these multiple events being recorded.

Is this coming from an outside source and what does it mean ? :confused:

Can anyone enlighten me if this is a breach taking place, thanks
June 19th, 2002, 04:46 PM
mohaughn

Re: Local Audit Policy/Security Event Viewer

Quote:

Originally posted here by ChazJC
WindowsXP Pro, Admin Tools, Local Security Policy.
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: Chaz
Source Workstation: HOME-*******
Error Code: 0xC000006A

Failure: EventID 680

Next failure message:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Chaz
Domain: HOME-*******
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: HOME-********

What are the event IDs? I would say you either have a program on your machine that is scheduled to run at a regular interval and it has the wrong password, WinAT is bad about that. Or, someone is trying to guess your password. Do you have a firewall, etc.. etc... If you want to verify for certain that it is coming across the network or not, I would recommend using netmon to capture all the data coming into the machine.

I'm not going to get into how to read netmon traces, you would have to learn TCP/IP for that.
June 19th, 2002, 06:30 PM
zigar

regularily recurring event id often but not always indicate a misconfiguration or hardware issue...

a type 2 logon is a local logon so if your boxes are secure physically it "probably" isn't something to get to worked up over...however...it's possible that a trojan or something like that is doing something locally that may generate this type of entry...anytime you see unusual events...it's always a good idea for a complete av scan and trojan scan...once you're happy that your system is clean you can move on to diag-ing the problem...there's only about a million and six things that could be causing the event so it's pretty hard to diag from the info you've given.. but

there a couple of resources to check

http://support.microsoft.com/default...;EN-US;q174073
www.eventid.net
http://is-it-true.org/nt/atips/atips155.shtml

from what i see here...and it could be something else...but

This: http://www.jsifaq.com/SUBJ/tip4700/rh4716.htm might be the issue

try this and see what happens...

Quote:

Windows XP performs a limited logon for each account that is listed on the Welcome screen, so it will knows whether to prompt for a password.
If you don't want these events, disable the Welcome screen and use the Classic logon screen, or turn off auditing of logon/logoff events:

1. Start / Run / gpedit.msc / OK.

2. Navigate to Local Computer Policy \ Computer Configuration \ Windows Settings \ Security Settings \ Local Policy \ Audit Policy

3. Double-click Audit logon events and clear the Success and Failure boxes.

4. Press OK.

fyi...

logon type 3 is the one to watch for as this is a network logon

and if you see:
Event ID 529 : Unknown user name or bad password
Event ID 530 : Logon time restriction violation
Event ID 531 : Account disabled
Event ID 532 : Account expired
Event ID 533 : Workstation restriction - not allowed to logon at this computer
Event ID 534 : Inadequate rights - as in user account attempting console login to server
Event ID 535 : Password expired
Event ID 536 : NetLogon service down
Event ID 537 : unexpected error - the who knows ??? factor
Event ID 539 : Logon Failure: Account locked out
Event ID 627 : NT AUTHORITY\ANONYMOUS is trying to change a password
Event ID 644 : User account Locked out

these are the ones to really be concerned about...
June 20th, 2002, 10:32 PM
ChazJC

Hi, thanks for the replies. I use Zone Alarm Pro, NAV 2002, The Cleaner, PestPatrol. The system is clean. The link to jsifaq.com explained pretty much what is happening here, nothing to be alarmed at afterall. It did have me wondering though!

Thanks for the links, they were very useful reading
:D