Local Audit Policy/Security Event Viewer
WindowsXP Pro, Admin Tools, Local Security Policy.
I have changed the settings in the Audit Policy, setting Audit Account Logon Events and Audit Logon Events to report 'failures' in the Security Event Viewer.
Now that I have done that, I have rather alarming failures reporting every 40 mins or so in my Security Event Viewer:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: Chaz
Source Workstation: HOME-*******
Error Code: 0xC000006A
Failure: EventID 680
Next failure message:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Chaz
Domain: HOME-*******
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: HOME-********
The same messages then appear for the other username set up in XP.
The system is a stand-alone, connected by Broadband.
The help & support center doesn't provide any information on the first event, and reports that someone is trying to log onto my network with the wrong password in the second event.
I am logged into my account at the time of these multiple events being recorded.
Is this coming from an outside source and what does it mean?
Can anyone enlighten me if this is a breach taking place? Thanks.
Re: Local Audit Policy/Security Event Viewer
Quote:
Originally posted here by ChazJC
WindowsXP Pro, Admin Tools, Local Security Policy.
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: Chaz
Source Workstation: HOME-*******
Error Code: 0xC000006A
Failure: EventID 680
Next failure message:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Chaz
Domain: HOME-*******
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: HOME-********
What are the event IDs? I would say you either have a program on your machine that is scheduled to run at a regular interval and it has the wrong password (WinAT is bad about that), or someone is trying to guess your password. Do you have a firewall, etc.? If you want to verify for certain whether it is coming across the network or not, I would recommend using netmon to capture all the data coming into the machine.
I'm not going to get into how to read netmon traces, you would have to learn TCP/IP for that.
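Added example, not part of the thread: a small Python triage of the two failure records quoted above, decoding the error code and logon type and checking whether the failures recur on a fixed timer, which is the "scheduled program with the wrong password" case the reply describes. The host name `HOME-PC`, the timestamps, and the function names are assumptions made for this example; the forum post masks the real host name and gives no exact times.

```python
from datetime import datetime

# Documented Windows logon types; 2, 4 and 5 start on the machine itself.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 10: "RemoteInteractive"}
LOCAL_TYPES = {2, 4, 5}
# NTSTATUS values that can appear in the "Error Code" field.
STATUS = {0xC000006A: "STATUS_WRONG_PASSWORD", 0xC0000064: "STATUS_NO_SUCH_USER"}

def parse_fields(text):
    """Turn the 'Name: value' lines of an event description into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip().lower()] = value.strip()
    return fields

def triage(text, local_host):
    """Summarise one failure record from the point of view of local_host."""
    f = parse_fields(text)
    out = {"account": f.get("logon account") or f.get("user name")}
    if "error code" in f:
        code = int(f["error code"], 16)
        out["status"] = STATUS.get(code, hex(code))
    if "logon type" in f:
        t = int(f["logon type"])
        out["logon_type"] = LOGON_TYPES.get(t, str(t))
        out["local_origin"] = t in LOCAL_TYPES
    # The workstation name is reported by the client, so treat a match as a
    # hint only; the logon type is the stronger signal.
    src = f.get("source workstation") or f.get("workstation name")
    out["source_is_this_host"] = bool(src) and src.upper() == local_host.upper()
    return out

def looks_scheduled(times, tolerance_s=120):
    """True when failures recur at a near-constant interval (timer-driven)."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return len(gaps) >= 2 and max(gaps) - min(gaps) <= tolerance_s

# Constructed sample input: "HOME-PC" stands in for the masked host name and
# the timestamps are invented to mimic "every 40 mins or so".
EVENT_680 = """Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: Chaz\nSource Workstation: HOME-PC\nError Code: 0xC000006A"""
EVENT_LOGON = """Logon Failure:\nReason: Unknown user name or bad password
User Name: Chaz\nDomain: HOME-PC\nLogon Type: 2\nLogon Process: Advapi
Authentication Package: Negotiate\nWorkstation Name: HOME-PC"""
TIMES = [datetime(2004, 1, 1, 9, 0, 0), datetime(2004, 1, 1, 9, 40, 20),
         datetime(2004, 1, 1, 10, 20, 5), datetime(2004, 1, 1, 11, 0, 30)]

if __name__ == "__main__":
    print(triage(EVENT_680, "HOME-PC"), triage(EVENT_LOGON, "HOME-PC"))
    print("timer-like recurrence:", looks_scheduled(TIMES))
```

A result of Interactive logon type, a source matching the local host, and a steady interval points at something running on the machine with a stale password; a Network logon type or a foreign source name is the case where a capture of inbound traffic is worth the effort.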