
Thread: Local Audit Policy/Security Event Viewer

  1. #1
    Junior Member
    Join Date
    Jun 2002
    Posts
    4

    Local Audit Policy/Security Event Viewer

    WindowsXP Pro, Admin Tools, Local Security Policy.

    I have changed the settings in the Audit Policy, setting Audit Account Log on Events and Audit Log on Events to report 'failures' in the Security Event Viewer.

    Now that I have done that, I have rather alarming failures reporting every 40 mins or so in my Security Event Viewer:

    Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Logon account: Chaz
    Source Workstation: HOME-*******
    Error Code: 0xC000006A

    Failure: EventID 680


    Next failure message:
    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: Chaz
    Domain: HOME-*******
    Logon Type: 2
    Logon Process: Advapi
    Authentication Package: Negotiate
    Workstation Name: HOME-********

    The same messages then appear for the other username set up in XP.

    The system is a stand-alone, connected by Broadband.

    The help & support center doesn't provide any information on the first event, and reports that someone is trying to log onto my network with the wrong password in the second event.

    I am logged into my account at the time of these multiple events being recorded.

    Is this coming from an outside source and what does it mean?

    Can anyone enlighten me if this is a breach taking place? Thanks.

  2. #2
    Senior Member
    Join Date
    Oct 2001
    Posts
    748

    Re: Local Audit Policy/Security Event Viewer

    Originally posted here by ChazJC
    WindowsXP Pro, Admin Tools, Local Security Policy.
    Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Logon account: Chaz
    Source Workstation: HOME-*******
    Error Code: 0xC000006A

    Failure: EventID 680


    Next failure message:
    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: Chaz
    Domain: HOME-*******
    Logon Type: 2
    Logon Process: Advapi
    Authentication Package: Negotiate
    Workstation Name: HOME-********

    What are the event IDs? I would say you either have a program on your machine that is scheduled to run at a regular interval and it has the wrong password (WinAT is bad about that), or someone is trying to guess your password. Do you have a firewall, etc.? If you want to verify for certain whether it is coming across the network or not, I would recommend using netmon to capture all the data coming into the machine.

    I'm not going to get into how to read netmon traces, you would have to learn TCP/IP for that.

  3. #3
    Senior Member
    Join Date
    Jan 2002
    Posts
    682
    regularly recurring event IDs often but not always indicate a misconfiguration or hardware issue...

    a type 2 logon is a local logon so if your boxes are secure physically it "probably" isn't something to get too worked up over...however...it's possible that a trojan or something like that is doing something locally that may generate this type of entry...anytime you see unusual events...it's always a good idea to run a complete av scan and trojan scan...once you're happy that your system is clean you can move on to diag-ing the problem...there's only about a million and six things that could be causing the event so it's pretty hard to diag from the info you've given.. but



    there are a couple of resources to check


    http://support.microsoft.com/default...;EN-US;q174073
    www.eventid.net
    http://is-it-true.org/nt/atips/atips155.shtml

    from what i see here...and it could be something else...but


    This: http://www.jsifaq.com/SUBJ/tip4700/rh4716.htm might be the issue


    try this and see what happens...

    Windows XP performs a limited logon for each account that is listed on the Welcome screen, so it knows whether to prompt for a password.
    If you don't want these events, disable the Welcome screen and use the Classic logon screen, or turn off auditing of logon/logoff events:

    1. Start / Run / gpedit.msc / OK.

    2. Navigate to Local Computer Policy \ Computer Configuration \ Windows Settings \ Security Settings \ Local Policy \ Audit Policy

    3. Double-click Audit logon events and clear the Success and Failure boxes.

    4. Press OK.


    fyi...

    logon type 3 is the one to watch for as this is a network logon

    and if you see:
    Event ID 529 : Unknown user name or bad password
    Event ID 530 : Logon time restriction violation
    Event ID 531 : Account disabled
    Event ID 532 : Account expired
    Event ID 533 : Workstation restriction - not allowed to logon at this computer
    Event ID 534 : Inadequate rights - as in user account attempting console login to server
    Event ID 535 : Password expired
    Event ID 536 : NetLogon service down
    Event ID 537 : unexpected error - the who knows ??? factor
    Event ID 539 : Logon Failure: Account locked out
    Event ID 627 : NT AUTHORITY\ANONYMOUS is trying to change a password
    Event ID 644 : User account Locked out

    these are the ones to really be concerned about...
    "I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson
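
The triage suggested in replies #2 and #3 (local type 2 versus network type 3 logons, and whether the failures recur on a schedule), as an added example that is not part of any post in this thread. The event text follows the layout quoted in post #1; the host name HOME-PC, the account Pat, all timestamps and the 10% jitter threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

LOGON_TYPES = {2: "interactive (local)", 3: "network"}
FIELD = re.compile(r"^\s*([^:\n]+):[ \t]*(.*)$", re.M)

# Constructed event text in the layout quoted in the thread (host name made up).
TEMPLATE = ("Logon Failure:\nReason: Unknown user name or bad password\n"
            "User Name: {user}\nDomain: HOME-PC\nLogon Type: {ltype}\n"
            "Logon Process: Advapi\nAuthentication Package: Negotiate\n"
            "Workstation Name: HOME-PC\n")

def parse_event(text):
    """Turn the 'Key: value' lines of one event description into a dict."""
    return {k.strip(): v.strip() for k, v in FIELD.findall(text)}

def triage(records, jitter=0.10):
    """Group (datetime, event text) failures by user and logon type."""
    groups = defaultdict(list)
    for when, text in records:
        ev = parse_event(text)
        groups[(ev["User Name"], int(ev["Logon Type"]))].append(when)
    report = {}
    for (user, ltype), times in groups.items():
        times.sort()
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        # Steady spacing (small spread relative to the mean gap) points at a timer.
        periodic = len(gaps) >= 2 and pstdev(gaps) <= jitter * mean(gaps)
        verdict = "review manually"
        if ltype == 3:
            verdict = "network logon: check firewall and source workstation"
        elif ltype == 2 and periodic:
            verdict = "local and periodic: check Welcome screen, scheduled tasks"
        report[(user, ltype)] = {
            "type": LOGON_TYPES.get(ltype, "other"), "count": len(times),
            "mean_gap_min": round(mean(gaps), 1) if gaps else None,
            "periodic": periodic, "verdict": verdict}
    return report

def sample_records():
    """Constructed data: two local accounts every ~40 min, one network burst."""
    at = lambda s: datetime.strptime("2002-06-10 " + s, "%Y-%m-%d %H:%M:%S")
    rows = [(t, u, 2) for u in ("Chaz", "Pat")
            for t in ("09:00:05", "09:40:07", "10:20:04", "11:00:06")]
    rows += [(t, "Administrator", 3) for t in ("09:03:10", "09:03:41", "09:31:02")]
    return [(at(t), TEMPLATE.format(user=u, ltype=l)) for t, u, l in rows]

if __name__ == "__main__":
    print(*triage(sample_records()).items(), sep="\n")
```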

  4. #4
    Junior Member
    Join Date
    Jun 2002
    Posts
    4
    Hi, thanks for the replies. I use Zone Alarm Pro, NAV 2002, The Cleaner, PestPatrol. The system is clean. The link to jsifaq.com explained pretty much what is happening here, nothing to be alarmed at after all. It did have me wondering though!

    Thanks for the links, they were very useful reading
