Logon attempts - Tons of failure audits in Event Viewer on Domain Controller (Server 2003)


Solution 1

Yes, someone is trying to brute-force their way into your server. Either they have a way to tell whether the login failed because of a nonexistent user or a wrong password, or they are trying an attack with random usernames and random passwords.

If you are confident that all your users have strong passwords, you could ignore this. You could also block the source addresses if there are only a handful of them, or change your network architecture so that you can only remote into that server from your LAN or VPN.

Solution 2

I think that our terminal server was left open to the outside and someone was attempting a dictionary attack. I'll shut off access from the outside in - as this should have been closed long ago.

Solution 3

Logon type 10 is a Remote Interactive logon attempt. So yes, these are attempts from outside entities to logon to the DC via Terminal Services. How is it that they can reach your DC?

http://www.windowsecurity.com/articles-tutorials/misc_network_security/Logon-Types.html
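Solution 3 identifies logon type 10 (Terminal Services) and Solution 1 suggests blocking the source addresses if there are only a handful. The script below is an added example and not code from the original thread: it parses events in the same key/value layout the question pastes from the Server 2003 Security log, groups the failed logons by logon type and source address, flags sources that are publicly routable, and pulls out Kerberos ticket requests that failed with Result Code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN, meaning the supplied user name does not exist in the domain), which is one way an attacker can tell a nonexistent user from a wrong password. The sample events are constructed for the example, modelled on the two records in the question, and the function names are my own.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample events, laid out like the Server 2003 Security-log
# entries quoted in the question (made-up records, not real log data).
SAMPLE_EVENTS = """\
Logon Failure:
Reason:     Unknown user name or bad password
User Name:  rout
Domain:     my Domain
Logon Type: 10
Logon Process:  User32
Authentication Package: Negotiate
Workstation Name:   my Server Hostname
Source Network Address: 213.88.247.2
Source Port:    3030

Logon Failure:
Reason:     Unknown user name or bad password
User Name:  roy
Domain:     my Domain
Logon Type: 10
Logon Process:  User32
Authentication Package: Negotiate
Workstation Name:   my Server Hostname
Source Network Address: 213.88.247.2
Source Port:    3031

Logon Failure:
Reason:     Unknown user name or bad password
User Name:  jsmith
Domain:     my Domain
Logon Type: 2
Logon Process:  User32
Authentication Package: Negotiate
Workstation Name:   my Server Hostname
Source Network Address: 192.168.1.25
Source Port:    0

Authentication Ticket Request:
User Name:      rosu
Supplied Realm Name:    my domain
Service Name:       krbtgt/my domain
Ticket Options:     0x40810010
Result Code:        0x6
Client Address:     127.0.0.1
"""

# "Key:   value" with the value optionally empty (the record title line).
FIELD = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")


def parse_events(text):
    """Split pasted log text into blank-line separated records and return one
    dict per record; the title line ("Logon Failure:") is stored under 'Event'."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        record = {}
        for i, line in enumerate(block.splitlines()):
            m = FIELD.match(line)
            if not m:
                continue
            key, value = m.groups()
            if i == 0 and value == "":
                record["Event"] = key
            else:
                record[key] = value
        if record:
            events.append(record)
    return events


def is_external(addr):
    """True for a publicly routable address; loopback and RFC 1918 count as internal."""
    try:
        return ipaddress.ip_address(addr).is_global
    except ValueError:
        return False  # '-' or a hostname: cannot classify, treat as not external


def summarize(events):
    """Aggregate failed logons by (logon type, source address), count distinct
    user names per source (many names from one address suggests a username
    dictionary rather than password guessing against one account), and list
    Kerberos AS requests that failed with 0x6, i.e. no such principal."""
    failures = Counter()
    users_per_source = defaultdict(set)
    unknown_principals = []
    for ev in events:
        if ev.get("Event") == "Logon Failure":
            key = (ev.get("Logon Type", "?"), ev.get("Source Network Address", "-"))
            failures[key] += 1
            users_per_source[key[1]].add(ev.get("User Name", "?"))
        elif ev.get("Event") == "Authentication Ticket Request" and ev.get("Result Code") == "0x6":
            unknown_principals.append((ev.get("User Name"), ev.get("Client Address")))
    external = sorted({addr for (_, addr) in failures if is_external(addr)})
    return {
        "failures": dict(failures),
        "distinct_users": {a: len(u) for a, u in users_per_source.items()},
        "external_sources": external,
        "unknown_principals": unknown_principals,
    }


if __name__ == "__main__":
    report = summarize(parse_events(SAMPLE_EVENTS))
    for (ltype, addr), n in sorted(report["failures"].items()):
        tag = "EXTERNAL" if addr in report["external_sources"] else "internal"
        print(f"logon type {ltype:>2}  {addr:<15} {tag:<8} failures={n} "
              f"distinct users={report['distinct_users'][addr]}")
    for user, addr in report["unknown_principals"]:
        print(f"Kerberos result 0x6 (no such principal): user={user} client={addr}")
```

The "external_sources" list is what you would feed to a firewall block rule if, as Solution 1 says, there are only a handful of them; a long or constantly changing list is the signal that the fix has to be architectural (no Terminal Services reachable from the Internet, and none at all on a domain controller) rather than per-address.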


Author: Samuel Pardee

Updated on September 18, 2022

Comments

  • Samuel Pardee (almost 2 years ago)

    This is what the event looks like, under Security logs. There are tons of them. Is someone trying to brute-force the network? This server is also used as a Terminal Services server. Thanks, any advice / help would be greatly appreciated.

    Authentication Ticket Request:

    User Name:      rosu
    Supplied Realm Name:    my domain
    User ID:            -
    Service Name:       krbtgt/my domain
    Service ID:     -
    Ticket Options:     0x40810010
    Result Code:        0x6
    Ticket Encryption Type: -
    Pre-Authentication Type:    -
    Client Address:     127.0.0.1
    Certificate Issuer Name:    
    Certificate Serial Number:  
    Certificate Thumbprint:
    

    Now, if you notice the user: for each event like this one, the user name changes, and they seem to be all alphabetical attempts if I sort by date. The IP here is internal on this one, but for most it is an outside IP such as 213.88.247.2. It seems the source port on the event changes as well. Take a look at another:

    Logon Failure:

    Reason:     Unknown user name or bad password
    User Name:  rout
    Domain:     my Domain
    Logon Type: 10
    Logon Process:  User32  
    Authentication Package: Negotiate
    Workstation Name:   my Server Hostname
    Caller User Name:   my Server Hostname$
    Caller Domain:  my Domain
    Caller Logon ID:    (0x0,0x3E7)
    Caller Process ID:  7576
    Transited Services: -
    Source Network Address: 213.88.247.2
    Source Port:    3030
    

    Hmm?

  • Samuel Pardee (almost 10 years ago)

    Terminal Services was enabled on the DC. Not good!