Logon attempts - Tons of failure audits in Event Viewer on Domain Controller (Server 2003)
Solution 1
Yes, someone is trying to brute their way into your server. Either they have a way to tell whether the login failed for a nonexistent user or for a wrong password, or they are trying an attack with random usernames and random passwords.
If you are confident that all your users have strong passwords, you could ignore this. You could also block the source addresses if there are only a handful of them, or change your network architecture so that you can only remote into that server from your LAN or VPN.
Solution 2
I think that our terminal server was left open to the outside and someone was attempting a dictionary attack. I'll shut off access from the outside in - as this should have been closed long ago.
Solution 3
Logon type 10 is a Remote Interactive logon attempt. So yes, these are attempts from outside entities to log on to the DC via Terminal Services. How is it that they can reach your DC?
http://www.windowsecurity.com/articles-tutorials/misc_network_security/Logon-Types.html
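Solution 1 suggests blocking the source addresses if there are only a handful, and Solution 3 points out that logon type 10 identifies Terminal Services attempts. The script below is an added example, not code from the question or any of the answers: it parses Server 2003 Security-log events exported as text in Event Viewer's one-field-per-line layout (the two event kinds shown in the question), groups failures by source address, checks whether the usernames walk a list alphabetically as the asker noticed, and lists the public addresses that would be candidates for a firewall block. The sample events are constructed: the addresses 213.88.247.2 and 127.0.0.1 come from the question, while the usernames other than rosu and rout, the ports, the domain MYDOMAIN and the hostname DC1 are made up.

```python
"""Summarise failed-logon events from a Server 2003 DC Security log (added example)."""
import ipaddress
from collections import defaultdict

# Assumed layout: one "Key: value" field per line, first line names the event kind.
# Logon types a defender meets most often (from Microsoft's documented list).
LOGON_TYPE_NAMES = {"2": "Interactive", "3": "Network", "10": "RemoteInteractive (Terminal Services)"}


def logon_failure(user, addr, port):
    """Build a constructed 'Logon Failure' event body in the Server 2003 layout."""
    return (
        "Logon Failure:\nReason: Unknown user name or bad password\n"
        f"User Name: {user}\nDomain: MYDOMAIN\nLogon Type: 10\nLogon Process: User32\n"
        "Authentication Package: Negotiate\nWorkstation Name: DC1\nCaller User Name: DC1$\n"
        "Caller Domain: MYDOMAIN\nCaller Logon ID: (0x0,0x3E7)\nCaller Process ID: 7576\n"
        f"Transited Services: -\nSource Network Address: {addr}\nSource Port: {port}"
    )


# Constructed sample log: four attempts in alphabetical order from the outside
# address, one Kerberos failure seen from loopback, and one stray internal failure.
SAMPLE_EVENTS = [
    logon_failure("rosu", "213.88.247.2", 3029),
    logon_failure("rout", "213.88.247.2", 3030),
    logon_failure("rowe", "213.88.247.2", 3031),
    logon_failure("roy", "213.88.247.2", 3032),
    "Authentication Ticket Request:\nUser Name: rosu\nSupplied Realm Name: MYDOMAIN\n"
    "User ID: -\nService Name: krbtgt/MYDOMAIN\nService ID: -\nTicket Options: 0x40810010\n"
    "Result Code: 0x6\nTicket Encryption Type: -\nPre-Authentication Type: -\n"
    "Client Address: 127.0.0.1\nCertificate Issuer Name:\nCertificate Serial Number:\n"
    "Certificate Thumbprint:",
    logon_failure("jdoe", "192.168.1.20", 1055),  # constructed internal address
]


def parse_event(text):
    """Turn one event body into a dict; 'Event' holds the kind named on the first line."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    event = {"Event": lines[0].rstrip(":")}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        event[key.strip()] = value.strip()
    return event


def is_failure(event):
    """Logon Failure events always are; Kerberos requests fail when the result code is non-zero
    (0x6 is KDC_ERR_C_PRINCIPAL_UNKNOWN: no such account in the domain)."""
    if event["Event"] == "Logon Failure":
        return True
    return event["Event"] == "Authentication Ticket Request" and event.get("Result Code", "0x0") != "0x0"


def source_of(event):
    """The two event kinds carry the client address under different field names."""
    return event.get("Source Network Address") or event.get("Client Address") or "unknown"


def summarize(event_texts):
    """Map each source address to the usernames it failed with, in log order."""
    by_source = defaultdict(list)
    for text in event_texts:
        ev = parse_event(text)
        if is_failure(ev):
            by_source[source_of(ev)].append(ev.get("User Name", ""))
    return dict(by_source)


def looks_like_wordlist(users, minimum=3):
    """True when distinct usernames arrive in alphabetical order, i.e. a list is being walked."""
    distinct = list(dict.fromkeys(users))
    return len(distinct) >= minimum and distinct == sorted(distinct)


def block_candidates(event_texts, threshold=3):
    """Public, non-loopback sources with at least `threshold` failures: the 'handful of
    addresses' worth blocking at the perimeter. Loopback is skipped because a Kerberos
    request with Client Address 127.0.0.1 was issued by the DC's own logon process and
    does not name the remote client; the matching Logon Failure event does."""
    out = []
    for addr, users in summarize(event_texts).items():
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue
        if ip.is_loopback or ip.is_private:
            continue
        if len(users) >= threshold:
            out.append((addr, len(users), looks_like_wordlist(users)))
    return sorted(out)


if __name__ == "__main__":
    for addr, count, sequential in block_candidates(SAMPLE_EVENTS):
        print(f"{addr}: {count} failures, alphabetical usernames={sequential}")
```

The sample run reports 213.88.247.2 with four failures and alphabetical usernames, while the internal 192.168.1.20 address stays out of the block list; in practice the parser is pointed at an export of the real Security log and the threshold is raised to whatever your normal failure rate justifies.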
Samuel Pardee
Updated on September 18, 2022

Comments

- Samuel Pardee, almost 2 years ago:
This is what the event looks like, under Security logs. There are tons of them. Is someone trying to brute force the network? This server is also used as a terminal services server. Thanks, any advice / help would be greatly appreciated.
Authentication Ticket Request:
User Name: rosu
Supplied Realm Name: my domain
User ID: -
Service Name: krbtgt/my domain
Service ID: -
Ticket Options: 0x40810010
Result Code: 0x6
Ticket Encryption Type: -
Pre-Authentication Type: -
Client Address: 127.0.0.1
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Now if you notice the user, for each event like this one, the user name changes, and they seem to be all alphabetical attempts if I sort by date. The IP here is internal on this one, but for most it is an outside IP such as 213.88.247.2. It seems the source port on the event changes as well. Take a look at another:
Logon Failure:
Reason: Unknown user name or bad password
User Name: rout
Domain: my Domain
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: my Server Hostname
Caller User Name: my Server Hostname$
Caller Domain: my Domain
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 7576
Transited Services: -
Source Network Address: 213.88.247.2
Source Port: 3030
Hmm?
- Samuel Pardee, almost 10 years ago: The terminal services were enabled on the DC. Not good!