[windows2000] Just Checking

  • From: "Greg Reese" <GReese@xxxxxxxxxxxxxxxx>
  • To: <windows2000@xxxxxxxxxxxxx>
  • Date: Sun, 26 Oct 2003 20:42:20 -0500

I have a bunch of strange stuff in my security log on my exchange server and 
think someone may have been trying to break into my server.  The server is 
Windows 200 SP4 with all available updates. 

In my log I have this:

A trusted logon process has registered with the Local Security Authority. This 
logon process will be trusted to submit logon requests. 
 Logon Process Name:    \inetinfo.exe 

Followed by a ton of failed login attempts for users that do not exist on my 
network like Administrator, root, test, admin, abc, master, webmaster, web, 
www, backup, server and a bunch of others.  Several hundred failures in all 
maybe 50 or so per id.  All the failed messages read like this:

Logon Failure:
        Reason:         Unknown user name or bad password
        User Name:      backup
        Logon Type:     3
        Logon Process:  Advapi  
        Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
        Workstation Name:       <my servername>

This server is behind my firewall but my firewall does have NAT entries to is 
for mail and web because it is my exchange server and my IIS server.  The only 
pages I serve up for IIS is for corporate use.  Web Interface for Citrix and 
webmail for exchange.

Have I missed something else to lock down that allowed this to happen or is 
this regular stuff when I have an IIS server open to the internet?

This Week's Sponsor - RTO Software / TScale
What's keeping you from getting more from your terminal servers? Did you know, 
in most cases, CPU Utilization IS NOT the single biggest constraint to scaling 
up?! Get this free white paper to understand the real constraints & how to 
overcome them. SAVE MONEY by scaling-up rather than buying more servers.
To Unsubscribe, set digest or vacation
mode or view archives use the below link.


Other related posts:

  • » [windows2000] Just Checking