Re: Failure Audit for Event id 675

[ilaiy <ilaiy.e () gmail com>]

DC would be the domain controller ..

./thanks
ilaiy

On 4/19/06, Dana Hudnall <danahudnall () hotmail com> wrote:
> I hate to sound dumb (but I usually do anyway) but what does DC stand for?
> Is that an auditing tool?
>
> Dana
> DANA HUDNALL
> ----- Original Message -----
> From: "rs" <rsmade () gmail com>
> To: "Tyler, Grayling" <ggtyler () foodlion com>
> Cc: <security-basics () securityfocus com>
> Sent: Wednesday, April 19, 2006 12:07 PM
> Subject: Re: Failure Audit for Event id 675
>
>
> > Tyler, Grayling wrote:
> > > When a user attempts to log on at a workstation with a bad password, the
> > > DC records event ID 675 (pre-authentication failed) with Failure Code 24
> > > (0x18 hex). By reviewing each of your DC Security logs for this event
> > > and failure code, you can track every domain logon attempt that failed
> > > as a result of a bad password. The IP address in the event log reflects
> > > the system from which the logon attempt originated (since yours has
> > > 127.0.0.1 I assume you changed the real IP before sending the question
> > > in to the list(which would be a smart thing to do).
> > >
> > >
> > >
> > >  -----Original Message-----
> > > From: rs [mailto:rsmade () gmail com] Sent: Monday, April 17, 2006 4:49 PM
> > > To: security-basics () securityfocus com
> > > Subject: Failure Audit for Event id 675
> > >
> > > I am receiving a ton of Event 675 Failure Audits on my DC. Windows 2003
> > > Mixed mode Domain and this is the pdc emulator. The bulk of these are
> > > arriving as follows:
> > >
> > > Event Type: Failure Audit
> > > Event Source: Security
> > > Event Category: Account Logon
> > > Event ID: 675
> > > Date: 4/17/2006
> > > Time: 4:38:56 PM
> > > User: NT AUTHORITY\SYSTEM
> > > Computer: DC01
> > > Description:
> > > Pre-authentication failed:
> > >   User Name: Admin
> > >   User ID: OURDOMAIN\Admin
> > >   Service Name: krbtgt/OURDOMAIN
> > >   Pre-Authentication Type: 0x2
> > >   Failure Code: 0x18
> > >   Client Address: 127.0.0.1
> > >
> > > I can't identify any process using this account on the DC. A reboot did
> > > not solve the issue. A lot of searching on the we has pointed to time
> > > issues dealing with kerberos but that does not seem to be it. The strange
> > > part is the client address being 127.0.0.1. Could this just be a
> > >
> > > virus out on our network reporting 127.0.0.1 as its source during
> > > authentication attempts? Has anyone seen anything like this?
> > >
> > > ------------------------------------------------------------------------
> > > -
> > > This List Sponsored by: Webroot
> > >
> > > Don't leave your confidential company and customer records un-protected.
> > >
> > > Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no
> > > obligation. See why so many companies trust Spy Sweeper Enterprise to
> > > eradicate spyware from their networks.
> > > FREE 30-Day Trial of Spy Sweeper Enterprise
> > >
> > > http://www.webroot.com/forms/enterprise_lead.php
> > > ------------------------------------------------------------------------
> > > --
> > >
> > > **************************************************************************
> > > This electronic message may contain confidential or privileged
> > > information
> > > and is intended for the individual or entity named above.  If you are not
> > > the intended recipient, be aware that any disclosure, copying,
> > > distribution or use of the contents of this information is prohibited. If
> > > you have received this electronic transmission in error, please notify
> > > the sender immediately by using the e-mail address or by telephone
> > > (704-633-8250).
> > > **************************************************************************
> > No, 127.0.01 was the actual source IP recorded for the event which is part
> > of the reason this is not making sense.
> >
> > -------------------------------------------------------------------------
> > This List Sponsored by: Webroot
> >
> > Don't leave your confidential company and customer records un-protected.
> > Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no
> > obligation. See why so many companies trust Spy Sweeper Enterprise to
> > eradicate spyware from their networks.
> > FREE 30-Day Trial of Spy Sweeper Enterprise
> >
> > http://www.webroot.com/forms/enterprise_lead.php
> > --------------------------------------------------------------------------
>
> -------------------------------------------------------------------------
> This List Sponsored by: Webroot
>
> Don't leave your confidential company and customer records un-protected.
> Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no
> obligation. See why so many companies trust Spy Sweeper Enterprise to
> eradicate spyware from their networks.
> FREE 30-Day Trial of Spy Sweeper Enterprise
>
> http://www.webroot.com/forms/enterprise_lead.php
> --------------------------------------------------------------------------

-------------------------------------------------------------------------
This List Sponsored by: Webroot

Don't leave your confidential company and customer records un-protected.
Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no
obligation. See why so many companies trust Spy Sweeper Enterprise to
eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise

http://www.webroot.com/forms/enterprise_lead.php
--------------------------------------------------------------------------