Microsoft
Software
Hardware
Network
Question : Audit Failure on Windows 2008
I received a new Dell server for our firm yesterday. I set it up initially to let it run for a 5 day burn-in period. I installed Windows 2008 Std SP2, hardware drivers, Symantec Endpoint Protection 11.0.5 and Adobe acrobat. I have not installed any additional microsoft updates other than SP2 that came in the media download..
The environment consists of a win 2000 server (in domain & DC), Win 2003 server (in domain) and 20 domain workstations running XP Pro. All systems run the current release of Symantec Endpoint Protection. The server is not in the domain yet. It's a standaolne with no AD installed.
This morning I checked the system logs and found multiple events that looks like someone is truing to hack into it. Here are the events I found. Let me know what I should do.
Log Name: Security
Source: Microsoft-Windows-Security
-Auditing
Date: 5/22/2010 7:47:35 AM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: server8
Description:
An account failed to log on.
Subject:
Security ID: server8\Administrator
Account Name: Administrator
Account Domain: server8
Logon ID: 0x3824b82
Logon Type: 2
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: Administrator
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a
Process Information:
Caller Process ID: 0xda8
Caller Process Name: C:\Windows\explorer.exe
Network Information:
Workstation Name: server8
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_P
ACKAGE_V1_
0
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where
access was attempted.
The Subject fields indicate the account on the local system which requested the logon.
This is most commonly a service such as the Server service, or a local process such as
Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common
types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested
the logon.
The Network Information fields indicate where a remote logon request originated.
Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific
logon request.
- Transited services indicate which intermediate services have participated in this
logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no
session key was requested.
Event Xml:
<Event xmlns="
http://schemas.micr
osoft.com/
win/2004/0
8/events/e
vent
">
<System>
<Provider Name="Microsoft-Windows-Se
curity-Aud
iting"
Guid="{54849625-5478-4994-
a5ba-3e3b0
328c30d}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x80100000000000
00</Keywor
ds>
<TimeCreated SystemTime="2010-05-22T12:
47:35.390Z
" />
<EventRecordID>409</EventR
ecordID>
<Correlation />
<Execution ProcessID="676" ThreadID="3088" />
<Channel>Security</Channel
>
<Computer>server8</Compute
r>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-
5-21-36283
22202-2619
417080-190
2112590-50
0</Data>
<Data Name="SubjectUserName">Adm
inistrator
</Data>
<Data Name="SubjectDomainName">s
erver8</Da
ta>
<Data Name="SubjectLogonId">0x38
24b82</Dat
a>
<Data Name="TargetUserSid">S-1-0
-0</Data>
<Data Name="TargetUserName">Admi
nistrator<
/Data>
<Data Name="TargetDomainName">
</Data>
<Data Name="Status">0xc000006d</
Data>
<Data Name="FailureReason">%%231
3</Data>
<Data Name="SubStatus">0xc000006
a</Data>
<Data Name="LogonType">2</Data>
<Data Name="LogonProcessName">Ad
vapi </Data>
<Data Name="AuthenticationPackag
eName">MIC
ROSOFT_AUT
HENTICATIO
N_PACKAGE_
V1_0</Data
>
<Data Name="WorkstationName">ser
ver8</Data
>
<Data Name="TransmittedServices"
>-</Data>
<Data Name="LmPackageName">-</Da
ta>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0xda8</Da
ta>
<Data Name="ProcessName">C:\Wind
ows\explor
er.exe</Da
ta>
<Data Name="IpAddress">-</Data>
<Data Name="IpPort">-</Data>
</EventData>
</Event>
Log Name: Security
Source: Microsoft-Windows-Security
-Auditing
Date: 5/21/2010 11:38:15 AM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: server8
Description:
An account failed to log on.
Subject:
Security ID: server8\Administrator
Account Name: Administrator
Account Domain: server8
Logon ID: 0x26a59
Logon Type: 2
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: Administrator
Account Domain: server8
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a
Process Information:
Caller Process ID: 0xb34
Caller Process Name: C:\Windows\SysWOW64\msiexe
c.exe
Network Information:
Workstation Name: server8
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where
access was attempted.
The Subject fields indicate the account on the local system which requested the logon.
This is most commonly a service such as the Server service, or a local process such as
Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common
types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested
the logon.
The Network Information fields indicate where a remote logon request originated.
Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific
logon request.
- Transited services indicate which intermediate services have participated in this
logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no
session key was requested.
Event Xml:
<Event xmlns="
http://schemas.micr
osoft.com/
win/2004/0
8/events/e
vent
">
<System>
<Provider Name="Microsoft-Windows-Se
curity-Aud
iting"
Guid="{54849625-5478-4994-
a5ba-3e3b0
328c30d}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x80100000000000
00</Keywor
ds>
<TimeCreated SystemTime="2010-05-21T16:
38:15.422Z
" />
<EventRecordID>374</EventR
ecordID>
<Correlation />
<Execution ProcessID="676" ThreadID="3456" />
<Channel>Security</Channel
>
<Computer>server8</Compute
r>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-
5-21-36283
22202-2619
417080-190
2112590-50
0</Data>
<Data Name="SubjectUserName">Adm
inistrator
</Data>
<Data Name="SubjectDomainName">s
erver8</Da
ta>
<Data Name="SubjectLogonId">0x26
a59</Data>
<Data Name="TargetUserSid">S-1-0
-0</Data>
<Data Name="TargetUserName">Admi
nistrator<
/Data>
<Data Name="TargetDomainName">se
rver8</Dat
a>
<Data Name="Status">0xc000006d</
Data>
<Data Name="FailureReason">%%231
3</Data>
<Data Name="SubStatus">0xc000006
a</Data>
<Data Name="LogonType">2</Data>
<Data Name="LogonProcessName">Ad
vapi </Data>
<Data Name="AuthenticationPackag
eName">Neg
otiate</Da
ta>
<Data Name="WorkstationName">ser
ver8</Data
>
<Data Name="TransmittedServices"
>-</Data>
<Data Name="LmPackageName">-</Da
ta>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0xb34</Da
ta>
<Data Name="ProcessName">C:\Wind
ows\SysWOW
64\msiexec
.exe</Data
>
<Data Name="IpAddress">-</Data>
<Data Name="IpPort">-</Data>
</EventData>
</Event>
Log Name: Security
Source: Microsoft-Windows-Security
-Auditing
Date: 5/21/2010 11:33:05 AM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: server8
Description:
An account failed to log on.
Subject:
Security ID: server8\Administrator
Account Name: Administrator
Account Domain: server8
Logon ID: 0x26a59
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: Guest
Account Domain: server8
Failure Information:
Failure Reason: Account currently disabled.
Status: 0xc000006e
Sub Status: 0xc0000072
Process Information:
Caller Process ID: 0xb7c
Caller Process Name: C:\Windows\explorer.exe
Network Information:
Workstation Name: server8
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where
access was attempted.
The Subject fields indicate the account on the local system which requested the logon.
This is most commonly a service such as the Server service, or a local process such as
Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common
types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested
the logon.
The Network Information fields indicate where a remote logon request originated.
Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific
logon request.
- Transited services indicate which intermediate services have participated in this
logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no
session key was requested.
Event Xml:
<Event xmlns="
http://schemas.micr
osoft.com/
win/2004/0
8/events/e
vent
">
<System>
<Provider Name="Microsoft-Windows-Se
curity-Aud
iting"
Guid="{54849625-5478-4994-
a5ba-3e3b0
328c30d}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x80100000000000
00</Keywor
ds>
<TimeCreated SystemTime="2010-05-21T16:
33:05.797Z
" />
<EventRecordID>370</EventR
ecordID>
<Correlation />
<Execution ProcessID="676" ThreadID="3456" />
<Channel>Security</Channel
>
<Computer>server8</Compute
r>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-
5-21-36283
22202-2619
417080-190
2112590-50
0</Data>
<Data Name="SubjectUserName">Adm
inistrator
</Data>
<Data Name="SubjectDomainName">s
erver8</Da
ta>
<Data Name="SubjectLogonId">0x26
a59</Data>
<Data Name="TargetUserSid">S-1-0
-0</Data>
<Data Name="TargetUserName">Gues
t</Data>
<Data Name="TargetDomainName">se
rver8</Dat
a>
<Data Name="Status">0xc000006e</
Data>
<Data Name="FailureReason">%%231
0</Data>
<Data Name="SubStatus">0xc000007
2</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">Ad
vapi </Data>
<Data Name="AuthenticationPackag
eName">Neg
otiate</Da
ta>
<Data Name="WorkstationName">ser
ver8</Data
>
<Data Name="TransmittedServices"
>-</Data>
<Data Name="LmPackageName">-</Da
ta>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0xb7c</Da
ta>
<Data Name="ProcessName">C:\Wind
ows\explor
er.exe</Da
ta>
<Data Name="IpAddress">-</Data>
<Data Name="IpPort">-</Data>
</EventData>
</Event>
Log Name: Security
Source: Microsoft-Windows-Security
-Auditing
Date: 5/21/2010 10:45:17 AM
Event ID: 5032
Task Category: Other System Events
Level: Information
Keywords: Audit Failure
User: N/A
Computer: server8
Description:
Windows Firewall was unable to notify the user that it blocked an application from
accepting incoming connections on the network.
Error Code: 2
Event Xml:
<Event xmlns="
http://schemas.micr
osoft.com/
win/2004/0
8/events/e
vent
">
<System>
<Provider Name="Microsoft-Windows-Se
curity-Aud
iting"
Guid="{54849625-5478-4994-
a5ba-3e3b0
328c30d}" />
<EventID>5032</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12292</Task>
<Opcode>0</Opcode>
<Keywords>0x80100000000000
00</Keywor
ds>
<TimeCreated SystemTime="2010-05-21T15:
45:17.443Z
" />
<EventRecordID>315</EventR
ecordID>
<Correlation />
<Execution ProcessID="692" ThreadID="1588" />
<Channel>Security</Channel
>
<Computer>server8</Compute
r>
<Security />
</System>
<EventData>
<Data Name="ErrorCode">2</Data>
</EventData>
</Event>
Answer : Audit Failure on Windows 2008
someone is trying to RDP and map network drives to your new server, either it's someone inside your network or is your new server inside a DMZ?
think you have bigger problems than just this one server...
Random Solutions
How to find the layout of a network when doing counsulting?
IT / Programming BEST practice in the long run
FQDN for new domain tree
Excel to Word data merge: suppress page breaks
Vbscript to set focus when you only know part of a windows name
Cannot Install PEAR Packages
DatetimePicker Problem C#
ASP.net Missing something?!?!
Differences between full versions and "Click-to-Run" versions of MS Office
Reetrieving SQL data from a store procedure in ASP