From: Sam Shumway [sshumway@AXENT.COM]
Sent: Thursday, November 18, 1999 11:09 AM
To: WIN2KSECADVICE@LISTSERV.NTSECURITY.NET
Subject: Re: Eventviewer logs of failed log-on's

My research indicates if the user process is:

User32 - then the logon attempt was to the workstation's desktop (local logon)
Advapi - then the logon attempt was via IIS using clear text authentication
NtLmSsp - then the logon attempt was via IIS using NT challenge and response
KSecDD - then the logon attempt was via the network to a resource on the workstation (attaching to a share)

Because the logon attempt was via IIS and it was clear text I'd guess the domain info wasn't available. The attempt may have come from a non-Windows box.

Sam

> -----Original Message-----
> From: Seth Georgion [SMTP:SysAdmin@SASSPRODUCTIONS.COM]
> Sent: Wednesday, November 17, 1999 1:16 PM
> To: WIN2KSECADVICE@LISTSERV.NTSECURITY.NET
> Subject: Eventviewer logs of failed log-on's
>
> Okay, after going through an event log one day and finding 400 different
> failed log-on attempts to one person's account I decided to do some
> investigation.
> The log that came was this,
>
> Date: 11/5/99                 Event ID: 529
> Time: 6:49:01PM               Source: Security
> User: NT Authority\SYSTEM     Type: Failure Audit
> Computer: INTERGATE           Category: Logon/Logoff
>
> __________________________________________________________
> Logon Failure
>     Reason:                 Unknown user name or bad password
>     User Name:              dlloyd
>     Domain:
>     Logon Type:             3
>     Logon Process:          advapi
>     Authentication Package: MICROSOFT_AUTHENTICATION-PACKAGE-V1_0
>     Workstation Name:       INTERGATE
>
>
> First of all INTERGATE is the name of the PDC involved and all log-on
> attempts came from outside and their source was confirmed with router
> logs. Here's the question: there is a whole lot of confusion as to why the
> Domain field is blank (I didn't delete it) and also as to which name should
> be included in the workstation name. The other thing is what's the diff
> between advapi as a logon process and KSecDD. For reference the MS KB
> article that tries to explain some of this is 150530 and it seems to
> indicate that my own domain should be in that field. And especially not the
> domain of the attacker's workstation (if it's separate from mine). In
> addition Microsoft stated that the workstation name should be the name of
> the computer that the person was trying to break into and not their own
> computer. That kind of makes sense to me but a while back someone called
> us alleging that our computers had been broken into and used to launch
> attacks against their computers. They then gave us an event log for proof
> that contained our computers' info in the workstation and Domain name.
>
> Anybody know if the log on your PDC is supposed to show the attacked
> computer's workstation and domain or the attacker's workstation and domain?
> And what are the differences with the logon processes?
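As an added example for this thread (not code from either poster), the following Python script parses an Event ID 529 record in the text layout quoted above and applies the Logon Process mapping Sam gives in his reply, reproduced as he stated it rather than independently verified. The sample record is constructed to mirror the one Seth posted, including a wrapped "Reason" value and the blank Domain field, so the parser has to cope with both; the field labels it recognises are the ones visible in that record.

```python
import re

# Logon Process -> channel, as stated in Sam's reply above
# (reproduced as he gave it, not independently verified here).
LOGON_PROCESS_CHANNEL = {
    "user32": "local logon at the workstation desktop",
    "advapi": "IIS, clear-text authentication",
    "ntlmssp": "IIS, NT challenge/response authentication",
    "ksecdd": "network access to a resource on the workstation (share)",
}

# Logon Type codes as they appear in NT security events.
LOGON_TYPE_NAME = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service"}

# Field labels used in the text rendering of Event ID 529. Longest first so
# "User Name" is tried before "User" and "Logon Type" before "Type".
KEYS = sorted(
    ["Date", "Time", "User", "Computer", "Event ID", "Source", "Type", "Category",
     "Reason", "User Name", "Domain", "Logon Type", "Logon Process",
     "Authentication Package", "Workstation Name"],
    key=len, reverse=True)
FIELD_RE = re.compile(r"(?:^|\s)(" + "|".join(map(re.escape, KEYS)) + r"):")

# Constructed sample laid out like the record quoted in the thread
# (same values; the line wrap inside "Reason" is deliberate).
SAMPLE_529 = """\
Date: 11/5/99                 Event ID: 529
Time: 6:49:01PM               Source: Security
User: NT Authority\\SYSTEM     Type: Failure Audit
Computer: INTERGATE           Category: Logon/Logoff

__________________________________________________________
Logon Failure
    Reason:                 Unknown user name or bad
password
    User Name:              dlloyd
    Domain:
    Logon Type:             3
    Logon Process:          advapi
    Authentication Package: MICROSOFT_AUTHENTICATION-PACKAGE-V1_0
    Workstation Name:       INTERGATE
"""


def _parse_lines(lines, fields, continuation):
    """Fill `fields` from lines holding one or more 'Label: value' pairs.

    A line with no label is a wrapped continuation of the previous value
    (body section only); a label with nothing after it yields ''.
    """
    last = None
    for line in lines:
        matches = list(FIELD_RE.finditer(line))
        if not matches:
            if continuation and last is not None:
                fields[last] = (fields[last] + " " + line).strip()
            elif last is None:
                fields.setdefault("Title", line)   # e.g. "Logon Failure"
            continue
        for m, nxt in zip(matches, matches[1:] + [None]):
            end = nxt.start() if nxt else len(line)
            last = m.group(1)
            fields[last] = line[m.end():end].strip()


def parse_event(text):
    """Split the record at the underscore rule: header pairs above, body below."""
    header, body, below_rule = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if set(line) == {"_"}:
            below_rule = True
            continue
        (body if below_rule else header).append(line)
    fields = {}
    _parse_lines(header, fields, continuation=False)
    _parse_lines(body, fields, continuation=True)
    return fields


def triage(fields):
    """Classify a parsed 529 record and list what a reviewer should check."""
    proc = fields.get("Logon Process", "").lower()
    try:
        logon_type = LOGON_TYPE_NAME.get(int(fields.get("Logon Type", "")), "unknown")
    except ValueError:
        logon_type = "unknown"
    notes = []
    if not fields.get("Domain"):
        notes.append("Domain blank: no domain name was recorded for this attempt")
    if fields.get("Workstation Name") and fields["Workstation Name"] == fields.get("Computer"):
        notes.append("Workstation Name equals the logging computer; the remote "
                     "source must come from other data (e.g. router logs)")
    return {
        "event_id": fields.get("Event ID"),
        "account": fields.get("User Name"),
        "channel": LOGON_PROCESS_CHANNEL.get(proc, "unrecognized logon process: " + proc),
        "logon_type": logon_type,
        "notes": notes,
    }


if __name__ == "__main__":
    for key, value in triage(parse_event(SAMPLE_529)).items():
        print(f"{key}: {value}")
```

Run as-is it reports the sample as an IIS clear-text attempt with Logon Type 3 (Network), flags the empty Domain field, and points out that Workstation Name only names INTERGATE itself, which is why Seth had to go to the router logs for the origin.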