Multiple Logon Failure/Success Audits

Guest

Hi:

1. While trying to login remotely to my XP machine (say XP1), I noticed
multiple 'failure audits' from this machine (XP2). I did login incorrectly
once and that was a valid entry to be seen in the logs of XP1. However, there
were multiple such entries of which I am clueless about.
Any help is appreciated.
 
Steven L Umbach

It is not unusual to see multiple logon failures recorded for a single
failed logon attempt and these failures would have the same approximate
timestamp. If you are seeing a lot of logon failures at different times and
days then someone may be trying to access your computer and your best
defense is to use a very strong user password or smart card for any account
that is allowed to access the computer remotely. If you can configure your
firewall to allow remote access attempts only from authorized IP addresses
that can increase security but may not be possible if the users that need
access do not have a static public IP address or roam from place to place.
L2TP can also increase security because it requires that both computer
[first] and user authenticate to the VPN connection ideally with
certificates. --- Steve
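
The distinction drawn in the reply above (several failure audits with the same approximate timestamp versus failures at different times and days), as an added example that is not part of the original thread. It assumes the failure audits have been exported as (timestamp, account, source workstation) records; the 3-second gap, the review thresholds, the dates, the account names and HOST-A are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _burst(start, n, account, source):
    """Constructed helper: n failure audits 150 ms apart, as one bad logon may produce."""
    t0 = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
    return [(t0 + timedelta(milliseconds=150 * i), account, source) for i in range(n)]

# Constructed sample of failure audits on XP1 (timestamp, account, source workstation).
# Dates, the account names and HOST-A are made up for illustration.
SAMPLE = _burst("2006-03-01 09:15:02", 12, "owner", "XP2")  # one mistyped password
for day in (2, 3, 4):                                        # repeated tries over three days
    for hour in (1, 13):
        SAMPLE += _burst(f"2006-03-{day:02d} {hour:02d}:40:00", 2, "Administrator", "HOST-A")

def collapse_bursts(events, gap=timedelta(seconds=3)):
    """Merge entries for the same (account, source) that are at most `gap` apart
    into one logical attempt. Returns {key: [[first_ts, last_ts, entries], ...]}."""
    runs = defaultdict(list)
    for ts, account, source in sorted(events):
        key = (account, source)
        if runs[key] and ts - runs[key][-1][1] <= gap:
            runs[key][-1][1] = ts          # extend the current burst
            runs[key][-1][2] += 1
        else:
            runs[key].append([ts, ts, 1])  # a new attempt starts here
    return runs

def summarize(events, min_attempts=5, min_days=2):
    """Per (account, source): (raw entries, attempts, distinct days, worth_review)."""
    report = {}
    for key, bursts in collapse_bursts(events).items():
        raw = sum(b[2] for b in bursts)
        days = len({b[0].date() for b in bursts})
        attempts = len(bursts)
        report[key] = (raw, attempts, days, attempts >= min_attempts and days >= min_days)
    return report

if __name__ == "__main__":
    for (account, source), row in summarize(SAMPLE).items():
        print(account, source, row)
```

Both sources log twelve raw entries, but only the one whose entries fall into separate attempts on different days is marked for review.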
 
Guest

While the password, who can access remotely and the like policies are in
place, what bothers me is that for a single bad logon, tens of entries are
made in approximately a second or two.
While brute force is a possibility here, all the log entries point to the
machine XP2, where I was sitting and trying to login remotely. Hence, this
possibility can be disregarded (There were no tools running during this time
on XP2 - made sure of that).
And wow! I didn't know I could type my password so many times in a second!!:)

Jokes apart, any further ideas are appreciated.

Thanks

 
Steven L Umbach

That is known behavior in Windows and in part the number of entries depends
on the number of authentication methods that are allowed as shown in the
security option for LAN Manager authentication level in Local Security
Policy [assuming XP Pro] where you may want to configure it to send NTLMv2
response only for all your computers if you do not have a need to use file
and print sharing ever with W9X computers. Also this is a reason Microsoft
suggests for those using account lockout to use an account lockout threshold
of no less than ten bad attempts. --- Steve

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/576.mspx
--- LAN Manager authentication level

