LDD15 said:

> We are operating SBS2003. Today I noted that there were over 1000 login
> failures for one particular user. This user was not on the premises during
> the hours when these occurred.

I am sure you do understand this, but the use of "user" with two different
meanings above troubles me, and it might lead to less than full clarity
about what is happening. Think about "account" and "individual" instead
of "user" in the first and second cases of "user" above.

> I noticed that the Failure audit had a type 3, which indicates that someone
> tried to log on over the network. Another interesting point is that the
> failure audit indicates that the user name and password were correct. I
> assume however, based upon the quantity of attempts,

I do not understand. Username and password were correct? But the login
failed? Is that where the subject about login time constraint comes in?

> that someone is doing this with a script. How should I proceed?

Perhaps someone, more likely some thing.

While it is possible that someone was using a tool to specifically
target your environment, it is more common to see such probes
from bot net / infected / zombie machines, which would probably
bring the environment to the notice of a "someone" or group thereof
if a correct access was uncovered.

You need to determine where this came from, at least as
far as the "from inside or outside" question. If that is not
a real distinction in your environment then you probably
need to rethink how the capabilities of SBS are being used.

If it is from inside, trace it down and find what is originating
this, which could be some errant process or some infection
on a machine that is logged into by that account (perhaps
locked, not hibernated, not on standby).

If it is from outside, try to determine what interface, that is
what access capability, was being utilized, and then ask
why that is exposed to the outside (in fact you should examine
all external exposures asking for each whether they are needed
and if so whether exposed in the most secure but usable way).