Failure Audit Question

Guest

Hi all,

I am looking through my Security log on a Windows 2000 sp4 server that has
Exchange 2000 running on it. The system is located in a DMZ, and only port 25
is allowed through our firewall to it.

I am however noticing a bunch of failure audits as such:

EventID 529
Logon Failure:
Reason: Unknown user name or bad password
User Name: ALTHEA$
Domain: AWM
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: ALTHEA
--and--
EventID 681
The logon to account: ALTHEA$
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: ALTHEA
failed. The error code was: 3221225572

The computer names and domain names in these log messages do not mean
anything to me, and are not a part of our private AD domain... and I am not
sure of what the next step should be? If we are on a private LAN (with no
visitors) and only port 25 is allowed to the server from the outside world,
where could it be getting these workstation logon attempts from?

Thanks for any advice...
 
Guest

Here is what I think...
The translation of 3221225572 is C0000064, user logon with misspelled or bad
user account, and the User Name with a "$" at the end is usually a
workstation account. What this could very well be is a workstation that
someone has plugged in to your network; as the workstation is rebooted, it is
attempting to log in to the domain. This is not usually serious unless you
have a policy not to allow users to bring in personal workstations...

HTH
Ozone

This could be someone
 
Roger Abell [MVP]

Notice it negotiated use of Ntlm. No way is this going to happen
over Tcp port 25. Thus, you have a machine attached to / accessing
the inner side of that DMZ firewall.
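
Added example, not part of any post in this thread: a small Python parser that reads the two event descriptions quoted in the question, converts the decimal code from event 681 to its hex NTSTATUS value, and summarises the fields the replies discuss. The `known_domains` parameter and the `CORP` placeholder are assumptions; the status table is a small subset of Microsoft's NTSTATUS values.

```python
import re

# Subset of NTSTATUS logon-failure values (from Microsoft's ntstatus.h).
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service"}

# Event text as quoted in the question above.
EVENT_529 = """Logon Failure:
Reason: Unknown user name or bad password
User Name: ALTHEA$
Domain: AWM
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: ALTHEA"""
EVENT_681 = """The logon to account: ALTHEA$
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: ALTHEA
failed. The error code was: 3221225572"""

def parse_529(text):
    """Split the 'Name: value' lines of an event 529 description into a dict."""
    pairs = re.findall(r"^([A-Za-z ]+):[ \t]*(.*)$", text, re.M)
    ev = {k.strip(): v.strip() for k, v in pairs}
    ev["Logon Type Name"] = LOGON_TYPES.get(int(ev["Logon Type"]), "Other")
    return ev

def decode_681(text):
    """Return (hex NTSTATUS, symbolic name) for the decimal code in event 681."""
    code = int(re.search(r"error code was:\s*(\d+)", text).group(1))
    return f"0x{code:08X}", NTSTATUS.get(code, "not in table")

def triage(e529, e681, known_domains):
    """Summarise the event pair; known_domains is the operator's own domain list."""
    ev, (hexcode, name) = parse_529(e529), decode_681(e681)
    return {
        "status": f"{hexcode} {name}",
        "machine_account": ev["User Name"].endswith("$"),
        "foreign_domain": ev["Domain"].upper() not in {d.upper() for d in known_domains},
        "logon": f'{ev["Logon Type Name"]} via {ev["Authentication Package"]}',
        "source_name": ev["Workstation Name"],
    }

if __name__ == "__main__":
    print(triage(EVENT_529, EVENT_681, known_domains=["CORP"]))  # "CORP" is a placeholder
```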
 
