Implementation of securedc.inf / Event ID 529 & 681

Tim S.

I have a Windows 2000 network running in mixed mode
(mostly WIN2K servers) and all WIN2K desktops. We are a
state agency that is part of the larger state's forest. I
imported and implemented the securedc.inf group security
policy on the network two days ago. Now I notice that
some of my WIN2K servers are generating Security Event
IDs 529 and 681 in the Event logs. I found out that these
events are recording unsuccessful authentications /
logins. They were probably happening all along but the new
group policy is recording them. The problem is that all of
these events (529 and 681) are being generated by two
servers outside of my domain. I spoke with the admins for
the other domains and they have no idea what is going on.
They say these servers are secured in server rooms with
restricted access so I am guessing that someone is not
trying to hack into my network. The domains involved have
no relationship with our agency and although I can see the
domains in Network Neighborhood I do not have access to
them and vice versa. My question is what is happening and
why only these two servers? There are over 1000 servers
in the forest, so there must be something configured
incorrectly on these two; otherwise, why wouldn't the other
servers be generating the events as well? The logs are
listed below.

/21/2004 11:36:37 AM Security
Failure Audit Logon/Logoff 529 NT AUTHORITY\SYSTEM
TEST_REGION123 "Logon Failure:
Reason: Unknown user name or bad password
User Name: SVC_Profile
Domain: EPS
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: EPS-INF-PAR-001 "

4/21/2004 11:36:37 AM Security
Failure Audit Account Logon 681 NT AUTHORITY\SYSTEM
TEST_REGION123 The logon to account: SVC_Profile
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: EPS-INF-PAR-001
failed. The error code was: 3221225572
 
Derek Melber [MVP]

Tim,

Might want to check on both domains to see if there was once a trust that
is still in place (or at least 1/2 in place).

Also, check all service accounts on the other domain to make sure it is not
trying to authenticate back to your domain.
 
Tim S

Derek,

Thanks for the reply. There is no trust relationship and
there never was. I have the network admin at the other
agency check the service accounts and he says they are
all properly configured. I discovered that this problem is
happening on my two SQL servers (SQL7) and on a Test 2000
server box I just built a week ago. It is not happening on
my other 2000 or NT servers. The events happen every 45
minutes.
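
Added example, not part of the thread: a Python sketch for triaging exported event 681 records like the ones posted above. It decodes the decimal error code into its NTSTATUS name (3221225572 is 0xC0000064, STATUS_NO_SUCH_USER) and reports the gap between failures per source workstation and account. The export layout is assumed to match the pasted records, and the second 681 record in the sample is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
# NTSTATUS values that event 681 reports as a decimal "error code".
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER", 0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000072: "STATUS_ACCOUNT_DISABLED", 0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
RECORD_START = re.compile(r"(?m)^(?=\d{1,2}/\d{1,2}/\d{4} )")
FIELDS_681 = re.compile(
    r"^(?P<ts>\S+ \S+ [AP]M).*?\b681\b.*?The logon to account:\s*(?P<account>\S+)"
    r".*?from workstation:\s*(?P<workstation>\S+)"
    r".*?The error code was:\s*(?P<code>\d+)", re.S)

def parse_681(text):
    """Return one dict per event 681 record; records with other IDs are skipped."""
    events = []
    for record in RECORD_START.split(text):
        m = FIELDS_681.search(record)
        if m:
            code = int(m["code"])
            events.append({"time": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
                           "account": m["account"], "workstation": m["workstation"],
                           "status": NTSTATUS.get(code, hex(code))})
    return events

def summarize(events):
    """Group by (workstation, account); list status names and gaps in minutes."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["workstation"], e["account"])].append(e)
    report = {}
    for key, evs in groups.items():
        times = sorted(e["time"] for e in evs)
        gaps = [int((b - a).total_seconds() // 60) for a, b in zip(times, times[1:])]
        report[key] = {"gaps_min": gaps, "statuses": sorted({e["status"] for e in evs})}
    return report

# Constructed sample modelled on the records in the thread (the last record is invented).
SAMPLE = r"""4/21/2004 11:36:37 AM Security
Failure Audit Logon/Logoff 529 NT AUTHORITY\SYSTEM
4/21/2004 11:36:37 AM Security
Failure Audit Account Logon 681 NT AUTHORITY\SYSTEM
TEST_REGION123 The logon to account: SVC_Profile from workstation: EPS-INF-PAR-001
failed. The error code was: 3221225572
4/21/2004 12:21:37 PM Security
Failure Audit Account Logon 681 NT AUTHORITY\SYSTEM
TEST_REGION123 The logon to account: SVC_Profile from workstation: EPS-INF-PAR-001
failed. The error code was: 3221225572"""
```

Calling `summarize(parse_681(SAMPLE))` groups both failures under `("EPS-INF-PAR-001", "SVC_Profile")`; a constant gap points to a scheduled job or service retrying rather than interactive password guessing.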
 
