Millions of Audit Failures

Daniel Kramberger

Hi,
I have tried to find information regarding a lot of events
that appear in our event logs. We run resource domains
(NT4) with an Active Directory master domain. The domain is
in mixed mode and can't be changed at the moment. The
problem is that the event logs fill up with Event: Audit
Failure [Account logon] ID 675 and 681. Does anyone know
why these messages appear?
There are only W2K SP3 DCs in the "master domain". And all
the users are located there. All clients, both NT4 and W2K,
are located in the resource domains.

Best Regards
Daniel
 
Steven L Umbach

Hi Daniel. If you are exposed to the internet without a properly configured firewall,
these failures could be coming from there - usually you will see unrecognizable
domain and machine names if that is the case. Otherwise curious or malicious users
could be trying to access shares they see in Network Places or via UNC attempts. If
you get an access denied that way, a failure audit will be recorded. You may want to
implement an account lockout policy, but don't use too low of a threshold. Microsoft
says use ten as an absolute minimum. Time synch is also very important for Kerberos.
Make sure that the W2K clients are within five minutes of the domain controller - W32
time service should be doing that, and using only the W2K DC as their DNS server. You
may also want to run dcdiag /v on the domain controller, checking its health.
--- Steve

http://www.jsifaq.com/subg/tip3200/rh3207.htm
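An added example, not part of the thread above: one way to sort a flood of 675/681 failures by source and cause, so that clock-skew failures, bad passwords and unfamiliar machine names separate out. It assumes the event descriptions have been exported as text with the usual Windows 2000 wording; the sample records, the domain name MASTER and the host names are constructed.

```python
import re
from collections import Counter

# Kerberos error numbers (RFC 4120) as shown in event 675 "Failure Code".
KRB_CODES = {"0x12": "account disabled, expired or locked out",
             "0x18": "pre-auth failed (bad password)",
             "0x25": "clock skew too great"}
# NTSTATUS values; event 681 on W2K records them in decimal.
NTLM_CODES = {"0xC0000064": "no such user",
              "0xC000006A": "bad password",
              "0xC0000234": "account locked out"}

RE_675 = re.compile(r"User Name:\s*(\S+).*?Failure Code:\s*(0x[0-9A-Fa-f]+)"
                    r".*?Client Address:\s*(\S+)", re.S)
RE_681 = re.compile(r"logon to account:\s*(\S+).*?from workstation:\s*(\S+)"
                    r"\s+failed.*?error code was:\s*(\d+)", re.S)

def parse(event_id, text):
    """Return (user, source, reason), or None if the record does not match."""
    if event_id == 675:
        m = RE_675.search(text)
        if m:
            code = "0x" + m.group(2)[2:].lower()
            return m.group(1), m.group(3), KRB_CODES.get(code, code)
    elif event_id == 681:
        m = RE_681.search(text)
        if m:
            code = "0x%08X" % int(m.group(3))  # decimal -> NTSTATUS hex
            return m.group(1), m.group(2), NTLM_CODES.get(code, code)
    return None

def triage(events):
    """Count failures per (source, reason), noisiest first."""
    counts = Counter()
    for event_id, text in events:
        rec = parse(event_id, text)
        if rec:
            counts[(rec[1], rec[2])] += 1
    return counts.most_common()

# Constructed sample records (assumed description layout).
K = ("Pre-authentication failed: User Name: %s User ID: - Service Name: "
     "krbtgt/MASTER Pre-Authentication Type: 0x2 Failure Code: %s Client Address: %s")
N = ("The logon to account: %s by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 "
     "from workstation: %s failed. The error code was: %s")
SAMPLE = [(675, K % ("jdoe", "0x25", "10.0.0.15")),
          (675, K % ("jdoe", "0x25", "10.0.0.15")),
          (675, K % ("asmith", "0x18", "10.0.0.22")),
          (681, N % ("jdoe", "NT4WS07", "3221225578"))]

if __name__ == "__main__":
    for (source, reason), n in triage(SAMPLE):
        print(n, source, reason)
```

A source dominated by "clock skew too great" points at time synchronization rather than password guessing; sources with names or addresses nobody recognizes are the ones to check against the firewall.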
 
