Question on Attempted downgrade attack

Thread starter: Guest

We're receiving Event log messages when a disabled account tries to access a
server share as shown below:

Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 1/3/2005
Time: 7:13:20 AM
User: N/A
Computer: <<system name>>
Description:
The Security System detected an attempted downgrade attack for server
cifs/<<server name>>. The failure code from authentication protocol Kerberos
was "The user's account has expired.
(0xc0000193)".

While I understand that the root issue is the disabled account, I'm curious
about the message regarding "Attempted downgrade attacks". Does anyone have
any insight on what these downgrade attacks are referencing? Thanks.
 
The link below from http://www.eventid.net has some good info and is a place
to always check for Event IDs, along with searching Microsoft and Google web
and news.

http://www.eventid.net/display.asp?eventid=40960&eventno=787&source=LsaSrv&phase=1

I don't see an explanation for "attempted downgrade attack", though I
don't believe it's nearly as ominous as it sounds - possibly just alerting to
the fact that an expired account is trying to gain access. The users at the
link above mostly mention issues with DNS and incorrect time as being the
main causes. --- Steve
 
I wouldn't trust that this is really an attack. When I hear the term
"downgrade attack," it makes me suspect that the client was unable for some
reason to successfully negotiate Windows networking authentication to the
server using the server's required authentication protocol, such as
Kerberos, and so the client was configured to try to request / negotiate an
older, less secure Windows networking authentication protocol, such as
NTLMv2 or NTLM. Perhaps when the account is disabled, the client keeps
retrying the authentication using different protocols, not realizing or
caring that the problem is the account and not the protocol negotiation? At
any rate, if this was the case, then changing the permitted authentication
protocols on the client might get rid of the error messages from that
client.
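As an added example (not code from any poster in this thread), a small Python triage helper that parses LSASRV 40960 descriptions like the one quoted above, pulls out the target SPN and the NTSTATUS failure code, and marks the account-state and clock-skew codes the replies point to as benign explanations; anything else is left for a closer look at the client's negotiation settings. The host name and the second status code in the sample events are constructed placeholders, and the NTSTATUS values other than 0xC0000193 are standard Windows codes not quoted on this page.

```python
import re
from collections import namedtuple

# NTSTATUS codes that explain a 40960 as an account-state or clock problem
# rather than a real protocol downgrade. 0xC0000193 is the code quoted in
# the thread; the others are standard Windows NTSTATUS values.
BENIGN_CAUSES = {
    0xC0000193: "account expired",
    0xC0000072: "account disabled",
    0xC0000234: "account locked out",
    0xC000006A: "wrong password",
    0xC0000133: "clock skew between client and domain controller",
}
SPN_RE = re.compile(r"downgrade attack for server\s+(\S+)\.")
CODE_RE = re.compile(r"\((0x[0-9A-Fa-f]{8})\)")

DowngradeEvent = namedtuple("DowngradeEvent", "spn status verdict")

def parse_40960(description):
    """Pull the target SPN and NTSTATUS code out of an LSASRV 40960 description
    and attach a triage verdict; returns None if the text is not a 40960 body."""
    spn, code = SPN_RE.search(description), CODE_RE.search(description)
    if not spn or not code:
        return None
    status = int(code.group(1), 16)
    cause = BENIGN_CAUSES.get(status)
    verdict = (f"likely benign: {cause}" if cause
               else "unexplained: check client auth settings, DNS and time sync")
    return DowngradeEvent(spn.group(1), status, verdict)

def triage(descriptions):
    """Group parsed events by SPN so repeated hits on one share stand out."""
    by_spn = {}
    for text in descriptions:
        ev = parse_40960(text)
        if ev:
            by_spn.setdefault(ev.spn, []).append(ev)
    return by_spn

# Constructed sample descriptions modelled on the event quoted in the thread;
# the host name and the second status code are placeholders, not real values.
SAMPLE_EVENTS = [
    "The Security System detected an attempted downgrade attack for server\n"
    "cifs/FILESRV01.example.local. The failure code from authentication protocol "
    "Kerberos was \"The user's account has expired.\n(0xc0000193)\".",
    "The Security System detected an attempted downgrade attack for server\n"
    "cifs/FILESRV01.example.local. The failure code from authentication protocol "
    "Kerberos was \"Placeholder error text.\n(0xcafe0001)\".",
]
```

Running `triage(SAMPLE_EVENTS)` groups both events under the same SPN, with the first marked benign (account expired) and the second left as unexplained.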
 