Strange Events in the Security Log

I have set Security Auditing on Win2k Server. I want to see Successful and Failed logon attempts, Privilege use and a couple other things. When I checked the log today, it showed many failed attempts to logon and the user name was Server$ (the name of my server followed by a $). There were also some failed attempts to logon by one of the clients. Same thing, Client$ was the user name. However, after a couple dozen failed attempts, Server$ was successfully added as a user and then given privileges. I am fairly certain this was after all users had logged off. Some of the clients are set to shutdown and restart, but all users are restricted from logon at the time this was occurring. Could this be coming from our internet connection? Several of the events showed a Client Address of 127.0.0.1. Could this be spoofed? We are not hosting any services on our LAN. I do not have any ports open on the router (that I know of). Is this just normal activity from the system?
 
If you could post one of the events it may help. These may be normal events
relating to some other problem on the network. The $ would indicate a computer
name. I sometimes see computer names where it says user name for whatever
reason - could be a computer where no one is logged on. Try to scan your public
IP address from an external computer or if that is not easily possible right
away go to one of the websites to do a self scan such as
http://scan.sygatetech.com/. Make sure that any computer with an external NIC
to the internet has file and print sharing disabled on that NIC. See the links
below that may be of help in determining the problem. There are codes in logon
failures that may pinpoint the problem. --- Steve

http://www.microsoft.com/technet/tr...curity/prodtech/win2000/secwin2k/09detect.asp
http://is-it-true.org/nt/atips/atips155.shtml

Rob said:
I have set Security Auditing on Win2k Server. I want to see Successful and
Failed logon attempts, Privilege use and a couple other things. When I checked
the log today, it showed many failed attempts to logon and the user name was
Server$ (the name of my server followed by a $). There were also some failed
attempts to logon by one of the clients. Same thing, Client$ was the user name.
However, after a couple dozen failed attempts, Server$ was successfully added as
a user and then given privileges. I am fairly certain this was after all users
had logged off. Some of the clients are set to shutdown and restart, but all
users are restricted from logon at the time this was occurring. Could this be
coming from our internet connection? Several of the events showed a Client
Address of 127.0.0.1. Could this be spoofed? We are not hosting any services
on our LAN. I do not have any ports open on the router (that I know of). Is
this just normal activity from the system?
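
Added example, not part of either post: a Python triage of Security log events that separates computer accounts (names ending in $) from user accounts, decodes the standard Windows 2000 logon event IDs, and classifies each client address as local, LAN or external. The tuple layout, the function names and the sample rows are constructed for illustration and are not taken from the poster's log.

```python
import ipaddress
from collections import Counter

# Standard Windows 2000 Security log event IDs.
FAILURES = {
    529: "unknown user name or bad password",
    530: "logon time restriction",
    531: "account disabled", 532: "account expired",
    533: "not allowed to log on at this computer",
    534: "logon type not granted",
    535: "password expired", 539: "account locked out",
    675: "Kerberos pre-authentication failed",
    676: "Kerberos authentication ticket request failed",
    677: "Kerberos service ticket request failed",
}
SUCCESSES = {528: "logon", 540: "network logon", 576: "special privileges assigned to new logon"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def origin_of(source):
    """Classify an event's client address; None means the event carried none."""
    if source is None:
        return "none"
    ip = ipaddress.ip_address(source)
    if ip.is_loopback:  # 127.0.0.1: the request was made on the server itself
        return "local"
    return "lan" if any(ip in net for net in RFC1918) else "external"

def triage(events):
    """events: (event_id, account, client_address) tuples -> (summary, review)."""
    summary, review = Counter(), []
    for event_id, account, source in events:
        kind = "computer" if account.endswith("$") else "user"  # $ marks a machine account
        origin = origin_of(source)
        outcome = ("failed: " + FAILURES[event_id] if event_id in FAILURES
                   else "ok: " + SUCCESSES[event_id] if event_id in SUCCESSES else "other")
        summary[(kind, origin, outcome)] += 1
        if origin == "external":  # the poster reports no services exposed to the internet
            review.append((event_id, account, source))
    return summary, review

# Constructed sample rows, not taken from the poster's log.
SAMPLE = [
    (675, "SERVER$", "127.0.0.1"), (675, "SERVER$", "127.0.0.1"),
    (677, "CLIENT$", "192.168.1.20"), (540, "SERVER$", None),
    (576, "SERVER$", None), (675, "administrator", "203.0.113.9"),
]

if __name__ == "__main__":
    for key, count in sorted(triage(SAMPLE)[0].items()):
        print(count, *key)
```
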
 