Question : Logon failures 529 672 & 680
Hi experts
I have suddenly started having problems with security events and I can't tie the start of them down to any specific update or the like. I suppose this question is best broken down into two parts.
Yesterday there were 47 Failure Audits recorded between 16:00:05 & 16:11:42 involving attempted logins by the username Administrator, generating event IDs 529, 672 & 680. The Administrator account has been renamed from day 1 and here is an example of one type of log entry:
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 672
Date: 07/06/2007
Time: 16:00:05
User: NT AUTHORITY\SYSTEM
Computer: AML-SERVER
Description:
Authentication Ticket Request:
User Name: Administrator
Supplied Realm Name: OURDOMAIN.LOCAL
User ID: -
Service Name: krbtgt/OURDOMAIN.LOCAL
Service ID: -
Ticket Options: 0x40810010
Result Code: 0x6
Ticket Encryption Type: -
Pre-Authentication Type: -
Client Address: 127.0.0.1
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
** That wasn't any help - it said that "There is no Failure Audit form of this audit event record" Hmmm.
I cannot see anything in application or system logs which could have caused this. Is there any way in which I can find out which program / process has used this login, please?
Another option is, could this be something more sinister? No infections have been found on the daily full virus scans across the network and we have a hardware firewall. The firewall did report that it had repelled several Smurf attacks exactly an hour earlier, purporting to originate from an address belonging to African Network Information Center and there is no evidence I have found to suggest that the firewall was breached.
In addition, I have started to get occasional event ID 673 entries, within the DHCP range reserved for VPN clients & also some LAN clients. The clocks seem to be in sync with the server and a success audit is registered at the next event. No failure event is recorded on the client, only the success.
Any ideas, please?
Answer : Logon failures 529 672 & 680
Please review my response in this question which should cover this issue for you:
http:Q_22471975.html
Jeff
TechSoEasy
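Added example (not part of the original posts): a Python sketch that decodes the event 672 record quoted in the question. The function names and the trimmed sample text are constructed here. Result code 0x6 is the Kerberos error for a client principal the KDC does not know, which fits a request for "Administrator" after that account was renamed, and a loopback client address means the request was made on the server itself.

```python
import re

# Constructed sample: Description fields copied from the event 672 record in the question.
SAMPLE_672 = """\
Authentication Ticket Request:
User Name: Administrator
Supplied Realm Name: OURDOMAIN.LOCAL
Service Name: krbtgt/OURDOMAIN.LOCAL
Ticket Options: 0x40810010
Result Code: 0x6
Client Address: 127.0.0.1
"""

# Kerberos error codes (RFC 4120 section 7.5.9), subset seen on failed ticket requests.
KRB_ERRORS = {
    0x6: "KDC_ERR_C_PRINCIPAL_UNKNOWN (client not found in Kerberos database)",
    0x12: "KDC_ERR_CLIENT_REVOKED (client credentials revoked)",
    0x17: "KDC_ERR_KEY_EXPIRED (password has expired)",
    0x18: "KDC_ERR_PREAUTH_FAILED (pre-authentication information was invalid)",
    0x25: "KRB_AP_ERR_SKEW (clock skew too great)",
}

# KDCOptions flags (RFC 4120 section 5.4.1, canonicalize from RFC 6806).
# Bit 0 is the most significant bit of the 32-bit value.
KDC_OPTION_BITS = {1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
                   8: "renewable", 15: "canonicalize", 27: "renewable-ok",
                   30: "renew", 31: "validate"}

def parse_fields(description):
    """Split the 'Name: value' lines of an event description into a dict."""
    fields = {}
    for line in description.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def triage_672(description):
    """Decode why the ticket request failed and where it came from."""
    f = parse_fields(description)
    code = int(f["Result Code"], 16)
    opts = int(f["Ticket Options"], 16)
    flags = [name for bit, name in sorted(KDC_OPTION_BITS.items()) if opts & (1 << (31 - bit))]
    return {
        "user": f["User Name"],
        "result": KRB_ERRORS.get(code, "unlisted code 0x%x" % code),
        "options": flags,
        # Loopback address: the request originated on the logging server itself.
        "local_origin": f["Client Address"] in ("127.0.0.1", "::1"),
    }
```

Running `triage_672` over each exported 672 record and grouping by user, result and origin shows whether the 47 failures share one source.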