Question : Logon failures 529 672 & 680

Hi experts

I have suddenly started having problems with security events and I can't tie the start of them down to any specific update or the like. I suppose this question is best broken down into two parts.

Yesterday there were 47 Failure Audits recorded between 16:00:05 & 16:11:42 involving attempted logins by the username Administrator, generating event ID's 529, 672 & 680. The Administrator account has been renamed from day 1 and here is an example of one type of log entry:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      672
Date:            07/06/2007
Time:            16:00:05
User:            NT AUTHORITY\SYSTEM
Computer:      AML-SERVER
Description:
Authentication Ticket Request:
     User Name:            Administrator
     Supplied Realm Name:      OURDOMAIN.LOCAL
     User ID:                  -
     Service Name:            krbtgt/OURDOMAIN.LOCAL
     Service ID:            -
     Ticket Options:            0x40810010
     Result Code:            0x6
     Ticket Encryption Type:      -
     Pre-Authentication Type:      -
     Client Address:            127.0.0.1
     Certificate Issuer Name:
     Certificate Serial Number:
     Certificate Thumbprint:

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
** That wasn't any help - it said that "There is no Failure Audit form of this audit event record" Hmmm.

I cannot see anything in application or system logs which could have caused this. Is there any way in which I can find out which program / process has used this login, please?
Another option is, could this be something more sinister? No infections have been found on the daily full virus scans across the network and we have a hardware firewall. The firewall did report that it had repelled several Smurf attacks exactly an hour earlier, purporting to originate from an address belonging to African Network Information Center and there is no evidence I have found to suggest that the firewall was breached.

In addition, I have started to get occasional event ID's 673, within the DHCP range reserved for vpn clients & also some LAN clients. The clocks seem to be in sync with the server and a success audit is registered at the next event. No failure event is recorded on the client, only the success.

Any ideas, please?

Answer : Logon failures 529 672 & 680

Please review my response in this question which should cover this issue for you: http:Q_22471975.html

Jeff
TechSoEasy

Random Solutions

Need to connect two Linksys WAP54G together wirelessly

We can receive but not send email, ISP blames it on microsoft exchange server

Windows 98, 90 mhz pentium, and network card

using a wireless router with an existing network

Sendmail - Several local domains delivering to 1 local domain - alias vs. virtusertable

pcAnywhere login prompting for domain

How can I build a secure bind server that just forwards

IIS SSL certificate generation for servers in a cluster

SPF Record placement

Prioritize VOIP Traffic