From: Sam Shumway [sshumway@AXENT.COM]
Sent: Thursday, November 18, 1999 11:09 AM
To: WIN2KSECADVICE@LISTSERV.NTSECURITY.NET
Subject: Re: Eventviewer logs of failed log-on's

My research indicates if the user process is:
User32 - then the logon attempt was to the workstation's desktop (local
logon)
Advapi - then the logon attempt was via IIS using clear text authentication
NtLmSsp - then the logon attempt was via IIS using NT challenge and response
KSecDD - then the logon attempt was via the network to a resource on the
workstation (attaching to a share)

Because the logon attempt was via IIS and it was clear text I'd guess the
domain info wasn't available. The attempt may have come from a non-Windows
box.

Sam


> -----Original Message-----
> From: Seth Georgion [SMTP:SysAdmin@SASSPRODUCTIONS.COM]
> Sent: Wednesday, November 17, 1999 1:16 PM
> To:   WIN2KSECADVICE@LISTSERV.NTSECURITY.NET
> Subject:      Eventviewer logs of failed log-on's
> 
> Okay, after going through an event log one day and finding 400 different
> failed log-on attempts to one person's account I decided to do some
> investigation. The log that came was this,
> 
> Date: 11/5/99 Event ID: 529
> Time: 6:49:01PM Source: Security
> User: NT Authority\SYSTEM Type: Failure Audit
> Computer: INTERGATE Category: Logon/Logoff
> 
> __________________________________________________________
> Logon Failure
>  Reason: Unknown user name or bad
> password
>  User Name: dlloyd
>  Domain: 
>  Logon Type: 3
>  Logon Process:advapi
>  Authentication Package
> MICROSOFT_AUTHENTICATION-PACKAGE-V1_0
>  Workstation Name: INTERGATE
> 
> 
> First of all INTERGATE is the name of the PDC involved and all log-on
> attempts came from outside and their source was confirmed with router
> logs. Here's the question, there is a whole lot of confusion as to why the
> Domain field is blank (I didn't delete it) and also as which name should
> be included in the workstation name. The other thing is what's the diff
> between advapi as a logon process and KSecDD. For reference the MS KB
> article that tries to explain some of this is 150530 and it seems to
> indicate that my own domain should be in that field. And especially not the
> domain of the attackers workstation (if it's separate of mine). In
> addition Microsoft stated that the workstation name should be the name of
> the computer that the person was trying to break into and not their own
> computer. That kind of makes sense to me but a while back someone called
> us alleging that our computers had been broken into and used to launch
> attacks against their computers. They then gave us an event log for proof
> that contained our computers info in the workstation and Domain name. 
> 
> Anybody know if the log on your PDC is supposed to show the attacked
> computers workstation and domain or the attackers workstation and domain?
> And what's the differences with the logon processes

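Sam's table of Logon Process values lends itself to a small triage script. The Python below is an added example, not code from either poster: it parses exported Event Viewer text in the layout Seth quoted (including the wrapped "Reason:" and "Authentication Package" lines), tags each Event ID 529 record with the access path from Sam's table, and counts failures per account so a burst like the 400 attempts Seth describes stands out. The sample records, the field regexes and the alert threshold are constructed assumptions; the logon-process mapping is Sam's, reproduced as he stated it and not independently verified here.

```python
import re
from collections import Counter

# Logon Process -> access path, as given in Sam's reply (his research, reproduced as-is).
LOGON_PROCESS_PATH = {
    "user32": "local desktop logon",
    "advapi": "IIS, clear-text authentication",
    "ntlmssp": "IIS, NT challenge/response",
    "ksecdd": "network access to a share on this machine",
}

# Field labels as they appear in the 529 detail text quoted in the thread.
FIELD_NAMES = (
    "Reason", "User Name", "Domain", "Logon Type", "Logon Process",
    "Authentication Package", "Workstation Name",
)
# Colon is optional because the quoted record prints "Authentication Package" without one.
FIELD_RE = re.compile(
    r"^\s*(" + "|".join(re.escape(f) for f in FIELD_NAMES) + r")\s*:?\s*(.*)$",
    re.IGNORECASE,
)
EVENT_ID_RE = re.compile(r"Event ID:\s*(\d+)")


def parse_events(text):
    """Split exported Event Viewer text into one dict per record.

    Records are separated by a blank line. A line that matches no field label
    is treated as a wrapped continuation of the previous field, which is how
    'Reason:' and 'Authentication Package' appear in the quoted record.
    """
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        event = {"Event ID": None}
        m = EVENT_ID_RE.search(block)
        if m:
            event["Event ID"] = int(m.group(1))
        current = None  # field currently being filled, for continuation lines
        for line in block.splitlines():
            fm = FIELD_RE.match(line)
            if fm:
                # Canonicalise the label's capitalisation via FIELD_NAMES.
                current = next(f for f in FIELD_NAMES if f.lower() == fm.group(1).lower())
                event[current] = fm.group(2).strip()
            elif current is not None:
                event[current] = (event[current] + " " + line.strip()).strip()
        events.append(event)
    return events


def classify(event):
    """Attach the access path from Sam's table plus the notes a reviewer would want."""
    proc = event.get("Logon Process", "").lower()
    path = LOGON_PROCESS_PATH.get(proc, "unknown logon process: %r" % proc)
    notes = []
    if event.get("Domain", "") == "" and proc == "advapi":
        # Sam's guess in the thread: clear-text IIS logon with no domain info.
        notes.append("no domain supplied on a clear-text IIS logon; client may not be a Windows box")
    if event.get("Logon Type") == "3":
        notes.append("logon type 3 is a network logon, not a console logon")
    return {"path": path, "notes": notes}


def failed_logons_per_account(events, failure_ids=(529,)):
    """Count failure-audit records per (user, workstation, access path)."""
    counts = Counter()
    for ev in events:
        if ev["Event ID"] not in failure_ids:
            continue
        key = (ev.get("User Name", "").lower(), ev.get("Workstation Name", ""), classify(ev)["path"])
        counts[key] += 1
    return counts


def accounts_over_threshold(events, threshold=100):
    """Return sorted (user, workstation, path, count) tuples at or above threshold.

    The default threshold is a constructed value; Seth's log showed about 400
    failures against one account, which any sane threshold would catch.
    """
    return sorted(
        (u, w, p, n) for (u, w, p), n in failed_logons_per_account(events).items() if n >= threshold
    )


# Constructed sample in the layout Seth quoted (one template, three records).
RECORD = """Date: 11/5/99 Event ID: 529
Time: {time} Source: Security
User: NT Authority\\SYSTEM Type: Failure Audit
Computer: INTERGATE Category: Logon/Logoff
Logon Failure
 Reason: Unknown user name or bad
password
 User Name: {user}
 Domain: {domain}
 Logon Type: 3
 Logon Process: {process}
 Authentication Package
MICROSOFT_AUTHENTICATION-PACKAGE-V1_0
 Workstation Name: INTERGATE
"""
SAMPLE_LOG = "\n".join([
    RECORD.format(time="6:49:01PM", user="dlloyd", domain="", process="advapi"),
    RECORD.format(time="6:49:07PM", user="dlloyd", domain="", process="advapi"),
    RECORD.format(time="7:02:33PM", user="jsmith", domain="SASS", process="KSecDD"),
])

if __name__ == "__main__":
    parsed = parse_events(SAMPLE_LOG)
    for ev in parsed:
        print(ev["User Name"], ev["Workstation Name"], classify(ev))
    print(accounts_over_threshold(parsed, threshold=2))
```

Run against a real export, the interesting output is the per-account counts grouped by access path: a pile of advapi failures with an empty Domain field is the pattern Sam describes, while KSecDD failures point at share access rather than the web server.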