Failed logon attempts to Local user accounts

Brian

Sep 9, 2003
Archived from groups: microsoft.public.win2000.security

This started happening recently. My security log is showing repeated failed logon attempts for non-standard Local (not AD) user accounts (i.e. local user accounts I created). These come in batches that happen so fast (about 10 seconds for five logon attempts & lockout) that I am certain it is robotic.

These are all failed logons to VALID Local user accounts and are NOT accompanied by attempts to log on to non-existent accounts as I might expect with a robot that is guessing common user names; the remote user is somehow gaining access to the Local user names.

So far, the passwords have kept the bad guys out, but (setting aside for the moment the issue of which port is being used) my big question is how is it possible for a remote user to read the Local user names?
 
Guest

You can use many third party utilities to enumerate Windows accounts in default
configuration. Two come to mind - dumpacl and SuperScan4 using the Windows enumeration
scan. Both of these are free and widely available.

If your firewall is not configured correctly, these accounts can be enumerated from
the internet. Make sure your firewall blocks file and print sharing ports. I would do
an external scan against your network to verify correct configuration. In a pinch you
can use one of the free self scan sites such as http://scan.sygate.com/ . The
computer where these logon attempts came from should show in the logon failures. If
the name is a computer on your network, you want to talk to the user and examine the
computer for worm/trojan/backdoor. A personal firewall installed on the compromised
computer may flag the rogue process when it tries to access your computer by popping
up a firewall alert asking for permission to access the network. If it is not a
known computer, the attempt came from the internet, other untrusted network
[wireless??] or from an unauthorized computer on your network. --- Steve

http://www.somarsoft.com/
http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/superscan.htm

"Brian" <Brian@discussions.microsoft.com> wrote in message
news:7C50810E-7EF0-4D2F-BF1C-A26A747255DA@microsoft.com...
> This started happening recently. My security log is showing repeated failed logon attempts for non-standard Local (not AD) user accounts (i.e. local user accounts I created). These come in batches that happen so fast (about 10 seconds for five logon attempts & lockout) that I am certain it is robotic.
>
> These are all failed logons to VALID Local user accounts and are NOT accompanied by attempts to log on to non-existent accounts as I might expect with a robot that is guessing common user names; the remote user is somehow gaining access to the Local user names.
>
> So far, the passwords have kept the bad guys out, but (setting aside for the moment the issue of which port is being used) my big question is how is it possible for a remote user to read the Local user names?
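
The triage step from the reply above (read the source computer out of the logon failures, then decide whether it is one of your own machines), as an added example that is not part of the original thread. The comma-separated export layout, the account and computer names, and `KNOWN_COMPUTERS` are constructed assumptions; event 529 is the Windows 2000 logon-failure event for an unknown user name or bad password.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (not real log data): time, event ID, target account, source workstation.
# Event 529 = logon failure (unknown user name or bad password); 528 = successful logon.
SAMPLE = """\
2004-06-01 03:14:02,529,backupsvc,WKSTN-07
2004-06-01 03:14:04,529,backupsvc,WKSTN-07
2004-06-01 03:14:06,529,backupsvc,WKSTN-07
2004-06-01 03:14:08,529,backupsvc,WKSTN-07
2004-06-01 03:14:11,529,backupsvc,WKSTN-07
2004-06-01 03:20:30,529,labuser,XJ3Q-PC
2004-06-01 03:20:32,529,labuser,XJ3Q-PC
2004-06-01 03:20:33,529,labuser,XJ3Q-PC
2004-06-01 03:20:35,529,labuser,XJ3Q-PC
2004-06-01 03:20:38,529,labuser,XJ3Q-PC
2004-06-01 09:02:10,529,brian,WKSTN-02
2004-06-01 09:05:45,528,brian,WKSTN-02
"""
KNOWN_COMPUTERS = {"WKSTN-02", "WKSTN-07"}  # hypothetical inventory of your own machines

def parse(text):
    for line in text.strip().splitlines():
        ts, event_id, user, source = line.split(",")
        if event_id == "529":  # keep only failed logons
            yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, source.upper()

def find_bursts(text, threshold=5, window_seconds=15):
    """Return [(source, account, count, source_is_known)] for rapid failure batches."""
    by_pair = defaultdict(list)
    for ts, user, source in parse(text):
        by_pair[(source, user)].append(ts)
    findings, window = [], timedelta(seconds=window_seconds)
    for (source, user), times in sorted(by_pair.items()):
        times.sort()
        best = start = 0
        for end in range(len(times)):  # sliding window over the sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            findings.append((source, user, best, source in KNOWN_COMPUTERS))
    return findings

if __name__ == "__main__":
    for source, user, count, known in find_bursts(SAMPLE):
        where = "on your network: examine that computer" if known else "not a known computer"
        print(f"{count} failures in a burst for '{user}' from {source} ({where})")
```

A single mistyped password, like the `brian` record in the sample, stays below the threshold and is not reported.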