Failed logon attempts to Local user accounts

Archived from groups: microsoft.public.win2000.security

This started happening recently. My security log is showing repeated failed logon attempts for non-standard Local (not AD) user accounts (i.e. local user accounts I created). These come in batches that happen so fast (about 10 seconds for five logon attempts & lockout) that I am certain it is robotic.

These are all failed logons to VALID Local user accounts and are NOT accompanied by attempts to log on to non-existent accounts as I might expect with a robot that is guessing common user names; the remote user is somehow gaining access to the Local user names.

So far, the passwords have kept the bad guys out, but (setting aside for the moment the issue of which port is being used) my big question is how is it possible for a remote user to read the Local user names?
  1. Archived from groups: microsoft.public.win2000.security

    You can use many third party utilities to enumerate Windows accounts in a default
    configuration. Two come to mind - dumpacl and SuperScan4 using the Windows enumeration
    scan. Both of these are free and widely available.

    If your firewall is not configured correctly, these accounts can be enumerated from
    the internet. Make sure your firewall blocks file and print sharing ports. I would do
    an external scan against your network to verify correct configuration. In a pinch you
    can use one of the free self scan sites such as http://scan.sygate.com/ . The
    computer where these logon attempts came from should show in the logon failures. If
    the name is a computer on your network, you want to talk to the user and examine the
    computer for worm/trojan/backdoor. A personal firewall installed on the compromised
    computer may flag the rogue process when it tries to access your computer by popping
    up a firewall alert asking for permission to access the network. If it is not a
    known computer, the attempt came from the internet, another untrusted network
    [wireless??] or from an unauthorized computer on your network. --- Steve

    http://www.somarsoft.com/
    http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/superscan.htm

    "Brian" <Brian@discussions.microsoft.com> wrote in message
    news:7C50810E-7EF0-4D2F-BF1C-A26A747255DA@microsoft.com...
    > This started happening recently. My security log is showing repeated failed logon
    > attempts for non-standard Local (not AD) user accounts (i.e. local user accounts I
    > created). These come in batches that happen so fast (about 10 seconds for five logon
    > attempts & lockout) that I am certain it is robotic.
    >
    > These are all failed logons to VALID Local user accounts and are NOT accompanied by
    > attempts to log on to non-existent accounts as I might expect with a robot that is
    > guessing common user names; the remote user is somehow gaining access to the Local
    > user names.
    >
    > So far, the passwords have kept the bad guys out, but (setting aside for the moment
    > the issue of which port is being used) my big question is how is it possible for a
    > remote user to read the Local user names?
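
The pattern discussed in this thread (about five failed logons in 10 seconds, every one against a valid local account, with the source computer named in the failure entries) can be checked for mechanically. The following is an added example, not part of the original posts: the record layout, dates, account names and computer names are constructed, and `find_bursts` is a hypothetical helper.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed data: the local account list and failed-logon records
# (time, target account, source computer as named in the failure entry).
LOCAL_ACCOUNTS = {"jsmith", "backupsvc", "labuser"}
SAMPLE_FAILURES = [
    ("2005-03-01 02:14:01", "jsmith", "UNKNOWN-PC"),
    ("2005-03-01 02:14:03", "jsmith", "UNKNOWN-PC"),
    ("2005-03-01 02:14:05", "backupsvc", "UNKNOWN-PC"),
    ("2005-03-01 02:14:07", "backupsvc", "UNKNOWN-PC"),
    ("2005-03-01 02:14:09", "labuser", "UNKNOWN-PC"),
    ("2005-03-01 02:20:00", "labuser", "WKSTN-03"),  # one mistyped password
    ("2005-03-01 03:00:00", "admin", "LAB-12"),
    ("2005-03-01 03:00:02", "test", "LAB-12"),
    ("2005-03-01 03:00:04", "oracle", "LAB-12"),
    ("2005-03-01 03:00:06", "JSmith", "LAB-12"),
    ("2005-03-01 03:00:08", "guest1", "LAB-12"),
]


def find_bursts(failures, local_accounts, min_failures=5, window_seconds=10):
    """Flag each source computer with min_failures failed logons inside window_seconds."""
    known = {name.lower() for name in local_accounts}
    window = timedelta(seconds=window_seconds)
    by_source = defaultdict(list)
    for stamp, account, source in failures:
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        by_source[source].append((when, account.lower()))
    findings = []
    for source, rows in by_source.items():
        rows.sort()
        start, best = 0, []
        for end, (when, _) in enumerate(rows):
            while when - rows[start][0] > window:  # shrink to the time window
                start += 1
            if end - start + 1 > len(best):
                best = rows[start:end + 1]
        if len(best) < min_failures:
            continue
        targeted = {account for _, account in best}
        findings.append({
            "source": source,
            "failures": len(best),
            "unknown_accounts": sorted(targeted - known),
            # Zero misses suggests the names were known before the guessing began.
            "names_known_in_advance": targeted <= known,
        })
    return findings
```

On the constructed data, UNKNOWN-PC is flagged with no unknown account names (the situation described in the question), LAB-12 is flagged as ordinary name guessing, and the single failure from WKSTN-03 is ignored.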