Audit Failures

Archived from groups: microsoft.public.win2000.security (More info?)

Can anyone tell me if they have seen this type of audit and what does it
mean? We just started auditing, but I am not sure what this is telling me.
This case seems very ambiguious. The other day there were the same entries
but they had user accounts that I know are fine. One of the accounts is mine
and two others that access our server via a VPN connection.

Thanks,


Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 3/27/2005
Time: 9:09:35 PM
User: NT AUTHORITY\SYSTEM
Computer: [SERVER_X]
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: [SERVER_X]
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: [SERVER_X]
4 answers Last reply
More about audit failures
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    This event occurs whenever the username & password combination fails.
    Generally, you will see these in an organization when someone makes a
    mistake typing their password. (though occasionally people misspell their
    account). Excessive numbers should be investigated.

    Since I don't know the details of your environment, it may be caused by
    other events. Logon type 3 is accessed system via network. There are also
    several KBs that may apply to your situation.

    Windows Server 2003 Events and Errors is our web site for more information.
    http://www.microsoft.com/technet/support/ee/search.aspx?DisplayName=Windows%20Server%202003&ProdName=Windows%20Operating%20System&MajorMinor=5.2&LCID=1033

    For more information about that event see:
    http://www.microsoft.com/technet/support/ee/result.aspx?EvtSrc=Security&EvtID=529&ProdName=Windows+Operating+System&LCID=1033&ProdVer=5.0

    Michiko Short [MSFT}
    --
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Please do not send e-mail directly to this alias. This alias is for
    newsgroup purposes only.

    "EMcGrath@HCA_NOSPAM_Vendor.com"
    <EMcGrathHCANOSPAMVendorcom@discussions.microsoft.com> wrote in message
    news:B7A0456C-DDBE-47CB-93F1-687B67CFA814@microsoft.com...
    > Can anyone tell me if they have seen this type of audit and what does it
    > mean? We just started auditing, but I am not sure what this is telling
    > me.
    > This case seems very ambiguious. The other day there were the same
    > entries
    > but they had user accounts that I know are fine. One of the accounts is
    > mine
    > and two others that access our server via a VPN connection.
    >
    > Thanks,
    >
    >
    > Event Type: Failure Audit
    > Event Source: Security
    > Event Category: Logon/Logoff
    > Event ID: 529
    > Date: 3/27/2005
    > Time: 9:09:35 PM
    > User: NT AUTHORITY\SYSTEM
    > Computer: [SERVER_X]
    > Description:
    > Logon Failure:
    > Reason: Unknown user name or bad password
    > User Name: Administrator
    > Domain: [SERVER_X]
    > Logon Type: 3
    > Logon Process: NtLmSsp
    > Authentication Package: NTLM
    > Workstation Name: [SERVER_X]
    >
  2. Archived from groups: microsoft.public.win2000.security (More info?)

    There are many attempts, even from my account. I think is may have something
    to do with our VPN. This is happening with users who are working in
    workgroups in a remote office and who are tunneling into my network via a VPN
    connection.

    Does this spark any ideas?

    Thanks,
    Erin

    "Michiko Short [MSFT]" wrote:

    > This event occurs whenever the username & password combination fails.
    > Generally, you will see these in an organization when someone makes a
    > mistake typing their password. (though occasionally people misspell their
    > account). Excessive numbers should be investigated.
    >
    > Since I don't know the details of your environment, it may be caused by
    > other events. Logon type 3 is accessed system via network. There are also
    > several KBs that may apply to your situation.
    >
    > Windows Server 2003 Events and Errors is our web site for more information.
    > http://www.microsoft.com/technet/support/ee/search.aspx?DisplayName=Windows%20Server%202003&ProdName=Windows%20Operating%20System&MajorMinor=5.2&LCID=1033
    >
    > For more information about that event see:
    > http://www.microsoft.com/technet/support/ee/result.aspx?EvtSrc=Security&EvtID=529&ProdName=Windows+Operating+System&LCID=1033&ProdVer=5.0
    >
    > Michiko Short [MSFT}
    > --
    > This posting is provided "AS IS" with no warranties, and confers no rights.
    > Please do not send e-mail directly to this alias. This alias is for
    > newsgroup purposes only.
    >
    > "EMcGrath@HCA_NOSPAM_Vendor.com"
    > <EMcGrathHCANOSPAMVendorcom@discussions.microsoft.com> wrote in message
    > news:B7A0456C-DDBE-47CB-93F1-687B67CFA814@microsoft.com...
    > > Can anyone tell me if they have seen this type of audit and what does it
    > > mean? We just started auditing, but I am not sure what this is telling
    > > me.
    > > This case seems very ambiguious. The other day there were the same
    > > entries
    > > but they had user accounts that I know are fine. One of the accounts is
    > > mine
    > > and two others that access our server via a VPN connection.
    > >
    > > Thanks,
    > >
    > >
    > > Event Type: Failure Audit
    > > Event Source: Security
    > > Event Category: Logon/Logoff
    > > Event ID: 529
    > > Date: 3/27/2005
    > > Time: 9:09:35 PM
    > > User: NT AUTHORITY\SYSTEM
    > > Computer: [SERVER_X]
    > > Description:
    > > Logon Failure:
    > > Reason: Unknown user name or bad password
    > > User Name: Administrator
    > > Domain: [SERVER_X]
    > > Logon Type: 3
    > > Logon Process: NtLmSsp
    > > Authentication Package: NTLM
    > > Workstation Name: [SERVER_X]
    > >
    >
    >
    >
  3. Archived from groups: microsoft.public.win2000.security (More info?)

    Sorry, not really a VPN expert.

    However, a couple of questions. You do recognize the Workstation Names
    correct? They should be systems on your remote office. So each of these
    events should have a valid combination of Username, Workstation Name, and
    Domain. It sounds like even though you have several logon failure events,
    you do have successful logons as well.

    Your VPN server and DCs are current on patches and service packs?

    As far as VPN goes, I would try to repost with a new subject asking for
    assistance with VPN configuration. That should attract the attention of the
    VPN experts. Good luck.

    --
    Michiko Short [MSFT]
    --
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Please do not send e-mail directly to this alias. This alias is for
    newsgroup purposes only.

    "EMcGrath@HCA_NOSPAM_Vendor.com"
    <EMcGrathHCANOSPAMVendorcom@discussions.microsoft.com> wrote in message
    news:104267FB-A6D5-47CB-BC39-AEFA30E64224@microsoft.com...
    > There are many attempts, even from my account. I think is may have
    > something
    > to do with our VPN. This is happening with users who are working in
    > workgroups in a remote office and who are tunneling into my network via a
    > VPN
    > connection.
    >
    > Does this spark any ideas?
    >
    > Thanks,
    > Erin
    >
    > "Michiko Short [MSFT]" wrote:
    >
    >> This event occurs whenever the username & password combination fails.
    >> Generally, you will see these in an organization when someone makes a
    >> mistake typing their password. (though occasionally people misspell their
    >> account). Excessive numbers should be investigated.
    >>
    >> Since I don't know the details of your environment, it may be caused by
    >> other events. Logon type 3 is accessed system via network. There are also
    >> several KBs that may apply to your situation.
    >>
    >> Windows Server 2003 Events and Errors is our web site for more
    >> information.
    >> http://www.microsoft.com/technet/support/ee/search.aspx?DisplayName=Windows%20Server%202003&ProdName=Windows%20Operating%20System&MajorMinor=5.2&LCID=1033
    >>
    >> For more information about that event see:
    >> http://www.microsoft.com/technet/support/ee/result.aspx?EvtSrc=Security&EvtID=529&ProdName=Windows+Operating+System&LCID=1033&ProdVer=5.0
    >>
    >> Michiko Short [MSFT}
    >> --
    >> This posting is provided "AS IS" with no warranties, and confers no
    >> rights.
    >> Please do not send e-mail directly to this alias. This alias is for
    >> newsgroup purposes only.
    >>
    >> "EMcGrath@HCA_NOSPAM_Vendor.com"
    >> <EMcGrathHCANOSPAMVendorcom@discussions.microsoft.com> wrote in message
    >> news:B7A0456C-DDBE-47CB-93F1-687B67CFA814@microsoft.com...
    >> > Can anyone tell me if they have seen this type of audit and what does
    >> > it
    >> > mean? We just started auditing, but I am not sure what this is telling
    >> > me.
    >> > This case seems very ambiguious. The other day there were the same
    >> > entries
    >> > but they had user accounts that I know are fine. One of the accounts
    >> > is
    >> > mine
    >> > and two others that access our server via a VPN connection.
    >> >
    >> > Thanks,
    >> >
    >> >
    >> > Event Type: Failure Audit
    >> > Event Source: Security
    >> > Event Category: Logon/Logoff
    >> > Event ID: 529
    >> > Date: 3/27/2005
    >> > Time: 9:09:35 PM
    >> > User: NT AUTHORITY\SYSTEM
    >> > Computer: [SERVER_X]
    >> > Description:
    >> > Logon Failure:
    >> > Reason: Unknown user name or bad password
    >> > User Name: Administrator
    >> > Domain: [SERVER_X]
    >> > Logon Type: 3
    >> > Logon Process: NtLmSsp
    >> > Authentication Package: NTLM
    >> > Workstation Name: [SERVER_X]
    >> >
    >>
    >>
    >>
  4. Archived from groups: microsoft.public.win2000.security (More info?)

    Are any users reporting being unable to access the network from the VPN??
    You may also find logon events for remote access users in the system log in
    the remote access server. --- Steve


    "EMcGrath@HCA_NOSPAM_Vendor.com"
    <EMcGrathHCANOSPAMVendorcom@discussions.microsoft.com> wrote in message
    news:104267FB-A6D5-47CB-BC39-AEFA30E64224@microsoft.com...
    > There are many attempts, even from my account. I think is may have
    > something
    > to do with our VPN. This is happening with users who are working in
    > workgroups in a remote office and who are tunneling into my network via a
    > VPN
    > connection.
    >
    > Does this spark any ideas?
    >
    > Thanks,
    > Erin
    >
    > "Michiko Short [MSFT]" wrote:
    >
    >> This event occurs whenever the username & password combination fails.
    >> Generally, you will see these in an organization when someone makes a
    >> mistake typing their password. (though occasionally people misspell their
    >> account). Excessive numbers should be investigated.
    >>
    >> Since I don't know the details of your environment, it may be caused by
    >> other events. Logon type 3 is accessed system via network. There are also
    >> several KBs that may apply to your situation.
    >>
    >> Windows Server 2003 Events and Errors is our web site for more
    >> information.
    >> http://www.microsoft.com/technet/support/ee/search.aspx?DisplayName=Windows%20Server%202003&ProdName=Windows%20Operating%20System&MajorMinor=5.2&LCID=1033
    >>
    >> For more information about that event see:
    >> http://www.microsoft.com/technet/support/ee/result.aspx?EvtSrc=Security&EvtID=529&ProdName=Windows+Operating+System&LCID=1033&ProdVer=5.0
    >>
    >> Michiko Short [MSFT}
    >> --
    >> This posting is provided "AS IS" with no warranties, and confers no
    >> rights.
    >> Please do not send e-mail directly to this alias. This alias is for
    >> newsgroup purposes only.
    >>
    >> "EMcGrath@HCA_NOSPAM_Vendor.com"
    >> <EMcGrathHCANOSPAMVendorcom@discussions.microsoft.com> wrote in message
    >> news:B7A0456C-DDBE-47CB-93F1-687B67CFA814@microsoft.com...
    >> > Can anyone tell me if they have seen this type of audit and what does
    >> > it
    >> > mean? We just started auditing, but I am not sure what this is telling
    >> > me.
    >> > This case seems very ambiguious. The other day there were the same
    >> > entries
    >> > but they had user accounts that I know are fine. One of the accounts
    >> > is
    >> > mine
    >> > and two others that access our server via a VPN connection.
    >> >
    >> > Thanks,
    >> >
    >> >
    >> > Event Type: Failure Audit
    >> > Event Source: Security
    >> > Event Category: Logon/Logoff
    >> > Event ID: 529
    >> > Date: 3/27/2005
    >> > Time: 9:09:35 PM
    >> > User: NT AUTHORITY\SYSTEM
    >> > Computer: [SERVER_X]
    >> > Description:
    >> > Logon Failure:
    >> > Reason: Unknown user name or bad password
    >> > User Name: Administrator
    >> > Domain: [SERVER_X]
    >> > Logon Type: 3
    >> > Logon Process: NtLmSsp
    >> > Authentication Package: NTLM
    >> > Workstation Name: [SERVER_X]
    >> >
    >>
    >>
    >>
Ask a new question

Read More

Windows