Posted by Roger Abell [MVP] on August 4, 2007, 4:06 am
> I have set up a WEB server (Windows 2003 SP2 with IIS) to host a site. While
> looking through the security events audit, I noticed a large number of
> FAILURE AUDITS with the MICROSOFT_AUTHENTICATION_PACKAGE_V1 and KRBTGT\
> service. These audits have various logon user names like PETER, APPLE, ROOT,
> LISA, MASTER, DOG and other random names. It has the sourceworkstation = the
> computer name of my server, and it has an error code of 0xC0000064. I am
> concerned. This happens for about a minute and stops during certain days.
> What is this? Is it an inside or outside hijack? What can this do? Can it
> control the computer?
>
Of course, this means you have exposed authentication interfaces
to the network(s) of origin. That you apparently see Kerberos use
attempts means these originate inside (or at least appear to be of
the same domain) or these are intended probes from your outside.
That you have only fail events means you have picked up one of
the numerous pests inhabiting the net, that you suffer their additive
drag against performance, that you are overexposed and/or have ill
machines, and that you are at risk to unpatched doors if flaws are
published/known in those authentication interfaces or the supporting
code to use them.
People either learn a fair stretch and fine tune accesses or take a
simple approach and only firewall.
Roger
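
One way to pick the pattern described in this thread out of a security log, as an added example that is not part of the original posts: it groups failure audits carrying error code 0xC0000064 (user name does not exist) into short bursts and reports bursts that name many different accounts. The comma-separated export layout, the host name WEB01, the sample records and the thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

STATUS_NO_SUCH_USER = "0xC0000064"  # NTSTATUS: the user name does not exist

# Constructed sample export: time, logon account, source workstation, error code.
SAMPLE = """\
2007-08-03 02:14:01,PETER,WEB01,0xC0000064
2007-08-03 02:14:05,APPLE,WEB01,0xC0000064
2007-08-03 02:14:09,ROOT,WEB01,0xC0000064
2007-08-03 02:14:20,LISA,WEB01,0xC0000064
2007-08-03 02:14:31,MASTER,WEB01,0xC0000064
2007-08-03 02:14:48,DOG,WEB01,0xC0000064
2007-08-03 09:30:00,jsmith,WEB01,0xC000006A
2007-08-03 15:02:10,bob,WEB01,0xC0000064
"""

def parse(text):
    """Yield (timestamp, user, workstation, code) from the assumed export layout."""
    for line in filter(str.strip, text.splitlines()):
        ts, user, ws, code = (f.strip() for f in line.split(","))
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user.upper(), ws, code.upper()

def find_guessing_bursts(records, window=timedelta(minutes=2), min_users=5):
    """Chain unknown-user failures per workstation into bursts in which each
    event falls within `window` of the previous one, and report the bursts
    that name at least `min_users` distinct accounts."""
    per_ws = defaultdict(list)
    for ts, user, ws, code in records:
        if code == STATUS_NO_SUCH_USER.upper():   # skip wrong-password etc.
            per_ws[ws].append((ts, user))
    bursts = []
    for ws, events in per_ws.items():
        events.sort()
        run = [events[0]]
        for ev in events[1:] + [None]:            # None flushes the last run
            if ev is not None and ev[0] - run[-1][0] <= window:
                run.append(ev)
                continue
            users = {u for _, u in run}
            if len(users) >= min_users:
                bursts.append({"workstation": ws, "start": run[0][0],
                               "end": run[-1][0], "users": sorted(users)})
            if ev is not None:
                run = [ev]
    return bursts

if __name__ == "__main__":
    print(find_guessing_bursts(parse(SAMPLE)))
```

A lone mistyped account name, or a failure with a different code such as 0xC000006A (wrong password), does not trip the check; only a run of distinct nonexistent names inside the window does.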