MpsLand
Posted June 4, 2012

hello all, how are you?

there are many failed log on in my windows server 2008 r2 event log. here is one example from my event viewer:

--start quote--
An account failed to log on.

Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name:
    Account Domain: WORKGROUP

Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xc000006d
    Sub Status: 0xc0000064

Process Information:
    Caller Process ID: 0x0
    Caller Process Name: -

Network Information:
    Workstation Name: --random name--
    Source Network Address: --random ip --
    Source Port: 13960

Detailed Authentication Information:
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0
--end quote--

these attempts are so many and periodically. sometimes they up to 30 attempts in only 1 minute, and it happens almost 24 hours nonstop

my question is: what is that and how to make it stop?

please kindly help me, thank you very much

regards,
sebastian

ICTCity
Posted June 4, 2012

Also if you don't use / have IIS, check this KB: http://support.microsoft.com/kb/896861/en-us

--------------------------------------------------------
You can also write in French. You can also write in German. You can also write in Italian.
--------------------------------------------------------

MpsLand (Author)
Posted June 4, 2012

hi, thanks for your help.

i have read the kb and it is because "loopback check security feature that is designed to help prevent reflection attacks on your computer", right?

so, it is not harmful and just leave it alone or should i follow the kb and "Specify host names for NTLM authentication" or "Disable the loopback check" in the registry?

again thank you very much for your kind help

ICTCity
Posted June 4, 2012

Let's say that I don't have an answer. This is my thought:

Don't disable the loopback check, actually it's not causing problem... right? What you could do is to specify NTLM host names, which is easy and safe.

I really don't know which is the best solution. I had just one time this problem and I resolved with NTLM host names but I didn't make any test to understand which scenario is better.

MpsLand (Author)
Posted June 5, 2012

ok, thank you very much. i would now try to specify NTLM host names. and see the result.

again, thank you :)
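
One way to triage events like the one quoted in the first post, as an added example that is not part of any post in this thread: it parses the event text, decodes the Sub Status, and reports per source address whether the attempts come from the server itself (the loopback case the KB covers) or from a remote host, together with the peak rate per minute. The sample events, the addresses, the function names and the burst threshold of 30 per minute are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# NTSTATUS codes that appear in the "Sub Status" field of failed-logon events.
SUB_STATUS = {0xC0000064: "unknown user name", 0xC000006A: "wrong password",
              0xC0000234: "account locked out", 0xC0000072: "account disabled"}
FIELD = re.compile(r"^[ \t]*(Sub Status|Source Network Address):[ \t]*(\S*)", re.M)

def parse_event(message):
    """Extract the source address and decoded failure reason from one message."""
    f = dict(FIELD.findall(message))
    sub = int(f.get("Sub Status") or "0", 16)
    return {"source": f.get("Source Network Address") or "-",
            "reason": SUB_STATUS.get(sub, hex(sub))}

def is_local(source, own_addresses=()):
    """True when the attempt came from the server itself (loopback case)."""
    if source == "-" or source in own_addresses:
        return True
    try:
        return ipaddress.ip_address(source).is_loopback
    except ValueError:
        return False  # not an IP literal: treat as remote and review by hand

def triage(events, own_addresses=(), burst=30):
    """events: iterable of (ISO timestamp, message); returns a per-source summary."""
    per_minute, reasons = Counter(), defaultdict(Counter)
    for ts, message in events:
        ev = parse_event(message)
        per_minute[(ev["source"], ts[:16])] += 1  # bucket by YYYY-MM-DDTHH:MM
        reasons[ev["source"]][ev["reason"]] += 1
    peak = Counter()
    for (source, _), count in per_minute.items():
        peak[source] = max(peak[source], count)
    return {s: {"origin": "local" if is_local(s, own_addresses) else "remote",
                "peak_per_minute": n, "burst": n >= burst,
                "reasons": dict(reasons[s])} for s, n in peak.items()}

# Constructed sample input in the layout of the event quoted in the thread.
TEMPLATE = ("An account failed to log on.\nLogon Type:\t\t3\n"
            "\tSub Status:\t\t{sub}\n\tSource Network Address:\t{ip}\n")
SAMPLE = [(f"2012-06-04T10:15:{s:02d}", TEMPLATE.format(
    sub="0xc0000064", ip="203.0.113.50")) for s in range(30)]
SAMPLE += [(f"2012-06-04T10:{m}:00", TEMPLATE.format(
    sub="0xc000006a", ip="127.0.0.1")) for m in (16, 17)]

if __name__ == "__main__":
    for source, entry in triage(SAMPLE).items():
        print(source, entry)
```

Pass the server's own IP addresses as `own_addresses` so that attempts the machine makes against itself are reported as local rather than remote.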