I am a new network admin at our company. I come from a limited network admin background and a much more extensive programming background.
I am trying to get our network back up to speed, and I have many tasks at hand.
As I have been going through the Event Logs trying to track down another issue, I noticed that in the Security Log, there are relatively many login failures (5 a day or so) - which would be fine if they were on our domain.
But they are for outside domains and users not on this domain.
Say our domain is ABC, I am seeing relatively many login attempts for domains XYZ, EFG, LMNOP, etc. They are just NTLM attempts, so it means that it isn't someone trying to log in to our specific machines on our domain, but instead it looks like it is someone that has a computer set up for a different domain turning their machine on and trying to log in to our network, but it isn't set up for it.
If someone else told me this, I would suspect people coming in with laptops that were set up for another company and then plugging in and not knowing what they were doing, trying to log in.
But we are only 16 people in this office, and I can keep track of whatever every user is doing... nobody is bringing in outside laptops.
The failure doesn't look very bad to me because it isn't changing much; it looks like the same sort of attempts pretty regularly - like the same person turning on their machine and getting the failures. Were it changing users and/or domains very rapidly, I would suspect an automated or more concerted effort to break in.
That said, the only other thing I could think of is that we do have a wireless access point, so I thought perhaps that was wide open and someone was accidentally getting onto our network that way. But I looked into it and it isn't wide open, although it doesn't have that high an encryption level on it.
But even with the low-level encryption, that would still mean that someone is actively "breaking in" to the wireless connection, and then showing ineptitude at logging in... which doesn't seem right to me.
So I'm just curious if anyone can tell me where/what these logins are. The domains don't obviously point to any companies near us - and one - "TELECOM" is generic enough that it could be a number of things.
Any ideas?
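
The distinction drawn in the post (the same attempts repeating regularly versus users and domains changing rapidly) written as a check over failed-logon records. This is an added example, not part of the original post; the record fields, sample values, time window and threshold are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

OUR_DOMAIN = "ABC"  # the post's placeholder for the local domain

# Constructed sample records: (timestamp, domain, user, source workstation).
# All values are made up; real ones would come from a Security log export.
SAMPLE = [
    ("2024-03-04 08:02", "XYZ", "jsmith", "LAPTOP-1"),
    ("2024-03-05 08:05", "XYZ", "jsmith", "LAPTOP-1"),
    ("2024-03-06 07:58", "XYZ", "jsmith", "LAPTOP-1"),
    ("2024-03-05 09:30", "TELECOM", "svc", "BOX-2"),
    ("2024-03-06 09:31", "TELECOM", "svc", "BOX-2"),
    ("2024-03-06 02:00", "EFG", "admin", "HOST-9"),
    ("2024-03-06 02:01", "LMNOP", "root", "HOST-9"),
    ("2024-03-06 02:02", "EFG", "guest", "HOST-9"),
    ("2024-03-06 02:03", "XYZ", "test", "HOST-9"),
    ("2024-03-06 10:00", "ABC", "alice", "PC-3"),
]

def triage(records, window=timedelta(minutes=10), max_accounts=3):
    """Label each source of foreign-domain failures 'steady' or 'churning'.

    window and max_accounts are hypothetical thresholds, not recommendations.
    """
    by_source = defaultdict(list)
    for ts, domain, user, source in records:
        if domain.upper() == OUR_DOMAIN:
            continue  # failures for our own domain are a separate question
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        by_source[source].append((when, f"{domain}\\{user}"))
    result = {}
    for source, events in by_source.items():
        events.sort()
        worst = 0
        # Sliding window: most distinct accounts tried within `window`.
        for i, (start, _) in enumerate(events):
            accounts = {acct for t, acct in events[i:] if t - start <= window}
            worst = max(worst, len(accounts))
        result[source] = "churning" if worst > max_accounts else "steady"
    return result

if __name__ == "__main__":
    for source, label in sorted(triage(SAMPLE).items()):
        print(f"{source}: {label}")
```

A source labelled steady matches the pattern of one misconfigured machine retrying the same account; the source workstation field is what ties the failures back to a physical or wireless device.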