How to identify source of logon failure in security event log?

ITJam

MIS
Nov 25, 2002
70
US
We have been getting frequent logon failures in our Security Event Log. Administrator is the user name, but other names have also been used (including mine). The domain name changes also, but it's not ours. Logon type is 3 (have no idea what that is). Several attempts have been made within the last 5 days. Is someone trying to hack in, and how do I track this activity? This is an NT4 SP6, Exchange Server 5.5. Any help would be appreciated. Thanks in advance!
 
First of all, Logon type 3 is: Network logon - network mapping (net use/net view).
Check if someone is using your or the administrator's ID to map drives on the server and may be putting in the wrong passwords. You can verify it easily by checking Event Viewer.

For info on Security Event Descriptions, check this site:

Security Event Descriptions

Aslam
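
Added example, not part of the original thread: once the failed-logon descriptions have been exported from the Security log as text, grouping the Logon type 3 failures by workstation name and domain shows which machines the attempts come from and which user names each one tried. The export layout, the field labels parsed and the sample records are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")

def _rec(user, domain, ltype, ws):
    # Constructed record: "Field: value" lines (the export layout is an assumption).
    return (f"Logon Failure:\n\tReason: Unknown user name or bad password\n"
            f"\tUser Name: {user}\n\tDomain: {domain}\n"
            f"\tLogon Type: {ltype}\n\tWorkstation Name: {ws}\n")

SAMPLE = "\n".join(_rec(*r) for r in [            # constructed sample data
    ("Administrator", "WORKGROUP", 3, r"\\HOST-A"),
    ("itjam",         "WORKGROUP", 3, r"\\HOST-A"),
    ("Administrator", "OTHERDOM",  3, r"\\HOST-B"),
    ("Administrator", "WORKGROUP", 3, r"\\host-a"),
    ("Administrator", "OURDOMAIN", 2, r"\\SERVER"),  # type 2 = interactive, ignored
])

def parse_records(text):
    """Split on blank lines; turn each block into a dict of lower-cased fields."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD.match(line)
            if m and m.group(2):                  # skips the "Logon Failure:" header
                fields[m.group(1).strip().lower()] = m.group(2)
        if fields:
            records.append(fields)
    return records

def summarize(text):
    """Count Logon Type 3 failures per (workstation, domain), busiest first."""
    sources = defaultdict(lambda: {"count": 0, "users": set()})
    for r in parse_records(text):
        if r.get("logon type") != "3":
            continue
        ws = r.get("workstation name", "").lstrip("\\").upper() or "(blank)"
        src = sources[(ws, r.get("domain", "").upper())]
        src["count"] += 1
        src["users"].add(r.get("user name", "").lower())
    rows = [(k, v["count"], sorted(v["users"])) for k, v in sources.items()]
    return sorted(rows, key=lambda row: -row[1])

if __name__ == "__main__":
    for (ws, dom), count, users in summarize(SAMPLE):
        print(f"{ws:10} {dom:10} {count:3}  {', '.join(users)}")
```

Workstation names are normalized (leading backslashes stripped, upper-cased) so that `\\HOST-A` and `\\host-a` count as one source.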
 
You can also capture network traffic from a local area network using Microsoft's Network Monitor. It's a service that you can add. This will give you the IP address of the "intruder" (although I don't know how much good that'll do ya). The best way to prevent this is to install a firewall.

MJ
 