Mysterious login attempts to windows server

Posted by Jim Balo on Server Fault See other posts from Server Fault or by Jim Balo
Published on 2012-05-30T21:39:54Z Indexed on 2012/05/30 22:43 UTC
Read the original article Hit count: 470

I have a Windows 2008R2 server that is reporting failed login attempts from a number of workstations on our network. Some event log details:

Event ID 4625, Status: 0xc000006d, Sub Status: 0xc0000064
Security ID: NULL SID, Account Name: joedoe, Account Domain: Acme
Workstation Name: WINXP1, Source Network Address: 192.168.1.23, Source Port: 1904
Logon Process: NtLmSsp, Authentication Package: NTLM, Logon Type: 3 (network)

I believe this is coming from some netbios service or similar (maybe the file explorer), keeping an inventory of its network neighborhood and also trying to authenticate.

Is there a way to turn this off without having to turn off file sharing all together? In other words, clients authenticating against file servers that they use is of course no problem, but I want to eliminate clients trying to authenticate to servers that they are not using and have no business with. The above example is only one of thousands of log alerts for similar failed network authentications.

What can I do to clean this up / handle this?

Thanks.

© Server Fault or respective owner

Related posts about Windows

Related posts about security