Mysterious login attempts to windows server
Posted
by
Jim Balo
on Server Fault
See other posts from Server Fault
or by Jim Balo
Published on 2012-05-30T21:39:54Z
Indexed on
2012/05/30
22:43 UTC
Read the original article
Hit count: 470
I have a Windows 2008R2 server that is reporting failed login attempts from a number of workstations on our network. Some event log details:
Event ID 4625, Status: 0xc000006d, Sub Status: 0xc0000064
Security ID: NULL SID, Account Name: joedoe, Account Domain: Acme
Workstation Name: WINXP1, Source Network Address: 192.168.1.23, Source Port: 1904
Logon Process: NtLmSsp, Authentication Package: NTLM, Logon Type: 3 (network)
I believe this is coming from some netbios service or similar (maybe the file explorer), keeping an inventory of its network neighborhood and also trying to authenticate.
Is there a way to turn this off without having to turn off file sharing all together? In other words, clients authenticating against file servers that they use is of course no problem, but I want to eliminate clients trying to authenticate to servers that they are not using and have no business with. The above example is only one of thousands of log alerts for similar failed network authentications.
What can I do to clean this up / handle this?
Thanks.
© Server Fault or respective owner