NT Security Question

[Joe Scuderi]

Hello NT Security Gurus,
Anyone know what actually causes failed remote logons in the security log
of the Event Viewer on my NT4.0 server? What could these people be doing to
generate the message below? If this is a remote logon, what program do they
use to attempt a log on? Did they just specify my domain on their Windows
logon screen? Are they trying to map a drive, telnet? Is this a hacker or
something else?

Thanks for clues,

Joe

Logon Failure:
Reason: Unknown user name or bad password
User Name: SZBLAH
Domain: SOMEDOMAIN
Logon Type: 3
the method of logon. (i.e. 2 for normal logon, 3 for remote)

Logon Process: KSecDD
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: \\BLORT

[Adam Getchell]

This seems to be just what it says it is: either you don't have a user
named SZBLAH on your domain in your SAM database or they entered an
incorrect password.

Anytime they connect to a resource on your domain pass-through
authentication is invoked. That is, the credentials issued by your local
NT security manager is passed via impersonation to your domain
controller. If the domain controller okays the permissions on the
impersonated account, they get access. If not, access denied, and you
get an audit entry for failed logon.

So, in short, connecting to a drive would cause the message below.