Multiple Log In Attempts on SBiz DC

Discussion in 'Windows Small Business Server' started by Jason V, Dec 3, 2007.

  1. Jason V

    Jason V Guest

    Hi there
    Occasionally I do some administration on a client's Small Biz Server 2003.
    I had been asked to take a look at the server as my account (which I have
    not used in almost a year) is making multiple account logon attempts.
    Below is a sample of what is occurring every 15 minutes or so.

    Successful Network Logon:
    User Name: jason.surname
    Domain: CLIENT DOMAIN
    Logon ID: (0x0,0x794850C)
    Logon Type: 3
    Logon Process: Authz
    Authentication Package: Kerberos
    Workstation Name: SERVER
    Logon GUID: -
    Caller User Name: SERVER$
    Caller Domain: CLIENT DOMAIN
    Caller Logon ID: (0x0,0x3E7)
    Caller Process ID: 936
    Transited Services: -
    Source Network Address: -
    Source Port: -

    I do not run any backups with my username and password and do not have a
    workstation that is running Outlook and making constant connections to the
    Exchange server.

    I have disabled my account and the logons have stopped - now there are
    multiple account failures (occurring around every 15 minutes or so):
    Logon Failure:
    Reason: Account currently disabled
    User Name:
    Domain:
    Logon Type: 3
    Logon Process: Authz
    Authentication Package: Kerberos
    Workstation Name: SERVER
    Caller User Name: SERVER$
    Caller Domain: CLIENT DOMAIN
    Caller Logon ID: (0x0,0x3E7)
    Caller Process ID: 960
    Transited Services: -
    Source Network Address: -
    Source Port:

    There doesn't appear to be anything significant running on the machine and we
    are unsure how long this has been occurring for, as the security logs only go
    back to the 30th of November.

    Any suggestions as to how I would track down what or who is making these logon
    attempts to the server?

    Regards
    Jason
     
    Jason V, Dec 3, 2007
    #1
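The event fields pasted above already narrow the search: the logon is Type 3 (network) through the Authz logon process, the Workstation Name is the server itself, and the caller is SERVER$ in logon session (0x0,0x3E7), which is the well-known SYSTEM logon session. A SYSTEM-level service on the server is therefore presenting the account's credentials on a timer, and the Caller Process ID is the handle for finding it. The script below is an added example, not code from this thread or from Microsoft: it reads the Security log with Windows PowerShell, summarises the events for one account, prints the spacing between consecutive events (a steady gap points at a timer-driven process rather than a person), and maps each Caller Process ID to the process and service that currently own it. It assumes Windows PowerShell with Get-EventLog and Get-WmiObject, a Server 2003-era Security log (pre-Vista event IDs 528/529/531/534/535/538/540/682), and uses a placeholder account name.

```powershell
# Added example, not from the thread. Summarise the Security log entries for one account on a
# Windows Server 2003 / SBS 2003 domain controller and map each "Caller Process ID" to the
# process and service that currently own that PID. Run elevated in Windows PowerShell on the
# server itself; $Account is a placeholder value.
param(
    [string]$Account = 'jason.surname',   # placeholder: the account seen in the events
    [int]$Hours = 24                      # how far back to read
)

# Pre-Vista Security event IDs used by Server 2003:
#   540 successful network logon, 528 other successful logon, 538 logoff,
#   529/531/534/535 logon failures (531 = account disabled), 682 TS session reconnected
$ids = 528, 529, 531, 534, 535, 538, 540, 682

# Logon Type codes as they appear in the event text
$logonTypes = @{ 2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service';
                 7 = 'Unlock'; 8 = 'NetworkCleartext'; 9 = 'NewCredentials';
                 10 = 'RemoteInteractive (Terminal Services / RDP)' }

# Extract one "Name: value" field from an event's message text, e.g. "Caller Process ID: 936".
# The ^\s* anchor keeps "User Name" from also matching "Caller User Name".
function Get-Field([string]$Message, [string]$Name) {
    if ($Message -match "(?m)^\s*$([regex]::Escape($Name)):\s*(.*?)\s*$") { return $Matches[1] }
    return $null
}

$userPattern = "(?im)^\s*User Name:\s*$([regex]::Escape($Account))\s*$"

$events = @(Get-EventLog -LogName Security -After (Get-Date).AddHours(-$Hours) |
    Where-Object { $ids -contains $_.EventID -and $_.Message -match $userPattern } |
    ForEach-Object {
        $lt   = Get-Field $_.Message 'Logon Type'
        $desc = if ($lt -match '^\d+$' -and $logonTypes.ContainsKey([int]$lt)) { "$lt ($($logonTypes[[int]$lt]))" } else { $lt }
        New-Object PSObject -Property @{
            Time        = $_.TimeGenerated
            EventID     = $_.EventID
            LogonType   = $desc
            Process     = Get-Field $_.Message 'Logon Process'
            Workstation = Get-Field $_.Message 'Workstation Name'
            Caller      = Get-Field $_.Message 'Caller User Name'
            CallerLogon = Get-Field $_.Message 'Caller Logon ID'
            CallerPID   = Get-Field $_.Message 'Caller Process ID'
            SourceIP    = Get-Field $_.Message 'Source Network Address'
        }
    } | Sort-Object Time)

$events | Format-Table Time, EventID, LogonType, Process, Workstation, Caller, CallerLogon, CallerPID, SourceIP -AutoSize

# Spacing between consecutive events: a steady gap (the ~15 minutes in the thread) points at a
# timer-driven service or task rather than a person typing a password.
if ($events.Count -gt 1) {
    $gaps = 1..($events.Count - 1) | ForEach-Object {
        [math]::Round(($events[$_].Time - $events[$_ - 1].Time).TotalMinutes, 1)
    }
    "Gaps between events (minutes): " + ($gaps -join ', ')
}

# Caller Logon ID (0x0,0x3E7) is the well-known SYSTEM logon session, so a SYSTEM-level service
# on the server itself is presenting this account's credentials. Map each Caller Process ID to
# the process and the Win32_Service entries hosted in it. PIDs are recycled across restarts, so
# only events generated since the last boot can be mapped reliably.
$events | Where-Object { $_.CallerPID -match '^\d+$' } |
    Select-Object -ExpandProperty CallerPID -Unique | ForEach-Object {
        $callerPid = [int]$_
        $proc = Get-Process -Id $callerPid -ErrorAction SilentlyContinue
        $svcs = Get-WmiObject Win32_Service -Filter "ProcessId=$callerPid" | ForEach-Object { $_.Name }
        $name = if ($proc) { $proc.ProcessName } else { '(not running now)' }
        New-Object PSObject -Property @{
            CallerPID = $callerPid
            Process   = $name
            Services  = ($svcs -join ', ')
        }
    } | Format-Table CallerPID, Process, Services -AutoSize
```

Run it while the events are still being generated: a Caller Process ID from before the last reboot no longer identifies anything, and a svchost.exe PID can host several services, which is why the Win32_Service lookup lists all of them. Once a service name comes back, its Log On As identity and its own configuration store are where the cached credential will be found.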

  2. Hi Jason,

    Thanks for posting in our newsgroup.

    From your description, I know that you did remote administration with your
    account before. Now there are events showing you logging on to the server every 15
    minutes. If that's not right, please don't hesitate to let me know.

    Please let me know the following information to make the situation
    clearer:

    1. How did you do remote administration, with RWW or RDP?
    2. Is your account in the Administrators group?

    Based on my research, please take the following steps to narrow down this
    issue:

    Step 1: Please double-check that you didn't create Scheduled Tasks which log
    on with your credentials.

    1. Open Control Panel and double click Scheduled Task.
    2. Double click each Scheduled Task; on the Task tab, make sure it doesn't
    run as your account.

    Step 2: Please clear the password cache on SBS server and check again.

    1. Click Start\Control Panel\Stored User Names and Passwords.
    2. If you see your credential listed here, please remove it and try again.

    Step 3: The problem occurs when some process or application accesses the
    system with your credentials. Please perform a clean boot to make sure the
    issue is not caused by third-party software.

    1. Click Start->Run...->type msconfig and press Enter.
    2. Click Services tab and select Hide All Microsoft Services and Disable
    All third party Services.
    3. Click Startup tab and Disable All startup items.
    4. Click OK and choose Restart.
    5. After reboot, check whether the problem still occurs.
    6. If there are no more problems, please use the above steps to enable
    services and startup items one by one in order to figure out the root cause
    of this issue.

    Step 4: Please enable your account and then reset password, then monitor if
    the issue will reappear.

    To Reset password, please take the following steps:

    1. Open Server Management and click Users.
    2. Right click the user account and select Reset Password.
    3. Input the new password.

    In addition, please implement strong password policies in your network to
    prevent hackers from accessing your system. To do this:

    Open the Server Management console and navigate to the Users snap-in. In the right
    panel, click "Configure Password Policies". Enable the password policies:

    1. Password must meet minimum length requirements.
    2. Password must meet complexity requirements.
    3. Password must be changed regularly.
    4. Configure password policies: Immediately.

    If the problem persists, please help me collect the following information
    for further research:

    1. Please export the Security Event log on SBS server and email it to me.

    To export the Security event log:

    1) Click Start -> Run, type EVENTVWR.MSC and click OK.
    2) Right click the Security Event, select Save Log File as, save it to .evt
    file.
    3) Email me the file

    2. Let me know the problematic user account.

    Please send the information to with subject:
    41073560-Multiple Log In Attemps on SBiz DC.

    I am looking forward to hearing from you.

    If you need further assistance, please don't hesitate to let me know.

    Best regards,

    Robert Li(MSFT)

    Microsoft CSS Online Newsgroup Support

    Get Secure! - www.microsoft.com/security

    =====================================================

    This newsgroup only focuses on SBS technical issues. If you have issues
    regarding other Microsoft products, you'd better post in the corresponding
    newsgroups so that they can be resolved in an efficient and timely manner.
    You can locate the newsgroup here:
    http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

    When opening a new thread via the web interface, we recommend you check the
    "Notify me of replies" box to receive e-mail notifications when there are
    any updates in your thread. When responding to posts via your newsreader,
    please "Reply to Group" so that others may learn and benefit from your
    issue.

    Microsoft engineers can only focus on one issue per thread. Although we
    provide other information for your reference, we recommend you post
    different incidents in different threads to keep the thread clean. In doing
    so, it will ensure your issues are resolved in a timely manner.

    For urgent issues, you may want to contact Microsoft CSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.

    Any input or comments in this thread are highly appreciated.

    =====================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.

     
    Robert Li [MSFT], Dec 4, 2007
    #2
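Steps 1 through 3 above are click-through checks. As an added example (not code from this thread or from Microsoft), the script below does the same enumeration from one elevated Windows PowerShell session on the server: services whose Log On As identity is the account, scheduled tasks whose Run As User is the account, saved credentials in the current profile's Stored User Names and Passwords store (via cmdkey), and processes currently running as the account. The account name is a placeholder; the script assumes Get-WmiObject, schtasks.exe and cmdkey.exe, all present on Server 2003 and later.

```powershell
# Added example, not from the thread. Find every place on this server where an account is
# configured as a run-as identity, covering the manual checks in Steps 1-3 of the reply above.
# Run elevated in Windows PowerShell on the server itself; $Account is a placeholder value.
param([string]$Account = 'jason.surname')

$pattern = [regex]::Escape($Account)

# 1. Services whose "Log On As" identity is the account (StartName looks like DOMAIN\user,
#    .\user, LocalSystem or NT AUTHORITY\NetworkService)
$services = @(Get-WmiObject Win32_Service |
    Where-Object { $_.StartName -match $pattern } |
    Select-Object Name, StartName, State, PathName)

# 2. Scheduled tasks whose "Run As User" is the account. schtasks verbose CSV output is parsed
#    with ConvertFrom-Csv; newer systems repeat the header row per task folder, so drop those rows.
$tasks = @(schtasks /query /v /fo csv | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Run As User' -match $pattern } |
    Select-Object TaskName, 'Run As User', 'Task To Run', 'Schedule Type')

# 3. Saved credentials in the Stored User Names and Passwords store. The store is per user
#    profile, so this lists only entries for the identity running the script; repeat it as
#    any other account that logs on to the box.
$stored = @(cmdkey /list | Where-Object { $_ -match $pattern })

# 4. Processes running as the account right now (GetOwner returns Domain and User per process)
$procs = @(Get-WmiObject Win32_Process | ForEach-Object {
    $owner = $_.GetOwner()
    if ($owner.ReturnValue -eq 0 -and "$($owner.Domain)\$($owner.User)" -match $pattern) {
        New-Object PSObject -Property @{
            PID = $_.ProcessId; Name = $_.Name
            Owner = "$($owner.Domain)\$($owner.User)"; CommandLine = $_.CommandLine
        }
    }
})

"Account '$Account': $($services.Count) service(s), $($tasks.Count) scheduled task(s), " +
"$($stored.Count) stored credential line(s), $($procs.Count) running process(es)"
$services | Format-Table -AutoSize
$tasks    | Format-Table -AutoSize
$stored
$procs    | Format-Table PID, Name, Owner, CommandLine -AutoSize
```

An empty result from all four lists, as the poster reports later in the thread, means the credential is not held by Windows itself but inside an application's own configuration, which is where the clean-boot step comes in: it isolates the third-party service that still knows the old password.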

  3. Jason V

    Jason V Guest

    Hi Robert
    I have sent the security logs to the email account you've specified along
    with a brief message letting you know where I've got up to with your
    suggestions.

    Thank you very much for your help.
    Regards
    Jason
     
    Jason V, Dec 5, 2007
    #3
  4. From customer's e-mail:

    Hi Robert
    Thanks for your reply.
    Please find attached the security log files - the problematic account is
    Jason.Vassos

    In answer to your questions:
    1.) Remote admin was RDP
    2.) Yes my account belongs to the domain admins account
    3.) There are no stored user passwords on the server - have checked, nothing
    to clear
    4.) I have checked all of the services and none of them attempt to run
    under my old account. Please let me know if you require me to follow this
    step through fully - run msconfig and then disable the Microsoft services -
    I didn't do this as I was unsure if I could remote desktop back in (my only
    way to do admin on the server at the moment - if a console session is
    required I can try and make time to go onsite later this week.)
    5.) I have checked and the scheduled tasks do not run under my disabled
    account

    I have suggested that they use HTTPS OWA instead of RDPing into the server
    to start an Outlook session.
    I have also suggested implementing a VPN and disabling 3389 on the router, as
    it just invites someone to have a crack.

    Thanks again for your - really appreciate it.
    Regards
    Jason Vassos
     
    Robert Li [MSFT], Dec 6, 2007
    #4
  5. Hi Jason,

    Thanks for your reply.

    Based on my research, this issue may be caused by third-party software.
    Please try a clean boot to check. A clean boot will not affect your
    logging on via RDP; it only disables third-party services.

    Note: When running the msconfig command, please click the Services tab and select
    Hide All Microsoft Services and Disable All third party Services, not
    Disable All Microsoft Services.

    I researched your logs and found the following events:

    Event ID: 538
    Date: 12/5/2007
    Time: 4:59:13 PM
    Description:
    User Logoff:
    User Name: Norseld.Jason
    Domain: NORSELD
    Logon ID: (0x0,0x8B6D671)
    Logon Type: 10


    Event ID: 682
    Date: 12/5/2007
    Time: 4:59:02 PM
    Description:
    Session reconnected to winstation:
    User Name: norseld.jason
    Domain: NORSELD
    Logon ID: (0x0,0x8AD8D59)
    Session Name: RDP-Tcp#12
    Client Name: ELITE
    Client Address: x.x.x.x

    Event ID: 682
    Date: 12/5/2007
    Time: 4:59:02 PM

    Session reconnected to winstation:
    User Name: norseld.jason
    Domain: NORSELD
    Logon ID: (0x0,0x8AD8D59)
    Session Name: RDP-Tcp#12
    Client Name: ELITE
    Client Address: x.x.x.x

    All the user names are Norseld.Jason, not the Jason.surname as you said in
    the post. Logon Type is 10, which shows a user logged on to this computer
    remotely using Terminal Services or a Remote Desktop connection.

    Please let me know if you RDP to the server with username Norseld.Jason. If
    not, please reset the password for Norseld.Jason and try again. Also check
    whether x.x.x.x is the IP address of your workstation.

    Based on my experience, the RPC over HTTP for Outlook and RDP features will
    not cause potential network risk and are not the root cause of this issue.
    So it's not recommended to disable them.

    I am looking forward to hearing from you.

    If you need further assistance, please don't hesitate to let me know.

    Best regards,

    Robert Li(MSFT)

    Microsoft CSS Online Newsgroup Support

    Get Secure! - www.microsoft.com/security

     
    Robert Li [MSFT], Dec 6, 2007
    #5
  6. Hi Jason,

    Thanks for your reply.

    After you performed a clean boot, the event didn't appear again. It seems the
    problem is caused by third-party software. You can arrange time to disable
    the Trend Micro software to see if the problem disappears. If so, we can
    narrow it down to Trend Micro as the root cause. On how to remove your older
    account information in Trend Micro, since that's a third-party product,
    please contact the manufacturer for more help. Thanks for your understanding.

    If you need further assistance, please don't hesitate to let me know.

    Best regards,

    Robert Li(MSFT)

    Microsoft CSS Online Newsgroup Support

    Get Secure! - www.microsoft.com/security

     
    Robert Li [MSFT], Dec 7, 2007
    #6
  7. Hi Jason,

    I'd like to make a summary for this post:

    Problem: You did remote administration with your account before. Recently
    there were events showing you logging on to the server every 15 minutes.

    Cause: The problem is caused by the third-party software Trend Micro.

    Solution: Remove your older account information in Trend Micro.

    For future postings, I would like to list the following information as a
    guideline when submitting new posts in the future. This information will
    help us to understand the issue and situation more quickly. Thank you!

    1. Has the server/client/product ever worked?
    2. If so, what changed?
    3. What service packs and updates were applied?
    4. What are the steps to reproduce the problem?
    5. Does it happen the same way on any other systems?
    6. Please provide the exact error message with any screenshots, if possible.

    If you need any assistance in the future, please feel free to post in our
    newsgroup.

    Best regards,

    Robert Li(MSFT)

    Microsoft CSS Online Newsgroup Support

    Get Secure! - www.microsoft.com/security

    =====================================================

    This newsgroup only focuses on SBS technical issues. If you have issues
    regarding other Microsoft products, you'd better post in the corresponding
    newsgroups so that they can be resolved in an efficient and timely manner.
    You can locate the newsgroup here:
    http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

    When opening a new thread via the web interface, we recommend you check the
    "Notify me of replies" box to receive e-mail notifications when there are
    any updates in your thread. When responding to posts via your newsreader,
    please "Reply to Group" so that others may learn and benefit from your
    issue.

    Microsoft engineers can only focus on one issue per thread. Although we
    provide other information for your reference, we recommend you post
    different incidents in different threads to keep the thread clean. In doing
    so, it will ensure your issues are resolved in a timely manner.

    For urgent issues, you may want to contact Microsoft CSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.

    Any input or comments in this thread are highly appreciated.

    =====================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.

    --------------------
    <X-Tomcat-ID: 103831957
    <References: <>
    <>
    <>
    <>
    <>
    <MIME-Version: 1.0
    <Content-Type: text/plain
    <Content-Transfer-Encoding: 7bit
    <From: (Robert Li [MSFT])
    <Organization: Microsoft
    <Date: Fri, 07 Dec 2007 11:26:29 GMT
    <Subject: RE: Multiple Log In Attemps on SBiz DC
    <X-Tomcat-NG: microsoft.public.windows.server.sbs
    <Message-ID: <>
    <Newsgroups: microsoft.public.windows.server.sbs
    <Lines: 211
    <Path: TK2MSFTNGHUB02.phx.gbl
    <Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.sbs:80599
    <NNTP-Posting-Host: tomcatimport2.phx.gbl 10.201.218.182
    <
    <Hi Jason,
    <
    <Thanks for your reply.
    <
    <After your made clean boot, the event didn't appear again. It seems the
    <problem is caused by third party software. You can arrange time to disable
    <Trend Micro software to see if the problem will disappear. It so, we can
    <narrow down Trend Micro is the root cause. On how to remove your older
    <account information in Trend Micro, since that's third party product,
    <please contact the manufacture for more help. Thanks for your
    understanding.
    <
    <If you need further assistance, please don't hesitate to let me know.
    <
    <Best regards,
    <
    <Robert Li(MSFT)
    <
    <Microsoft CSS Online Newsgroup Support
    <
    <Get Secure! - www.microsoft.com/security
    <
    <=====================================================
    <
    <This newsgroup only focuses on SBS technical issues. If you have issues
    <regarding other Microsoft products, you'd better post in the corresponding
    <newsgroups so that they can be resolved in an efficient and timely manner.
    <You can locate the newsgroup here:
    <http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
    <
    <When opening a new thread via the web interface, we recommend you check
    the
    <"Notify me of replies" box to receive e-mail notifications when there are
    <any updates in your thread. When responding to posts via your newsreader,
    <please "Reply to Group" so that others may learn and benefit from your
    <issue.
    <
    <Microsoft engineers can only focus on one issue per thread. Although we
    <provide other information for your reference, we recommend you post
    <different incidents in different threads to keep the thread clean. In
    doing
    <so, it will ensure your issues are resolved in a timely manner.
    <
    <For urgent issues, you may want to contact Microsoft CSS directly. Please
    <check http://support.microsoft.com for regional support phone numbers.
    <
    <Any input or comments in this thread are highly appreciated.
    <
    <=====================================================
    <
    <This posting is provided "AS IS" with no warranties, and confers no rights.
    <
    <--------------------
    <<X-Tomcat-ID: 33757588
    <<References: <>
    <<>
    <<>
    <<>
    <<MIME-Version: 1.0
    <<Content-Type: text/plain
    <<Content-Transfer-Encoding: 7bit
    <<From: (Robert Li [MSFT])
    <<Organization: Microsoft
    <<Date: Thu, 06 Dec 2007 03:34:19 GMT
    <<Subject: RE: Multiple Log In Attemps on SBiz DC
    <<X-Tomcat-NG: microsoft.public.windows.server.sbs
    <<Message-ID: <>
    <<Newsgroups: microsoft.public.windows.server.sbs
    <<Lines: 135
    <<Path: TK2MSFTNGHUB02.phx.gbl
    <<Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.sbs:80338
    <<NNTP-Posting-Host: TOMCATIMPORT1 10.201.218.122
    <<
    <<Hi Jason,
    <<
    <<Thanks for your reply.
    <<
    <<Based on my research, this issue may be caused by third party software.
    <<Please try a clean boot to have check. Clean boot will not affect you
    <<logging on via RDP, it only disable third party services.
    <<
    <<Note: When run the msconfig command, please click Services tab and select
    <<Hide All Microsoft Services and Disable All third party Services, not
    <<disabling All Microsoft Services.
    <<
    <<I researched your logs and found the following events:
    <<
    <<Event ID: 538
    <<Date: 12/5/2007
    <<Time: 4:59:13 PM
    <<Description:
    <<User Logoff:
    << User Name: Norseld.Jason
    << Domain: NORSELD
    << Logon ID: (0x0,0x8B6D671)
    << Logon Type: 10
    <<
    <<
    <<Event ID: 682
    <<Date: 12/5/2007
    <<Time: 4:59:02 PM
    <<Description:
    <<Session reconnected to winstation:
    << User Name: norseld.jason
    << Domain: NORSELD
    << Logon ID: (0x0,0x8AD8D59)
    << Session Name: RDP-Tcp#12
    << Client Name: ELITE
    << Client Address: x.x.x.x
    <<
    <<Event ID: 682
    <<Date: 12/5/2007
    <<Time: 4:59:02 PM
    <<
    <<Session reconnected to winstation:
    << User Name: norseld.jason
    << Domain: NORSELD
    << Logon ID: (0x0,0x8AD8D59)
    << Session Name: RDP-Tcp#12
    << Client Name: ELITE
    << Client Address: x.x.x.x
    <<
    <<All the user names are Norseld.Jason, not the Jason.surname as you said
    <<in the post. Logon Type is 10, which shows a user logged on to this
    <<computer remotely using Terminal Services or a Remote Desktop connection.
    <<
    <<Please let me know if you RDP to the server with the username
    <<Norseld.Jason. If not, please reset the password for Norseld.Jason and try
    <<again. Also check whether x.x.x.x is the IP address of your workstation.
    <<
    <<Based on my experience, RPC over HTTP for Outlook and the RDP feature
    <<will not cause a potential network risk and are not the root cause of
    <<this issue, so it is not recommended to disable them.
    <<
    <<I am looking forward to hearing from you.
    <<
    <<If you need further assistance, please don't hesitate to let me know.
    <<
    <<Best regards,
    <<
    <<Robert Li(MSFT)
    <<
    <<Microsoft CSS Online Newsgroup Support
    <<
    <<Get Secure! - www.microsoft.com/security
    <<
    <<--------------------
    <<<From: (Robert Li [MSFT])
    <<<Organization: Microsoft
    <<<Date: Thu, 06 Dec 2007 02:36:47 GMT
    <<<Subject: RE: Multiple Log In Attemps on SBiz DC
    <<<Newsgroups: microsoft.public.windows.server.sbs
    <<<
    <<<From customer's e-mail:
    <<<
    <<<Hi Robert
    <<<Thanks for your reply.
    <<<Please find attached the security log files -the problematic account is
    <<<Jason.Vassos
    <<<
    <<<In answer to your questions:
    <<<1.) Remote admin was RDP
    <<<2.) Yes my account belongs to the domain admins account
    <<<3.) There are no stored user passwords on the server - have checked,
    <<<nothing to clear
    <<<4.) I have checked all of the services and none of them attempt to run
    <<<under my old account. Please let me know if you require me to follow this
    <<<step through fully - run msconfig and then disable the Microsoft services -
    <<<I didn't do this as I was unsure if I could remote desktop back in (my
    <<<only way to do admin on the server at the moment - if a console session
    <<<is required I can try and make time to go onsite later this week.)
    <<<5.) I have checked and the scheduled tasks do not run under my disabled
    <<<account
    <<<
    <<<I have suggested that they use HTTPS OWA instead of RDPing into the
    <<<server to start an Outlook session.
    <<<I have also suggested implementing a VPN and disabling 3389 on the router,
    <<<as it just invites someone to have a crack.
    <<<
    <<<Thanks again for your - really appreciate it.
    <<<Regards
    <<<Jason Vassos
    <<<
    Robert Li [MSFT], Dec 13, 2007
    #7
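A way to pin down what is behind events like the ones quoted above, as an added example that is not part of the thread or of Microsoft's reply: the Python below parses Security-log records in the text layout shown in this thread, groups logon and logon-failure events by account, logon type, logon process and Caller Process ID, and reports the groups that recur on a fixed interval, together with the client host and address behind each RDP reconnect (event 682). The sample records are constructed and trimmed to the fields the code uses; 540, 682 and 531 are the Windows Server 2003 event IDs for "Successful Network Logon", "Session reconnected to winstation" and "Logon Failure: Account currently disabled", and 192.0.2.10 is a documentation address standing in for the thread's x.x.x.x.

```python
"""Cadence and caller analysis of Security-log records in the text form quoted above."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample records (not the poster's export), trimmed to the fields
# used below.  540 = Successful Network Logon, 682 = Session reconnected to
# winstation, 531 = Logon Failure: account currently disabled (Server 2003 IDs).
# 192.0.2.10 is a documentation address standing in for the thread's x.x.x.x.
NETWORK_LOGON = """\
Event ID: 540
Date: 12/5/2007
Time: {}
Successful Network Logon:
 User Name: norseld.jason
 Logon Type: 3
 Logon Process: Authz
 Caller User Name: SERVER$
 Caller Process ID: 936
"""
RDP_RECONNECT = """\
Event ID: 682
Date: 12/5/2007
Time: 4:59:02 PM
Session reconnected to winstation:
 User Name: norseld.jason
 Session Name: RDP-Tcp#12
 Client Name: ELITE
 Client Address: 192.0.2.10
"""
DISABLED_FAILURE = """\
Event ID: 531
Date: 12/5/2007
Time: {}
Logon Failure:
 Reason: Account currently disabled
 User Name:
 Logon Type: 3
 Logon Process: Authz
 Caller User Name: SERVER$
 Caller Process ID: 960
"""
SAMPLE_LOG = ("".join(NETWORK_LOGON.format(t) for t in ("4:00:02 PM", "4:15:04 PM", "4:30:02 PM"))
              + RDP_RECONNECT
              + "".join(DISABLED_FAILURE.format(t) for t in ("5:00:03 PM", "5:15:02 PM")))


def parse_records(text):
    """Split an event-log text export on 'Event ID:' lines into one dict each.
    The first value-less 'Something:' line of a record is its summary; later
    value-less lines (the blank 'User Name:' in a failure) are empty fields."""
    records = []
    for chunk in re.split(r"(?m)^(?=Event ID:)", text):
        if not chunk.strip():
            continue
        rec = {}
        for line in chunk.splitlines():
            key, _, value = line.strip().partition(":")
            if not key:
                continue
            if not value.strip() and "Summary" not in rec:
                rec["Summary"] = key
            else:
                rec[key] = value.strip()
        rec["when"] = datetime.strptime(rec["Date"] + " " + rec["Time"], "%m/%d/%Y %I:%M:%S %p")
        records.append(rec)
    return records


def periodic_logons(records, min_count=3, jitter_s=60):
    """Group logon and logon-failure events by (account, logon type, logon
    process, caller PID) and return the groups that recur on a fixed interval.
    A person does not log on every 15 minutes to the second; a service,
    scheduled task or agent does, and the caller PID says which one."""
    stamps = defaultdict(list)
    for rec in records:
        if "Logon Type" in rec:
            key = (rec.get("User Name") or "(blank)", rec["Logon Type"],
                   rec.get("Logon Process", "-"), rec.get("Caller Process ID", "-"))
            stamps[key].append(rec["when"])
    hits = []
    for key, times in stamps.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_count and max(abs(g - median(gaps)) for g in gaps) <= jitter_s:
            hits.append((key, len(times), median(gaps)))
    return hits


def rdp_sources(records):
    """Client host and address behind each RDP reconnect (event 682)."""
    return sorted({(r["User Name"], r["Client Name"], r["Client Address"])
                   for r in records if r.get("Summary") == "Session reconnected to winstation"})


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for key, n, gap in periodic_logons(recs):
        print(f"{n} x {key} every {gap / 60:.1f} min -> identify PID {key[3]} on the server")
    for user, host, addr in rdp_sources(recs):
        print(f"RDP reconnect for {user} from {host} ({addr})")
```

The Caller Process ID in a type 3 Authz logon is the PID of the process on SERVER that requested the logon, so the next step is `tasklist /svc /fi "PID eq 936"` on the server while the events are still being written (PIDs are reassigned after a reboot), which names the service or scheduled task behind the 15-minute cadence. The type 10 reconnects from ELITE are the interactive RDP sessions and are a separate population from those scheduled type 3 logons.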