Help, is someone really trying to access network from disabled acct?

By nance459 ·
Can you please help me figure out why I am getting the following error message for network login failure where the login shows a disabled guest account? First some background, I am running a Dell d830 with Vista ultimate and have all passwords for web on smartcard, encrypt all slightly personal data on the computer using ntfs, and all extremely important data is kept on external hard drive. I am logging in under regular user acct (using a fingerprint scanner in conjunction with my smartcard to validate both bios and windows login). For internet access I am using a wireless router with firewall and am not broadcasting sid, using wep-psk with tkip, and use mac filtering for the two laptops that connect in my household. I am running a firewall, spamblocker, virus checker on the computers also. I have renamed the guest account and disabled it and turned off anonymous access and denied network access to both the guest and anonymous users, denied local access to the guest account, and do not use sharing and disabled all administrative shares. I have run the Microsoft baseline analyzer and it gives me a clean bill--all updates applied and unnecessary services turned off. Can anyone tell me why yesterday I got the audit failure for the guest account? I have had the computer up only since 7-1-08.
Here is the message:
Audit Failure 8/5/2008 10:08:04 AM Microsoft Windows security auditing. 4625 Logon
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 8/5/2008 10:08:04 AM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: (name of my computer)
Description:
An account failed to log on.

Subject:
Security ID: (PC-name)\(my login acct name)
Account Name: (my login acct)
Account Domain: (pc-name)
Logon ID: 0x73489

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: (guest acct name)
Account Domain: (pc name)

Failure Information:
Failure Reason: Account currently disabled.
Status: 0xc000006e
Sub Status: 0xc0000072

Process Information:
Caller Process ID: 0xe44
Caller Process Name: C:\Windows\explorer.exe

Network Information:
Workstation Name: (pc name)
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

All Answers

My guess

by -Q-240248 In reply to Help, is someone really t ...

It looks like it's coming from your machine. So maybe someone's trying to logon to that account from your machine? What happens at that time? Do you have a service or program under that username trying to run?
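
An added example (not part of the thread and not any poster's code) that reads the fields of the posted 4625 event to separate what failed, for which account, and whether a remote source was recorded. The names PC1, alice and renamed_guest are constructed placeholders for the redacted values, and the "local" rule used here (no source address plus a named caller process) is a triage assumption, not an official test.

```python
# Constructed sample: key fields of the posted event, placeholder names for redacted values.
SAMPLE_EVENT = """Subject:
Account Name: alice

Logon Type: 3

Account For Which Logon Failed:
Account Name: renamed_guest

Failure Information:
Status: 0xc000006e
Sub Status: 0xc0000072

Process Information:
Caller Process Name: C:\\Windows\\explorer.exe

Network Information:
Source Network Address: -
"""
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock", 10: "RemoteInteractive"}
NTSTATUS = {0xC000006E: "STATUS_ACCOUNT_RESTRICTION", 0xC0000072: "STATUS_ACCOUNT_DISABLED",
            0xC000006D: "STATUS_LOGON_FAILURE", 0xC000006A: "STATUS_WRONG_PASSWORD"}
LOCAL_SOURCES = {"-", "", "127.0.0.1", "::1"}  # assumption: no remote address was recorded

def parse_4625(text):
    """Parse an event description into {section: {field: value}}; '' holds top-level fields."""
    event, section = {"": {}}, ""
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:                    # blank or free-text line ends the current section
            section = ""
        elif not value.strip():        # "Subject:" style header opens a section
            section = key.strip()
            event.setdefault(section, {})
        else:                          # "Field: value" (value may itself contain ':')
            event[section][key.strip()] = value.strip()
    return event

def assess(event):
    """Decode what failed, for which account, and whether a remote source was recorded."""
    fail = event.get("Failure Information", {})
    src = event.get("Network Information", {}).get("Source Network Address", "-")
    caller = event.get("Process Information", {}).get("Caller Process Name", "-")
    code = lambda name: NTSTATUS.get(int(fail.get(name, "0"), 16), "unknown")
    return {"logon_type": LOGON_TYPES.get(int(event[""].get("Logon Type", 0)), "Unknown"),
            "status": code("Status"), "sub_status": code("Sub Status"),
            "requested_by": event.get("Subject", {}).get("Account Name"),
            "target": event.get("Account For Which Logon Failed", {}).get("Account Name"),
            "caller": caller,
            "origin": "local" if src in LOCAL_SOURCES and caller != "-" else "remote or unknown"}
```

For the posted event this yields a Network-type logon requested by the logged-on user's own explorer.exe session, rejected with STATUS_ACCOUNT_DISABLED, with no remote source address recorded.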

Thanks, great questions.

by nance459 In reply to My guess

I was reading my email, logged in on my non-administrator acct, and the mouse started acting as if I wasn't controlling it. I was not trying to open any attachment etc, just logged into my normal email and reading (I do not allow HTML on any email until I know it is safe). I didn't have any other programs running, just IE and normal boot items--I quickly shut down my internet connection and looked at the logs and saw the security message.


There are no programs set up to run under the guest acct--I tend to not allow automatic scans etc as I like to do all computers at same time and as my schedule varies it doesn't make sense to schedule something that won't run.

BTW it is only my husband and I @ the home, but he just happened to be at work when this happened. (He has his own laptop anyway)

I had a similar incident happen in June, where on 4 occasions at unrelated times this occurred-- I purchased the computer in November and began having the suspicious logins in June (I hadn't added any new programs since January). By the end of June, after trying to locate why it started, I decided to do a clean install and get rid of any junk that might have caused it... I only have purchased software on the machine.

Maybe a ghost was doing it. LOL

I am still confused.

This may help to explain it

by Jacky Howe In reply to Help, is someone really t ...

Windows Security Log Event ID 4625

http://www.ultimatewindowssecurity.com/wiki/SecurityLogEventID4625.ashx

Thanks

by nance459 In reply to This may help to explain ...

Thanks, I have a similar document but that would have been great info. I still just can't quite figure out how it would have occurred. I could understand more if I was doing something or I saw it occur all the time. Lately I only use the computer to access my yahoo group and/or for email.

Where were you at that moment in time ? ...

by OldER Mycroft In reply to Help, is someone really t ...

What were you doing on this network at that point in time?
Assuming this Guest account is on YOUR machine it couldn't be accessed if you were sitting there, logged into another account.

Why did you build all this security around an unused account?
Why not just get shot of it?

What was I doing

by nance459 In reply to Where were you at that mo ...

I appreciate the suggestion. First here's what I was doing... I was reading my email, logged in on my non-administrator acct, and the mouse started acting as if I wasn't controlling it. I was not trying to open any attachment etc, just logged into my normal email and reading (I do not allow HTML on any email so that also couldn't be it). I didn't have any other programs running, just IE and normal boot items--There are no programs set up to run under this acct nor were there any programs scheduled to run. In any case, those have been set up to use my user or admin acct.
I quickly shut down my internet connection and looked at the logs and saw the security message. BTW it is only my husband and I @ the home, but he just happened to be at work when this happened. (He has his own laptop anyway or a desktop he can access)

As for your suggestion of getting rid of the account, thanks, that would appear to be a solution-- I was taught long ago that implicit denial is usually greater security for a computer and it allows for tracking events. By getting rid of the account you can leave a gaping hole in your defense, by leaving it you can control it by DACL: "Creating a proper discretionary access control list (DACL) is a necessary and important part of application development. Because a NULL DACL permits all types of access to all users, do not use NULL DACLs." http://msdn.microsoft.com/en-us/library/ms717798(VS.85).aspx
or "In NT, the Guest account lets people log on to an NT computer when they don't have a personal account defined on the computer, in the computer's domain, or in any of the domains that the computer's domain trusts. Like the Administrator account, the Guest account is a built-in account with a fixed SID; although you can rename the account, it can't--by default--be deleted. Unlike the Administrator account, the Guest account doesn't require a password for logon, which is why it's disabled by default."

http://www.windowsitsecurity.com/article/articleid/24054/deleting-the-nt-guest-account.html
