Asked By Bruce Sanderson
31-Jul-08 10:05 PM
From Performance Monitor's Explain text for the Server, Error Logon
are being used to crack the security on the server.".
From what I can tell from experimenting, this reports the number of attempts to connect to a
resource provided by the "Server" service (e.g. a folder share) that failed (was rejected) becuase
of incorrect credentials send from the client. Logons failures via RDP don't seem to be counted by
this counter. This counter does not appear to related to the time interval displayed in Performance
Monitor's graph, but rather the number reported since the OS was restarted.
A few would be normal, but if you are seeing the value increase rapidly, this could indicate some
kind of automated "attack" attempt.
--
Bruce Sanderson
http://members.shaw.ca/bsanders/
It's perfectly useless to know the right answer to the wrong question.