A little bit of 529's

wehuberconsultingllc.com » Blog Archive » A little bit of 529’s

wehuberconsultingllc.com » Blog Archive » A little bit of 529’s — Thu, 27 Dec 2007 18:46:15 GMT

Pingback from wehuberconsultingllc.com » Blog Archive » A little bit of 529’s

re: A little bit of 529's

Ryan O'Dwyer — Sat, 08 Dec 2007 01:45:00 GMT

you can turn off authentication on the SMTP Instance, thus disabling the AUTH verbs for any external smtp access(for those not using 3rd party filtering), therefore disabling anyone attempting to send authenticated email. Everyone I know uses OWA/RWW, no need to leave authentication turned on for things that noone uses.

One of the ways to show IP access is view the WWW(\windows\system32\logs\w3svc) logs, but if you use windows mobile push email, then your www logs get filled with the phone access.

re: A little bit of 529's

Boon Tee — Sat, 01 Dec 2007 04:06:08 GMT

I've done this for most of my servers, except that I don't check the success audit box.

Every so often, more so, in the past few months, I get a batch of 30-50 attempts in the space of a few minutes on a server with various usernames, but no IP address. Often, the Logon Process is Advapi.

The most common is the off and on single attempt as per above Advapi process, and username Webmaster. I see a few of these every day on various servers.

It's hard to look through the lot of emails carefully when there are 190 such emails in your inbox, as there were this morning.

Conversely, is there a way to check a normal RWW or OWA login attempt (success or not) and gather the IP information. I have been trying to figure out what event ID is logged.