What does it mean logs on NT Security event viewer?

Posted on 2001-06-17
Last Modified: 2010-04-11

    I have a server NT4 SP6, I always monitor my NT security event viewer.  I just wondering sometimes I always received a security log type: "failure Audit"
Event ID: 529
  Logon Failure:
  Reason: Unknown user name or bad password
  User name: DENIS HAWES
  domain: CHAMBERS
  logon Type: 3
  logon process:  KSecDD
  Authentication package:
  Workstation Name: \\ DENIS

   What does it means?  All the information above the user, domain & workstation name are all irrelevant and does not exist on our network. We don't have firewall but according to our ISP they have. Is it okey?
   We are connected via modem 56KBPS to our local ISP.
  Please help.
Question by:bubana
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2

Expert Comment

ID: 6202363
It means someone tried to login to your server using this information.  If your server has NTFS-protected directories (i.e., if the security does not provide open access for the "Everyone" group), when a user tries to access anything on the server, NT will issue a challenge/response, i.e., a logon dialog box will appear.  If the user fills in something, they will either be authenticated to access the resource they requested, or they will be denied (if their credentials do not match those of an authorized user).

Since this user is providing quite a bit of information here, I would suggest this is probably an error, rather than an attempt to hack your network.

However, if this recurs, I would suggest you evaluate your security, particularly the idea of having a firewall.  Better that you should be in control, rather than depending upon an ISP for protection.

You might ask your ISP if the domain and user make any sense to them.  There is a small possibility that this is one of their employees who is inadvertantly attempting to do something which points them to your network.

LVL 12

Accepted Solution

Housenet earned 5 total points
ID: 6204769
bubana I would interprite this as an attempt to gain access to your server..
-To test if your ISP is trully "protecting" your server...try this simple test..
1. Connect online with the 56k modem.. Get  your IP from the connection info after connected.. Say its
2. From a seperate connection (a friend on a different ISP would be ideal)... Ask him to see what happens when he tries to type this from run \\  (anything happen?)
3. tell him to try from an NT at the cmd prompt
net use \\\c$ /User:Administrator (Does it ask to supply the password?)
-If either of these tests ask for credentials or passwords then your ISP is not doing jack for you in terms of protection because the netbios ports 135-139 are open...
-If you give me your IP while you're online & these ports are open I can give you, your domain name, server name, all acounts, services, shares, probably the passwords for several of the accounts as well... Would you like to try it ?

Author Comment

ID: 6204803

   I have a Follow up question,  via what way the hacker enters to our network? Our setup here is a dial-up connection 56kbps to our ISP in order to access internet.  My modem configures as dial-out only.  I forgot to tell you sometimes i got a logged user name as "anonymous" on category "logon/logoff" successfully without any username & domain info.  It does means they are log successfully to our domain without valid username domain authentication?
   What are network resources of ours this hackers access?
   Thanks for the information.
Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  


Expert Comment

ID: 6206221
The Anonymous logon means someone has accessed a resource on your network.

If you are truly concerned about what is being done, I would suggest you audit access to all files.  This can be processor intensive, but it will tell you who is accessing what.

Does your network have Win95/98 machines on it?  Is everyone using the network required to have a valid logon id?  Are all the directories/sites on your web server configured to deny anonymous access (or, more specifically, not to allow it)?

NT is not terribly secure unless you make it so.  By default, the Everyone group is granted access to resources with Full Control.  This represents a great security risk, and you would be advised to pick up some information on NT security (there are whitepapers and books available which will help).

Sometimes, however, it is not that someone is trying to do something malicious, just that the configuration of the server makes it appear so.

Wish I could be more assistance.

LVL 12

Expert Comment

ID: 6208968
-So banana, hows it going with your problem >?

Author Comment

ID: 6213031

        working fine. I mean network still up and running.
The command you gave me got a syntax problem, I can't figure it out.  
        Thanks for your effort partner.
LVL 12

Expert Comment

ID: 6214282
-What command ?

Author Comment

ID: 6223145

   This command:

net use \\\c$ /User:Administrator (Does it ask to supply the password?)

  I changed Ip to our IP's domain name.  It flash an error "system error 67 has occurred.  The network name cannot be found"  What does it mean? Syntax error?
LVL 12

Expert Comment

ID: 6223148
bubana thats a good sign.. It means that the netbios ports are probably blocked & your ISP is really doing as they say..

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Many of you may be aware of the recent Google Docs scam emails that have been floating around coming from various people that you know. Here's a guide on identifying How To Identify the Scam Email You will see an email from someone you’ve had co…
Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Suggested Courses

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question