Event ID 529 - possible hack attempt?

Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      Administrator
       Domain:            ****
       Logon Type:      8
       Logon Process:      IIS    
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      CLOMAIL
       Caller User Name:      CLOMAIL$
       Caller Domain:      ****
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      608
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -

There are about 1000 of these spread over a half-hour period yesterday. I have since implemented tight account locking policies, but I would still like to know if this was a hack attempt or a system password mismatch.
gidds99 Commented:
Account locking policies do not apply to the "Administrator" account.  Unlimited attempts can be made to guess this password regardless of any locking policy.  To prevent such attacks it is recommended that the "Administrator" account is renamed.
5t34lth_G33k (Author) Commented:
I had originally disabled the administrator account and created an alternative admin account with all the same privileges, but it fell over when I was trying to take GC ownership on a temporary DC. Seems it only likes the administrator account to do that. I will do what you suggest!
Also, by picking a sufficiently long password for Administrator, you can pretty much foil such attempts.
5t34lth_G33k (Author) Commented:
Thanks for your suggestion - it's actually already quite strong, so I'm hoping our friendly neighbourhood hacker wasn't successful in his attempts.

Just to check - is there anywhere I can check to see if this really was a hack attempt? Does Windows store the IP address of a terminal trying to authenticate?
The IP address is not logged by Windows.  The only possible way to record such IP addresses would be if you have a firewall with logging enabled.
5t34lth_G33k (Author) Commented:
That sounds like a whole other question - I will award points to you gidds99, since you answered the original question and provided tips on how to avoid it in the future.
Question has a verified solution.
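
An added example, not part of the original thread: one way to tell a guessing burst from an occasional stale password is to count Event 529 failures per account in a sliding window and to group them by Logon Type and Logon Process (type 8 is a network cleartext logon, here handed over by IIS). It assumes the events were exported as text in the layout quoted in the question, each preceded by a `Time:` line; that header, the function names and the sample data are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# "Key: value" lines as laid out in the event text quoted in the question.
FIELD = re.compile(r"^[ \t]*([A-Za-z ]+?):[ \t]*(.*?)[ \t]*$", re.M)

def parse_events(text):
    """Split an export on the assumed 'Time:' header; one field dict per event."""
    events = []
    for block in re.split(r"(?m)^(?=Time:)", text):
        fields = {k.strip(): v for k, v in FIELD.findall(block)}
        if "Time" in fields and "User Name" in fields:
            fields["Time"] = datetime.strptime(fields["Time"], "%Y-%m-%d %H:%M:%S")
            events.append(fields)
    return events

def find_bursts(events, window=timedelta(minutes=30), threshold=20):
    """Return {account: peak failure count in any window} for noisy accounts."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["User Name"].lower()].append(e["Time"])
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged

def origins(events):
    """Count failures per (Logon Type, Logon Process) to see which service relayed them."""
    return Counter((e.get("Logon Type"), e.get("Logon Process")) for e in events)

def sample_export():
    """Constructed data: 40 Administrator failures via IIS, 2 unrelated ones."""
    def event(ts, user, ltype, proc):
        return (f"Time: {ts}\nLogon Failure:\n"
                f"       Reason:            Unknown user name or bad password\n"
                f"       User Name:      {user}\n"
                f"       Logon Type:      {ltype}\n"
                f"       Logon Process:      {proc}    \n")
    base = datetime(2005, 1, 10, 14, 0, 0)
    rows = [event(base + timedelta(seconds=30 * i), "Administrator", 8, "IIS") for i in range(40)]
    rows += [event(base + timedelta(hours=h), "jsmith", 2, "User32") for h in (1, 5)]
    return "".join(rows)

if __name__ == "__main__":
    evts = parse_events(sample_export())
    print(find_bursts(evts), origins(evts).most_common(1))
```

A steady stream against one account through a single logon process points to guessing or a misconfigured client retrying; isolated failures spread over hours and logon types look like ordinary typos.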
