Event ID 529 - possible hack attempt?

Posted on 2006-05-24
Last Modified: 2013-12-04
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      Administrator
       Domain:            ****
       Logon Type:      8
       Logon Process:      IIS    
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      CLOMAIL
       Caller User Name:      CLOMAIL$
       Caller Domain:      ****
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      608
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -

There are about 1000 of these spread over a half-hour period yesterday. I have since implemented tight account locking policies, but I would still like to know if this was a hack attempt or a system password mismatch.
Question by: 5t34lth_G33k
    LVL 12

    Accepted Solution

    Account locking policies do not apply to the "Administrator" account.  Unlimited attempts can be made to guess this password regardless of any locking policy.  To prevent such attacks it is recommended that the "Administrator" account is renamed.
    LVL 7

    Author Comment

    I had originally disabled the administrator account and created an alternative admin account with all the same privileges, but it fell over when I was trying to take GC ownership on a temporary DC. Seems it only likes the administrator account to do that. I will do what you suggest!
    LVL 32

    Expert Comment

    Also, by picking a sufficiently long password for Administrator, you can pretty much foil such attempts.
    LVL 7

    Author Comment

    Thanks for your suggestion - it's actually already quite strong, so I'm hoping our friendly neighbourhood hacker wasn't successful in his attempts.

    Just to check - is there anywhere I can check to see if this really was a hack attempt? Does Windows store the IP address of a terminal trying to authenticate?
    LVL 12

    Expert Comment

    The IP address is not logged by Windows.  The only possible way to record such IP addresses would be if you have a firewall with logging enabled.
    LVL 7

    Author Comment

    That sounds like a whole other question - I will award points to you gidds99, since you answered the original question and provided tips on how to avoid it in the future.
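
One way to check exported 529 events for the pattern in the question (about 1000 failures for one account within half an hour), as an added example that is not part of the original thread. The `(timestamp, description)` input shape, the thresholds and the `jsmith` account are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Windows logon type codes; type 8 is a network logon with a cleartext password.
LOGON_TYPES = {"2": "Interactive", "3": "Network", "4": "Batch", "5": "Service",
               "7": "Unlock", "8": "NetworkCleartext", "10": "RemoteInteractive"}
FIELD_RE = re.compile(r"^[ \t]*([A-Za-z ]+?):[ \t]*(.*?)[ \t]*$", re.M)

# Constructed sample modelled on the event in the question.
SAMPLE = """Logon Failure:
    User Name:          Administrator
    Logon Type:         8
    Logon Process:      IIS
    Workstation Name:   CLOMAIL
"""

def parse_529(description):
    """Turn the 'Field: value' lines of a 529 description into a dict."""
    return dict(FIELD_RE.findall(description))

def find_bursts(events, window=timedelta(minutes=30), threshold=100):
    """events: (datetime, description) pairs -> [(key, peak, first, last)]."""
    by_key = defaultdict(list)
    for ts, text in events:
        f = parse_529(text)
        ltype = f.get("Logon Type", "?")
        key = (f.get("User Name", "?").lower(),
               LOGON_TYPES.get(ltype, ltype), f.get("Logon Process", "?"))
        by_key[key].append(ts)
    bursts = []
    for key, stamps in by_key.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)   # most failures in any window
        if peak >= threshold:
            bursts.append((key, peak, stamps[0], stamps[-1]))
    return bursts

def constructed_events():
    # Constructed data: 1000 Administrator failures inside 30 minutes, 3 strays.
    t0 = datetime(2006, 5, 23, 14, 0, 0)
    burst = [(t0 + timedelta(milliseconds=1800 * i), SAMPLE) for i in range(1000)]
    other = SAMPLE.replace("Administrator", "jsmith")
    return burst + [(t0 + timedelta(hours=h), other) for h in (1, 5, 9)]
```

Calling `find_bursts(constructed_events())` reports only the Administrator / NetworkCleartext / IIS group; the three scattered `jsmith` failures stay below the threshold.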
