Learn how to a build a cloud-first strategyRegister Now


Event ID 529 - possible hack attempt?

Posted on 2006-05-24
Medium Priority
Last Modified: 2013-12-04
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      Administrator
       Domain:            ****
       Logon Type:      8
       Logon Process:      IIS    
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      CLOMAIL
       Caller User Name:      CLOMAIL$
       Caller Domain:      ****
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      608
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -

There are about 1000 of these spread over a half-hour peiod yesterday. I have since implemented tight account locking policies, but I would still like to know if this was a hack attempt or a system password mis-match
Question by:5t34lth_G33k
  • 3
  • 2
LVL 12

Accepted Solution

gidds99 earned 1000 total points
ID: 16750162
Account locking policies do not apply to the "Administrator" account.  Unlimited attempts can be made to guess this password regardless of any locking policy.  To prevent such attacks it is recommended that the "Administrator" account is renamed.

Author Comment

ID: 16750233
I had originally disabled the administrator account and created an alternative admin account with all the same privellages, but it fell over when I was trying to take GC ownership on a temporary DC. Seems it only likes the administrator account to do that. I will do what you suggest!
LVL 32

Expert Comment

ID: 16751483
Also, by picking a sufficiently long password for Administrator, you can pretty much foil such attempts.
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Author Comment

ID: 16751576
Thanks for your suggestion - its actually already quite strong, so Im hoping our friendly neighbourhood hacker wasnt successful in his attmepts.

Just to check - is there anywhere I can check to see if this really was a hack attempt? Does Windows store the IP address of a terminal trying to authenticate?
LVL 12

Expert Comment

ID: 16751726
The IP address is not logged by Windows.  The only possible way to record such IP addresses would be if you have a firewall with logging enabled.

Author Comment

ID: 16751894
that sounds like a whole other question - I will award points to you gidds99, since you answered the original question and provided tips on how to avoid it in the future.

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Users of Windows 10 Professional can disable automatic reboots using the policy editor. This tool is not included in the Windows home edition. But don't worry! Follow the instructions below to install (a Win7) policy editor on your Windows 10 Home e…
OfficeMate Freezes on login or does not load after login credentials are input.
Integration Management Part 2
Whether it be Exchange Server Crash Issues, Dirty Shutdown Errors or Failed to mount error, Stellar Phoenix Mailbox Exchange Recovery has always got your back. With the help of its easy to understand user interface and 3 simple steps recovery proced…
Suggested Courses
Course of the Month21 days, 3 hours left to enroll

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question