SBS 2003 R2 - Event 529 - Failed Login attempts from external IP

Posted on 2007-10-18
Last Modified: 2013-12-04

Running Windows SBS 2003 R2 with RWW and OWA enabled through relevant Port Forwards on our external Hardware Firewall.

Last night came across the following Event ID entries, with 35 entries logged under Event ID 529:-

"Logon Failure:
       Reason:      Unknown user name or bad password
       User Name:      administrator
       Domain:      OURDOMAIN
       Logon Type:      10
       Logon Process:      User32
       Authentication Package:      Negotiate
       Workstation Name:      OURSERVER
       Caller User Name:      OURSERVER$
       Caller Domain:      OURDOMAIN
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      7172
       Transited Services:      -
       Source Network Address:
       Source Port:      11791"

Whilst I'm familiar with Event 529 errors, this is the first I've come across from an external IP address.

The address seems to nslookup to a host in Germany, definitely not one of our workers then!

I'm unfamiliar with Source Port 11791 though.

Two questions:-

1. Is this an unauthorised user trying to login via Remote Web Workplace?
2. If so - is there anything I can do to harden up the security to prevent hack attempts like this in future?

Any suggestions appreciated.


Richard Tubb.
Question by: netlinkrtubb
    LVL 15

    Accepted Solution

    quote from

    When you access a computer through Terminal Services, Remote Desktop or Remote Assistance, Windows logs the logon attempt with logon type 10, which makes it easy to distinguish true console logons from a remote desktop session. Note however that prior to XP, Windows 2000 doesn't use logon type 10 and terminal services logons are reported as logon type 2.

    Hope this helps.

    Author Comment

    Thanks Mark.

    Neglected to mention that I'd read that same article just before posting - but thanks for posting it anyway. :-)

    Presumably this logon attempt is somebody either attempting to access the SBS 2003 server directly by TS (Port 3389 is forwarded on our Firewall) - or by logging in through RWW then?


    Richard Tubb.

    Author Comment

    Had another spate of login attempts overnight, this time from a different IP address using common logon names such as "user", "administrator", "swpupd", "besadmin", etc.

    My question is - how can I harden off RWW to prevent against these attempts (or should I just accept them as a matter of fact) - and is there any way to block future attempts from the unauthorised IP addresses that are attempting to access RWW?


    Richard Tubb.

    Author Comment

    Once again, another spate of logon attempts from the same IP address.

    I've taken the step of going into IIS Manager on SBS 2003, and adding the IP address in question to the list of "Denied" addresses for RWW.

    Can anybody suggest whether this would be the best course of action?


    Richard Tubb.

    Author Comment

    Another spate of attacks today, from a new IP address, probing the usernames "admin" and "Administrator".

    I've subsequently added that IP address to the Denied addresses for the RWW Virtual Web-Site in IIS Manager, but am curious to find out whether there is a more pro-active way of stopping these types of attacks.


    Richard Tubb.
    LVL 2

    Assisted Solution

    I've been dealing with similar login attempts on some SBS 2003 Servers with Login Type 3, which can come from the RWW initial login screen, or from SMTP attack.  I've been referred to RWW-Guard from Scorpion Software, which adds two factor authentication to RWW:
    Another option is Auth-Anvil from the same company:

    I was hoping to find a solution to block login after multiple failed attempts, but have not discovered a solution as of yet.
    Syscom Digital Technologies, LLC.

    Author Comment

    Thanks for the posts all.

    The unauthorised login attempts (Type 10) I was encountering were as a result of Port 3389 (Terminal Services) being unnecessarily open. Now I've closed off this port, the login attempts have dropped substantially.

    Going forwards, Scott's suggestion of two factor authentication for RWW is a good one - Auth-Anvil has some high recommendations from what I've read.

    After a couple of months of observation, I'm seeing very few Login Type 3 attempts now - so it would seem locking down Port 3389 and a strong password policy are the best first steps to take if you're experiencing this same issue.


    Richard Tubb.
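
A way to triage these events offline, as an added example that is not part of the original thread: it parses Event 529 descriptions in the layout quoted in the question, groups failures by source address and logon type, and flags sources that either repeat often or cycle through several usernames. The sample records, the documentation-range addresses, and the `min_count`/`min_users` thresholds are assumptions made for the example.

```python
from collections import defaultdict

# Logon types discussed in the thread: 10 = Terminal Services / Remote Desktop,
# 3 = network logon (RWW login page or SMTP, per the posts), 2 = console.
CHANNELS = {"2": "interactive", "3": "network", "10": "remote-interactive"}

def parse_529(text):
    """Turn one Event 529 description into a dict of field name -> value."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def summarise(records, min_count=5, min_users=3):
    """Group failures by (source, logon type); flag bursts and username guessing."""
    groups = defaultdict(lambda: {"count": 0, "users": set()})
    for rec in records:
        ev = parse_529(rec)
        # An empty address field (as in the quoted event) is kept as its own group.
        src = ev.get("Source Network Address") or "(not recorded)"
        g = groups[(src, ev.get("Logon Type", "?"))]
        g["count"] += 1
        g["users"].add(ev.get("User Name", "").lower())
    return [{"source": src, "logon_type": lt, "channel": CHANNELS.get(lt, "other"),
             "count": g["count"], "users": sorted(g["users"]),
             "flag": g["count"] >= min_count or len(g["users"]) >= min_users}
            for (src, lt), g in sorted(groups.items())]

def make_record(user, logon_type, src):
    """Constructed sample in the layout of the event quoted in the question."""
    return ("Logon Failure:\n"
            "\tReason:\tUnknown user name or bad password\n"
            f"\tUser Name:\t{user}\n\tDomain:\tOURDOMAIN\n"
            f"\tLogon Type:\t{logon_type}\n"
            f"\tSource Network Address:\t{src}\n\tSource Port:\t11791\n")

# Constructed data: documentation-range addresses, usernames taken from the thread.
SAMPLE = ([make_record(u, "10", "203.0.113.45")
           for u in ("user", "administrator", "swpupd", "besadmin")]
          + [make_record("admin", "3", "198.51.100.7"),
             make_record("Administrator", "10", "")])

if __name__ == "__main__":
    for row in summarise(SAMPLE):
        print(row)
```

Flagged rows with logon type 10 point at the forwarded Terminal Services port, while type 3 rows point at the RWW login page or SMTP, which is the distinction the thread relies on when deciding what to close or deny.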
