Link to home
Create AccountLog in
Avatar of Calvin Close
Calvin CloseFlag for United States of America

asked on

Event ID 529 from Outside Network; Do I need to do something?

What is the meaning of this Security Log?

Source Event ID Last Occurrence Total Occurrences
  Security 529 3/4/2008 5:03 AM 25 *
Logon Failure:
  Reason: Unknown user name or bad password
  User Name: administrator
  Domain: <DOMAINNAME>
  Logon Type: 10
  Logon Process: User32
  Authentication Package: Negotiate
  Workstation Name: <SBSSERVERNAME>
  Caller User Name: <SBSSERVERNAME>$
  Caller Domain: <DOMAIN NAME>
  Caller Logon ID: (0x0,0x3E7)
  Caller Process ID: 9844
  Transited Services: -
  Source Network Address: (External IP Address from the Netherlands)
  Source Port: 2542
 
Is this something that I should be concerned about?  If so, what should I do about it?
Avatar of Member_2_49692
Member_2_49692

If you get a bunch of these and do not have clients from the netherlands and your not running an application on port 2542 (which I highly doubt on all of this)

It basically means someone is trying to break into your sever. Most likely with a brute force application and port scanner.

Currently they are trying to connect on port 2542

which according to IANA is
udrawgraph      2542/tcp   uDraw(Graph)
udrawgraph      2542/udp   uDraw(Graph)

They are trying to use the account named Administrator
You should currently have implemented renaming and disabling the default Administrator account and creating a seperate new administrator account (not named administrator) in addition to using a strong password. This will prevent them from getting in through the default Administrator account.

If you have not implemented this I would now.

If you have the IP address you could block it at the firewall. You can also configure the firewall to drop packets for that port unless you do have an application that operates on that port.

Additionally you may want to use a program like Nessus to do a scan on your network systems for vulnerability. This will automatically identify common exploits and patches you may need in addition to incorrectly configured permissions on directories that could compromise your system

http://www.nessus.org
Avatar of Calvin Close

ASKER

Why should you rename AND disable the default Administrator account?
This account has an email address (Administrator@domain.com) that is used for notification by some network programs.
If I disable and create a new account, I can't continue the use of this email address with the new account. Correct?
So, in the mean time, I have renamed the Administrator account to something obscure and changed the password to a strong password.
I installed Nessus and ran it - I'm still going through some of the results.  By the way, should you run the test on localhost, or should you run it on the local SBS IP address?
ASKER CERTIFIED SOLUTION
Avatar of Member_2_49692
Member_2_49692

Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
SOLUTION
Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
I disagree renaming is not sufficient...

you also need to protect your network and have multiple layers of security if you are simply relying on a firewall to prevent unauthorized access and have not hardened your security across the board you leave many holes in your security to be exploited.
Your security is only as good as it's weakest link.

from the above article

"First, the Administrator account on every Windows computer in existence has a similar Security Identifier (SID). The SID is the alpha-numeric character set that is used by the operating system to track the account and grant access to resources. Whether we are talking about the Administrator account in the first Active Directory domain or the account on a Windows 2000 Professional computer, the SID always ends in 500"

"What this provides is an easy target for attackers. Since the SID always ends with 500, they can target the account simply by enumerating the SIDs from Active Directory or the local SAM. This might sound difficult, but tools such as SID2USER and USER2SID have already taken much of the difficulties out of this task for you."