Solved

SBS Security Event: Failure Audit - How do I track source?

Posted on 2009-04-15
Last Modified: 2013-12-04
Hi Guys,

Every so often one of the SBS Servers we manage reports a series of failure audits (around 10-30 at a time). The usernames which appear are generally not in AD (so it makes me think it's some sort of dictionary attack?). As shown in the example event below, there is no indication of source IP or port (Caller Process ID seems to vary).

A bit of background on the server:

It is an SBS 2k3 R2 server (behind a SonicWall) with the latest Microsoft updates (as of the beginning of April) and has only got RDP, SMTP and SSL being forwarded to it.

Can anyone provide me some advice on how to pinpoint where this attack is coming from? And what the attacker is trying to exploit?

***EXAMPLE***

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            <DATE>
Time:            <TIME>
User:            NT AUTHORITY\SYSTEM
Computer:      <SBS SERVER NAME>
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      <SERIES OF INVALID USER NAMES>
       Domain:            
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      <SBS SERVER NAME>
       Caller User Name:      <SBS SERVER NAME>$
       Caller Domain:      <DOMAIN NAME>
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      2868
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Thanking you all in advance for any assistance provided.
Question by:sa1ntx
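
A triage sketch for the event quoted in the question, added here as an example and not part of the original thread: it parses exported Event ID 529 text and groups the failures by Caller Process ID. It assumes, as an interpretation the thread does not state, that Logon Process Advapi with the server's own name as workstation and no source address means a process on the server made the logon call; the sample records and the names `parse_events` and `triage` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the event quoted above; the server name,
# user names, times, PIDs and the 192.0.2.15 address are made up.
TEMPLATE = """Event ID:      529
Date:            4/14/2009
Time:            {time}
Computer:      SBS01
       User Name:      {user}
       Logon Process:      {proc}
       Workstation Name:      {wks}
       Caller Process ID:      {pid}
       Source Network Address:      {addr}
"""
ROWS = [("02:11:07", "admin1", "Advapi  ", "SBS01", 2868, "-"),
        ("02:11:09", "test", "Advapi  ", "SBS01", 2868, "-"),
        ("02:40:31", "guest1", "NtLmSsp ", "WKSTN7", 612, "192.0.2.15")]
SAMPLE = "\n".join(TEMPLATE.format(time=t, user=u, proc=p, wks=w, pid=i, addr=a)
                   for t, u, p, w, i, a in ROWS)

FIELD = re.compile(r"^\s*([A-Za-z ]+?):[ \t]*(.*?)\s*$")

def parse_events(text):
    """Return one dict of 'Field: value' pairs per Event ID 529 record."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        ev = dict(m.groups() for m in map(FIELD.match, chunk.splitlines()) if m)
        if ev.get("Event ID") == "529":
            events.append(ev)
    return events

def triage(events):
    """Group failures by Caller Process ID and mark groups raised on the server."""
    groups = defaultdict(lambda: {"users": [], "times": [], "local_caller": True})
    for ev in events:
        g = groups[ev["Caller Process ID"]]
        g["users"].append(ev["User Name"])
        g["times"].append(ev["Date"] + " " + ev["Time"])
        # Assumption: Advapi + the server's own workstation name + no source
        # address means a process on the server made the logon call.
        g["local_caller"] &= (ev["Logon Process"] == "Advapi"
                              and ev["Workstation Name"] == ev["Computer"]
                              and ev["Source Network Address"] == "-")
    return dict(groups)

if __name__ == "__main__":
    for pid, g in triage(parse_events(SAMPLE)).items():
        print(pid, g["local_caller"], g["times"][0], g["times"][-1], g["users"])
```

A group marked as a local caller points at a process on the server; `tasklist /svc` lists PIDs with their hosted services while that process is still running. That service's own log for the same timestamps is where a client address would appear.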

Accepted Solution

by: bbao
Hi sa1ntx,

Have you ever reviewed this KB?

Kerberos Event ID: 529 is logged when you use a local user account to verify security access or group membership on a Windows Server 2003-based Kerberos client
http://support.microsoft.com/kb/890477

Hope it helps,
bbao

Author Closing Comment

by: sa1ntx
Hi bbao, thanks for providing some assistance. It doesn't appear that the MS article resolves the issue we are currently having. However, since no one else has provided any assistance, I'm awarding the points to you.

I'm actually going to log a ticket with Microsoft and see if they can provide information on how to troubleshoot these types of errors.

Thanks again mate.