ITPro44 asked:
Failure Audit - Event ID 529
Hi,
We run SBS2003 and I have been getting emails that read:
Subject Line: "Account Lockout (Event ID: 539) Alert on SERVER"
I then went to the SBS server to check out the Security event viewer and saw that event ID 539 occurred once but Event ID 529 has been occurring frequently. (See Attached picture for example).
There are multiple event ID 529 instances logged even today. The weird thing is that each event logged notes a different username. If you will notice in picture1 where it says "Username: texas." The other event 529s look the same but all have different usernames, and these usernames are not at all like any valid username. Other examples of invalid usernames that are appearing are: q1w2e3, radio, pizza, piano (see picture 3).
1. What does this mean?
2. Is someone or some virus is making attempts to access our network?
3. Should I be concerned?
4. How can I track down and eliminate the source of this?
Thanks for your help!!
Audit-Failure1.png
Audit-Failure.png
Audi-Failure-2.png
SOLUTION
ASKER
Hey, Thanks for your quick responses.
Dvast8n, I looked at the thread you posted, I also downloaded the ACTools. Unfortunately I do not know how to use them. Can you explain?
Labsy, I am running OWA and this is a good thought. I will look into this.
ASKER
Is this something I should invest my time into researching? I'm not sure if this is even a legitimate risk or not. I would appreciate your advice and thoughts on this.
ASKER CERTIFIED SOLUTION
ADD ON:
After reading my post again, I owe an apology to all people in Tunisia and Nigeria, since I didn't want to be offensive or discriminatory, but was rather speaking figuratively; some known and widespread scams are even called "Nigerian Spam", so I used such a term, too.
SOLUTION
ASKER
Thanks for your responses guys. My plan of action is no action. I do not have time at the moment to pursue what appears to be a minor threat.
I really appreciate the insight both of you have given me!
Thanks!
ASKER
Thanks Gentlemen!
If YES, then this might be some "wannabe hackers" trying to log in to your RWW or OWA, because IIS is configured to use NTLM authentication.
Generally, this error means that some service on your SBS (the source station is always your SBS, right?) is trying to authenticate, but the question is WHO is providing usernames and passwords to this service.
You may try closing your firewall to disable ports 80 and 443 for a day or two and see if the auditing stops. If it stops, you will know that the "attacks" are coming from the internet.
If not, dig further.
Here is also some reading:
http://www.eventid.net/display.asp?eventid=529&eventno=1&source=Security&phase=1
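A way to answer the "WHO is providing the usernames" question from the log itself, rather than only by blocking ports 80 and 443: group the 529 failures by where they came from and count how many different user names each origin tried in a short window. One origin cycling through names that are not real accounts (texas, q1w2e3, radio, pizza, piano) is a password-guessing run; one workstation failing once on a real account is a stale password. The script below is an added example written for this thread, not code from the thread or from the tools mentioned in it. The event records, the host names and addresses, the known-user list and the thresholds (10-minute window, 4 distinct names) are all constructed assumptions; in practice you would feed it the Security log exported as text from Event Viewer. Windows Server 2003 records a "Source Network Address" field in 529 only on later builds, so the code falls back to "Workstation Name" when the address is missing or "-".

```python
"""Summarise Windows Server 2003 Security event 529 (logon failure: unknown
user name or bad password) records and flag origins that look like a
dictionary / password-guessing run.

Added example for the thread above; not code from the thread itself.
Every record, host, address and account name below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<timestamp>|<529 description>" per line, in the wording
# Server 2003 uses. The first five mimic the thread's nonsense names arriving
# from one outside address; the last is a local PC failing once on a real user.
SAMPLE_529_EVENTS = """\
2008-03-04 09:12:01|Logon Failure: Reason: Unknown user name or bad password User Name: texas Domain: SBSDOM Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: - Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 203.0.113.45 Source Port: 3467
2008-03-04 09:12:03|Logon Failure: Reason: Unknown user name or bad password User Name: q1w2e3 Domain: SBSDOM Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: - Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 203.0.113.45 Source Port: 3468
2008-03-04 09:12:05|Logon Failure: Reason: Unknown user name or bad password User Name: radio Domain: SBSDOM Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: - Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 203.0.113.45 Source Port: 3469
2008-03-04 09:12:07|Logon Failure: Reason: Unknown user name or bad password User Name: pizza Domain: SBSDOM Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: - Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 203.0.113.45 Source Port: 3470
2008-03-04 09:12:09|Logon Failure: Reason: Unknown user name or bad password User Name: piano Domain: SBSDOM Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: - Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 203.0.113.45 Source Port: 3471
2008-03-04 10:40:22|Logon Failure: Reason: Unknown user name or bad password User Name: jsmith Domain: SBSDOM Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: RECEPTION-PC Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 192.168.16.25 Source Port: 1187
"""

# Assumed list of real accounts in the domain (constructed for the example).
KNOWN_USERS = {"Administrator", "jsmith", "mjones"}


def _field(body, name):
    """Pull '<name>: <value>' from a 529 description; '-' if absent.
    The first match wins, so 'User Name' is not confused with 'Caller User Name'."""
    m = re.search(rf"{re.escape(name)}:\s+(\S+)", body)
    return m.group(1) if m else "-"


def parse_529(text):
    """Turn exported 529 lines into dicts with the fields the analysis needs."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, body = line.partition("|")
        events.append({
            "time": datetime.strptime(ts.strip(), "%Y-%m-%d %H:%M:%S"),
            "user": _field(body, "User Name"),
            "logon_type": int(_field(body, "Logon Type").rstrip("-") or 0),
            "process": _field(body, "Logon Process"),
            "workstation": _field(body, "Workstation Name"),
            "source": _field(body, "Source Network Address"),
        })
    return events


def find_guessing_sources(events, known_users,
                          window=timedelta(minutes=10), min_distinct=4):
    """Group failures by origin (network address, else workstation name) and
    flag any origin that tries >= min_distinct different names within one
    window where at least that many are not real accounts."""
    known = {u.lower() for u in known_users}
    by_origin = defaultdict(list)
    for ev in events:
        origin = ev["source"] if ev["source"] != "-" else ev["workstation"]
        by_origin[origin].append(ev)

    findings = {}
    for origin, evs in by_origin.items():
        evs.sort(key=lambda e: e["time"])
        # Largest number of distinct names seen in any window starting at an event.
        best = max(
            len({e["user"].lower() for e in evs[i:]
                 if e["time"] - start["time"] <= window})
            for i, start in enumerate(evs)
        )
        unknown = sorted({e["user"].lower() for e in evs} - known)
        findings[origin] = {
            "attempts": len(evs),
            "distinct_users_in_window": best,
            "unknown_users": unknown,
            "logon_types": sorted({e["logon_type"] for e in evs}),
            "logon_processes": sorted({e["process"] for e in evs}),
            "suspicious": best >= min_distinct and len(unknown) >= min_distinct,
        }
    return findings


if __name__ == "__main__":
    for origin, f in find_guessing_sources(parse_529(SAMPLE_529_EVENTS), KNOWN_USERS).items():
        flag = "GUESSING" if f["suspicious"] else "ok"
        print(f"{origin:16} {f['attempts']:3d} attempts, "
              f"{f['distinct_users_in_window']} names/window, "
              f"types {f['logon_types']} via {f['logon_processes']}: {flag}")
```

On the constructed input the outside address is flagged (five unknown names in eight seconds, logon type 3 through NtLmSsp with no workstation name, which is what NTLM arriving through IIS looks like and fits the RWW/OWA hypothesis above), while the reception PC with one failure on a real account is not. Two caveats a practitioner should keep in mind: a guessing run that hits a real account name will drive the 539 lockouts the alert e-mails report, so the "unknown_users" list is worth comparing against real accounts before raising the lockout threshold; and if every 529 carries "-" for both address and workstation, the log alone cannot locate the origin and the firewall test in the answer above is the next step.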