Failure Audit - Event ID 529

Posted on 2009-05-12
Last Modified: 2012-05-06

We run SBS2003 and I have been getting emails that read:

Subject Line:  "Account Lockout (Event ID: 539) Alert on SERVER"

I then went to the SBS server to check out the Security event viewer and saw that event ID 539 occurred once but Event ID 529 has been occurring frequently.  (See Attached picture for example).

There are multiple event ID 529 instances logged even today.  The wierd thing is that each event logged notes a different username.  If you will notice in picture1 where it says "Username: texas."  The other event 529's look the same but all have different usernames, and these usernames are not at all anything like any valid username.  Other examples of invalid usernames that are appearing are : q1w2e3, radio, pizza, piano (see picture 3)

1. What does this mean?  
2. Is someone or some virus is making attempts to access our network?  
3. Should I be concerned?  
4. How can I track down and eliminate the source of this.

Thanks for your help!!

Question by:ITPro44
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2

Assisted Solution

dvast8n earned 200 total points
ID: 24369545
LVL 18

Expert Comment

by:Andrej Pirman
ID: 24369607
Is your SBS opened to the public internet?
If YES, then this might be some "wannabe hackers" to login into your RWW or OWA, because IIS is configured to use NTLM authentication.
Generally, this error means that some service on your SBS (the source station is always your SBS, right?) is trying to authenticate, but question is WHO is providing usernames and passwords to this service.

You may try closing your firewall to disable ports 80 and 443 for a day or two and see, if audit stops. If it stops, you will know that "attacks" are coming from internet.
If not, dig further.

Here is also some readings:

Author Comment

ID: 24370396
Hey, Thanks for your quick responses.

Dvast8n, I looked at the thread you posted, I also downloaded the ACTools.  Unfortunately I do not know how to use them.  Can you explain?

Labsy, I am running OWA and this is a good thought.  I will look into this.
Comparison of Amazon Drive, Google Drive, OneDrive

What is Best for Backup: Amazon Drive, Google Drive or MS OneDrive? In this free whitepaper we look at their performance, pricing, and platform availability to help you decide which cloud drive is right for your situation. Download and read the results of our testing for free!


Author Comment

ID: 24370662
Is this something I should invest my time into researching?  I'm not sure if this is even a legitimate risk or not.  I would appreciate your advice and thoughts on this.
LVL 18

Accepted Solution

Andrej Pirman earned 300 total points
ID: 24370826
Well...theoretically any attempt to break security rule is to be examined. The only question is who is gonna take care of it - your software or you?
Security measures are in place to do jobs for you and if there are no more than a few attempts to guess the username/password combination and if that's all of hacking there, I beleive you have nothing to worry about.

But on the other hand, just few weeks ago I had security breach in one of healthcare institutions here, 3 servers were sucessfully attacked and hackers got into the system, installing their stuff all around. Fortunatelly, after sucessfully hacking as administrator into my own (locked down) server, and spending whole weekend on it, I managed to put all ends together even before first monday shift.
So, working on preventive measures might save your ass. :)

My suggestion:
- pay attention on frequency of those attempts
- enforce proper password policy on domain users
- inform them of what's going up around, so to alter their attention
- if you look at OWA / IIS logs, you might find related W3SVC log entries and maybe block some "Tunisian" or "Nigerian" IP ranges to get rid of few hackers
LVL 18

Expert Comment

by:Andrej Pirman
ID: 24370852
After reading my post again, I owe apologee to all people in Tunisia and Nigeria, since I didn't want to be ofensive or discriminatory, but was rather speaking figurative; some known and wide spread scams are even called "Nigerian Spam", so I used such a term, too.

Assisted Solution

dvast8n earned 200 total points
ID: 24376491

In response to how to use the tool here's a very good explanation on how to use it.


Author Comment

ID: 24390186
Thanks for your responses guys.  My plan of action is no action.  I do not have time at the moment to pursue what appears to be a minor threat.

I really appreciate the insight both of you have given me!


Author Closing Comment

ID: 31580736
Thanks Gentlemen!

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you have done a reformat of your hard drive and proceeded to do a successful Windows XP installation, you may notice that a choice between two operating systems when you start up the machine. Here is how to get rid of this: Click Start Clic…
When you start your Windows 10 PC and got an "Operating system not found" error or just saw  "Auto repair for startup" or a blinking cursor with black screen. A loop for Auto repair will start but fix nothing.  You will be panic as there are no back…
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question