Solved

Failure Audit - Event ID 529

Posted on 2009-05-12
9
911 Views
Last Modified: 2012-05-06
Hi,

We run SBS2003 and I have been getting emails that read:

Subject Line:  "Account Lockout (Event ID: 539) Alert on SERVER"

I then went to the SBS server to check out the Security event viewer and saw that event ID 539 occurred once but Event ID 529 has been occurring frequently.  (See Attached picture for example).

There are multiple event ID 529 instances logged even today.  The wierd thing is that each event logged notes a different username.  If you will notice in picture1 where it says "Username: texas."  The other event 529's look the same but all have different usernames, and these usernames are not at all anything like any valid username.  Other examples of invalid usernames that are appearing are : q1w2e3, radio, pizza, piano (see picture 3)

1. What does this mean?  
2. Is someone or some virus is making attempts to access our network?  
3. Should I be concerned?  
4. How can I track down and eliminate the source of this.

Thanks for your help!!

Audit-Failure1.png
Audit-Failure.png
Audi-Failure-2.png
0
Comment
Question by:ITPro44
  • 4
  • 3
  • 2
9 Comments
 
LVL 6

Assisted Solution

by:dvast8n
dvast8n earned 200 total points
ID: 24369545
0
 
LVL 18

Expert Comment

by:Andrej Pirman
ID: 24369607
Is your SBS opened to the public internet?
If YES, then this might be some "wannabe hackers" to login into your RWW or OWA, because IIS is configured to use NTLM authentication.
Generally, this error means that some service on your SBS (the source station is always your SBS, right?) is trying to authenticate, but question is WHO is providing usernames and passwords to this service.

You may try closing your firewall to disable ports 80 and 443 for a day or two and see, if audit stops. If it stops, you will know that "attacks" are coming from internet.
If not, dig further.

Here is also some readings:
http://www.eventid.net/display.asp?eventid=529&eventno=1&source=Security&phase=1
0
 

Author Comment

by:ITPro44
ID: 24370396
Hey, Thanks for your quick responses.

Dvast8n, I looked at the thread you posted, I also downloaded the ACTools.  Unfortunately I do not know how to use them.  Can you explain?

Labsy, I am running OWA and this is a good thought.  I will look into this.
0
 

Author Comment

by:ITPro44
ID: 24370662
Is this something I should invest my time into researching?  I'm not sure if this is even a legitimate risk or not.  I would appreciate your advice and thoughts on this.
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 18

Accepted Solution

by:
Andrej Pirman earned 300 total points
ID: 24370826
Well...theoretically any attempt to break security rule is to be examined. The only question is who is gonna take care of it - your software or you?
Security measures are in place to do jobs for you and if there are no more than a few attempts to guess the username/password combination and if that's all of hacking there, I beleive you have nothing to worry about.

But on the other hand, just few weeks ago I had security breach in one of healthcare institutions here, 3 servers were sucessfully attacked and hackers got into the system, installing their stuff all around. Fortunatelly, after sucessfully hacking as administrator into my own (locked down) server, and spending whole weekend on it, I managed to put all ends together even before first monday shift.
So, working on preventive measures might save your ass. :)

My suggestion:
- pay attention on frequency of those attempts
- enforce proper password policy on domain users
- inform them of what's going up around, so to alter their attention
- if you look at OWA / IIS logs, you might find related W3SVC log entries and maybe block some "Tunisian" or "Nigerian" IP ranges to get rid of few hackers
0
 
LVL 18

Expert Comment

by:Andrej Pirman
ID: 24370852
ADD ON:
After reading my post again, I owe apologee to all people in Tunisia and Nigeria, since I didn't want to be ofensive or discriminatory, but was rather speaking figurative; some known and wide spread scams are even called "Nigerian Spam", so I used such a term, too.
0
 
LVL 6

Assisted Solution

by:dvast8n
dvast8n earned 200 total points
ID: 24376491
Case,

In response to how to use the tool here's a very good explanation on how to use it.

http://technet.microsoft.com/en-us/library/cc738772(WS.10).aspx

0
 

Author Comment

by:ITPro44
ID: 24390186
Thanks for your responses guys.  My plan of action is no action.  I do not have time at the moment to pursue what appears to be a minor threat.

I really appreciate the insight both of you have given me!

Thanks!
0
 

Author Closing Comment

by:ITPro44
ID: 31580736
Thanks Gentlemen!
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Because virtualization becomes more and more common, and, with Microsoft Hyper-V included in Windows Server at no additional costs, and, most server hardware nowadays is more than capable of running a physical Small Business Server (SBS) 2008 or 201…
On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now