[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now


Failure Audit - Event ID 529

Posted on 2009-05-12
Medium Priority
Last Modified: 2012-05-06

We run SBS2003 and I have been getting emails that read:

Subject Line:  "Account Lockout (Event ID: 539) Alert on SERVER"

I then went to the SBS server to check out the Security event viewer and saw that event ID 539 occurred once but Event ID 529 has been occurring frequently.  (See Attached picture for example).

There are multiple event ID 529 instances logged even today.  The wierd thing is that each event logged notes a different username.  If you will notice in picture1 where it says "Username: texas."  The other event 529's look the same but all have different usernames, and these usernames are not at all anything like any valid username.  Other examples of invalid usernames that are appearing are : q1w2e3, radio, pizza, piano (see picture 3)

1. What does this mean?  
2. Is someone or some virus is making attempts to access our network?  
3. Should I be concerned?  
4. How can I track down and eliminate the source of this.

Thanks for your help!!

Question by:ITPro44
  • 4
  • 3
  • 2

Assisted Solution

dvast8n earned 800 total points
ID: 24369545
LVL 18

Expert Comment

by:Andrej Pirman
ID: 24369607
Is your SBS opened to the public internet?
If YES, then this might be some "wannabe hackers" to login into your RWW or OWA, because IIS is configured to use NTLM authentication.
Generally, this error means that some service on your SBS (the source station is always your SBS, right?) is trying to authenticate, but question is WHO is providing usernames and passwords to this service.

You may try closing your firewall to disable ports 80 and 443 for a day or two and see, if audit stops. If it stops, you will know that "attacks" are coming from internet.
If not, dig further.

Here is also some readings:

Author Comment

ID: 24370396
Hey, Thanks for your quick responses.

Dvast8n, I looked at the thread you posted, I also downloaded the ACTools.  Unfortunately I do not know how to use them.  Can you explain?

Labsy, I am running OWA and this is a good thought.  I will look into this.
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.


Author Comment

ID: 24370662
Is this something I should invest my time into researching?  I'm not sure if this is even a legitimate risk or not.  I would appreciate your advice and thoughts on this.
LVL 18

Accepted Solution

Andrej Pirman earned 1200 total points
ID: 24370826
Well...theoretically any attempt to break security rule is to be examined. The only question is who is gonna take care of it - your software or you?
Security measures are in place to do jobs for you and if there are no more than a few attempts to guess the username/password combination and if that's all of hacking there, I beleive you have nothing to worry about.

But on the other hand, just few weeks ago I had security breach in one of healthcare institutions here, 3 servers were sucessfully attacked and hackers got into the system, installing their stuff all around. Fortunatelly, after sucessfully hacking as administrator into my own (locked down) server, and spending whole weekend on it, I managed to put all ends together even before first monday shift.
So, working on preventive measures might save your ass. :)

My suggestion:
- pay attention on frequency of those attempts
- enforce proper password policy on domain users
- inform them of what's going up around, so to alter their attention
- if you look at OWA / IIS logs, you might find related W3SVC log entries and maybe block some "Tunisian" or "Nigerian" IP ranges to get rid of few hackers
LVL 18

Expert Comment

by:Andrej Pirman
ID: 24370852
After reading my post again, I owe apologee to all people in Tunisia and Nigeria, since I didn't want to be ofensive or discriminatory, but was rather speaking figurative; some known and wide spread scams are even called "Nigerian Spam", so I used such a term, too.

Assisted Solution

dvast8n earned 800 total points
ID: 24376491

In response to how to use the tool here's a very good explanation on how to use it.



Author Comment

ID: 24390186
Thanks for your responses guys.  My plan of action is no action.  I do not have time at the moment to pursue what appears to be a minor threat.

I really appreciate the insight both of you have given me!


Author Closing Comment

ID: 31580736
Thanks Gentlemen!

Featured Post

Configuration Guide and Best Practices

Read the guide to learn how to orchestrate Data ONTAP, create application-consistent backups and enable fast recovery from NetApp storage snapshots. Version 9.5 also contains performance and scalability enhancements to meet the needs of the largest enterprise environments.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you have done a reformat of your hard drive and proceeded to do a successful Windows XP installation, you may notice that a choice between two operating systems when you start up the machine. Here is how to get rid of this: Click Start Clic…
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
Screencast - Getting to Know the Pipeline

872 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question