Failure Audit - Event ID 529

Posted on 2009-05-12
Last Modified: 2012-05-06

We run SBS2003 and I have been getting emails that read:

Subject Line:  "Account Lockout (Event ID: 539) Alert on SERVER"

I then went to the SBS server to check out the Security event viewer and saw that event ID 539 occurred once but Event ID 529 has been occurring frequently.  (See Attached picture for example).

There are multiple event ID 529 instances logged even today.  The wierd thing is that each event logged notes a different username.  If you will notice in picture1 where it says "Username: texas."  The other event 529's look the same but all have different usernames, and these usernames are not at all anything like any valid username.  Other examples of invalid usernames that are appearing are : q1w2e3, radio, pizza, piano (see picture 3)

1. What does this mean?  
2. Is someone or some virus is making attempts to access our network?  
3. Should I be concerned?  
4. How can I track down and eliminate the source of this.

Thanks for your help!!

Question by:ITPro44
  • 4
  • 3
  • 2

Assisted Solution

dvast8n earned 200 total points
ID: 24369545
LVL 18

Expert Comment

by:Andrej Pirman
ID: 24369607
Is your SBS opened to the public internet?
If YES, then this might be some "wannabe hackers" to login into your RWW or OWA, because IIS is configured to use NTLM authentication.
Generally, this error means that some service on your SBS (the source station is always your SBS, right?) is trying to authenticate, but question is WHO is providing usernames and passwords to this service.

You may try closing your firewall to disable ports 80 and 443 for a day or two and see, if audit stops. If it stops, you will know that "attacks" are coming from internet.
If not, dig further.

Here is also some readings:

Author Comment

ID: 24370396
Hey, Thanks for your quick responses.

Dvast8n, I looked at the thread you posted, I also downloaded the ACTools.  Unfortunately I do not know how to use them.  Can you explain?

Labsy, I am running OWA and this is a good thought.  I will look into this.
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.


Author Comment

ID: 24370662
Is this something I should invest my time into researching?  I'm not sure if this is even a legitimate risk or not.  I would appreciate your advice and thoughts on this.
LVL 18

Accepted Solution

Andrej Pirman earned 300 total points
ID: 24370826
Well...theoretically any attempt to break security rule is to be examined. The only question is who is gonna take care of it - your software or you?
Security measures are in place to do jobs for you and if there are no more than a few attempts to guess the username/password combination and if that's all of hacking there, I beleive you have nothing to worry about.

But on the other hand, just few weeks ago I had security breach in one of healthcare institutions here, 3 servers were sucessfully attacked and hackers got into the system, installing their stuff all around. Fortunatelly, after sucessfully hacking as administrator into my own (locked down) server, and spending whole weekend on it, I managed to put all ends together even before first monday shift.
So, working on preventive measures might save your ass. :)

My suggestion:
- pay attention on frequency of those attempts
- enforce proper password policy on domain users
- inform them of what's going up around, so to alter their attention
- if you look at OWA / IIS logs, you might find related W3SVC log entries and maybe block some "Tunisian" or "Nigerian" IP ranges to get rid of few hackers
LVL 18

Expert Comment

by:Andrej Pirman
ID: 24370852
After reading my post again, I owe apologee to all people in Tunisia and Nigeria, since I didn't want to be ofensive or discriminatory, but was rather speaking figurative; some known and wide spread scams are even called "Nigerian Spam", so I used such a term, too.

Assisted Solution

dvast8n earned 200 total points
ID: 24376491

In response to how to use the tool here's a very good explanation on how to use it.


Author Comment

ID: 24390186
Thanks for your responses guys.  My plan of action is no action.  I do not have time at the moment to pursue what appears to be a minor threat.

I really appreciate the insight both of you have given me!


Author Closing Comment

ID: 31580736
Thanks Gentlemen!

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Available cert SBS2008 for L2TP /IPSec 4 63
Group Policies not being applied 12 75
Set time on server to sync with the internet clock 22 90
Cannot take ownership of a folder 8 46
Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
Learn about cloud computing and its benefits for small business owners.
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…

832 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question