Solved

Failure Audit - Event ID 529

Posted on 2009-05-12
Medium Priority
923 Views
Last Modified: 2012-05-06
Hi,

We run SBS2003 and I have been getting emails that read:

Subject Line:  "Account Lockout (Event ID: 539) Alert on SERVER"

I then went to the SBS server to check out the Security event viewer and saw that event ID 539 occurred once but Event ID 529 has been occurring frequently.  (See Attached picture for example).

There are multiple event ID 529 instances logged even today.  The weird thing is that each event logged notes a different username.  If you will notice in picture1 where it says "Username: texas."  The other event 529's look the same but all have different usernames, and these usernames are not at all anything like any valid username.  Other examples of invalid usernames that are appearing are: q1w2e3, radio, pizza, piano (see picture 3)

1. What does this mean?  
2. Is someone or some virus making attempts to access our network?  
3. Should I be concerned?  
4. How can I track down and eliminate the source of this?

Thanks for your help!!

Audit-Failure1.png
Audit-Failure.png
Audi-Failure-2.png
0
Question by:ITPro44
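An added example, not the poster's data or any tool from the thread: a short Python script that summarises exported event ID 529 records so you can tell a user's mistyped password apart from the pattern the question describes (a run of failures for names that match no real account). The export format (one pipe-separated line per event, in the column order shown in the comment), the sample records and the KNOWN_USERS account list are all constructed assumptions.

```python
"""Summarise Security-log event ID 529 (logon failure: unknown user name or bad
password) records, to separate a user's typo from a dictionary-style guessing
run of the kind the question describes (texas, q1w2e3, radio, pizza, piano ...).

Example code added to this thread, not the poster's data or tool.  Assumptions:
the records were exported from Event Viewer as one pipe-separated line each, in
the column order shown below, and KNOWN_USERS is the domain's real account list.
"""
from collections import Counter
from datetime import datetime

# Constructed sample export; not real entries from the poster's server.
# time|event_id|user_name|domain|logon_type|workstation|source_ip
SAMPLE_EXPORT = """\
2009-05-12 08:01:05|529|texas|SERVER|3|SERVER|-
2009-05-12 08:01:07|529|q1w2e3|SERVER|3|SERVER|-
2009-05-12 08:01:09|529|radio|SERVER|3|SERVER|-
2009-05-12 08:01:11|529|pizza|SERVER|3|SERVER|-
2009-05-12 08:01:13|529|piano|SERVER|3|SERVER|-
2009-05-12 08:15:40|529|jsmith|SERVER|2|WS-FRONTDESK|-
2009-05-12 08:40:02|539|jsmith|SERVER|2|WS-FRONTDESK|-
"""

# Constructed account list standing in for the domain's real users.
KNOWN_USERS = {"jsmith", "mjones", "administrator"}


def parse_export(text):
    """Turn the pipe-separated export into a list of dicts with typed fields."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, eid, user, domain, ltype, workstation, ip = line.split("|")
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event_id": int(eid),
            "user": user,
            "domain": domain,
            "logon_type": int(ltype),   # 3 = network logon, which is what IIS NTLM auth produces
            "workstation": workstation,
            "source_ip": ip,
        })
    return records


def summarise_529(records, known_users, window_seconds=60, threshold=5):
    """Count 529 failures, single out names that match no real account, and
    measure how many of those land inside any window_seconds span.  A burst of
    nonexistent names is the guessing signature; a lone failure for a real
    account is what a typo looks like."""
    known = {u.lower() for u in known_users}
    failures = [r for r in records if r["event_id"] == 529]
    unknown = sorted((r for r in failures if r["user"].lower() not in known),
                     key=lambda r: r["time"])

    # Sliding window: largest number of unknown-name failures in any window_seconds span.
    peak, start = 0, 0
    for end in range(len(unknown)):
        while (unknown[end]["time"] - unknown[start]["time"]).total_seconds() > window_seconds:
            start += 1
        peak = max(peak, end - start + 1)

    return {
        "total_failures": len(failures),
        "unknown_user_failures": len(unknown),
        "distinct_unknown_names": sorted({r["user"] for r in unknown}),
        "logon_types": dict(Counter(r["logon_type"] for r in failures)),
        "workstations": dict(Counter(r["workstation"] for r in failures)),
        "peak_unknown_per_window": peak,
        "looks_like_guessing": peak >= threshold,
    }


if __name__ == "__main__":
    summary = summarise_529(parse_export(SAMPLE_EXPORT), KNOWN_USERS)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On the constructed sample the five bogus names arrive within eight seconds, all as logon type 3 (network) from the server itself, which is the shape of a guessing run against a web-facing authentication point rather than a user at a workstation; the single jsmith failure from WS-FRONTDESK (logon type 2, interactive) is the typo case and is not counted against the threshold.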
9 Comments
 
LVL 6

Assisted Solution

by:dvast8n
dvast8n earned 800 total points
ID: 24369545
0
 
LVL 18

Expert Comment

by:Andrej Pirman
ID: 24369607
Is your SBS opened to the public internet?
If YES, then this might be some "wannabe hackers" trying to log in to your RWW or OWA, because IIS is configured to use NTLM authentication.
Generally, this error means that some service on your SBS (the source station is always your SBS, right?) is trying to authenticate, but the question is WHO is providing usernames and passwords to this service.

You may try closing your firewall to disable ports 80 and 443 for a day or two and see if the audit stops. If it stops, you will know that "attacks" are coming from the internet.
If not, dig further.

Here is also some reading:
http://www.eventid.net/display.asp?eventid=529&eventno=1&source=Security&phase=1
0
 

Author Comment

by:ITPro44
ID: 24370396
Hey, Thanks for your quick responses.

Dvast8n, I looked at the thread you posted, I also downloaded the ACTools.  Unfortunately I do not know how to use them.  Can you explain?

Labsy, I am running OWA and this is a good thought.  I will look into this.
0
 

Author Comment

by:ITPro44
ID: 24370662
Is this something I should invest my time into researching?  I'm not sure if this is even a legitimate risk or not.  I would appreciate your advice and thoughts on this.
0
 
LVL 18

Accepted Solution

by:Andrej Pirman
Andrej Pirman earned 1200 total points
ID: 24370826
Well...theoretically any attempt to break a security rule is to be examined. The only question is who is gonna take care of it - your software or you?
Security measures are in place to do jobs for you and if there are no more than a few attempts to guess the username/password combination and if that's all of the hacking there, I believe you have nothing to worry about.

But on the other hand, just a few weeks ago I had a security breach in one of the healthcare institutions here, 3 servers were successfully attacked and hackers got into the system, installing their stuff all around. Fortunately, after successfully hacking as administrator into my own (locked down) server, and spending the whole weekend on it, I managed to put all ends together even before the first Monday shift.
So, working on preventive measures might save your ass. :)

My suggestion:
- pay attention to the frequency of those attempts
- enforce a proper password policy on domain users
- inform them of what's going on around them, so as to alert their attention
- if you look at OWA / IIS logs, you might find related W3SVC log entries and maybe block some "Tunisian" or "Nigerian" IP ranges to get rid of a few hackers
0
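The last suggestion above (look for the related W3SVC entries) as an added example, not the answerer's own tool or any log from the thread: a Python script that reads an IIS W3C extended log, keyed by its `#Fields:` header so the column order does not matter, groups requests to the OWA path by client IP, and reports which clients only ever got 401 responses. The sample log lines, the IP addresses (documentation ranges) and the `/exchange` path are constructed assumptions.

```python
"""Find clients that keep failing OWA logons in an IIS 6 W3SVC log.

Example code added to this thread, not the answerer's tool and not a real log.
Assumptions: the log is in W3C extended format with a #Fields: header, OWA is
served under /exchange, and the sample below stands in for a day's log file.
"""
from datetime import datetime

# Constructed sample log (documentation IP ranges, made-up timestamps).
SAMPLE_W3SVC = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-05-12 08:00:00
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-substatus
2009-05-12 08:01:05 203.0.113.7 - GET /exchange/ 401 2
2009-05-12 08:01:07 203.0.113.7 - GET /exchange/ 401 2
2009-05-12 08:01:09 203.0.113.7 - GET /exchange/ 401 2
2009-05-12 08:01:11 203.0.113.7 - GET /exchange/ 401 2
2009-05-12 08:01:13 203.0.113.7 - GET /exchange/ 401 2
2009-05-12 08:15:40 192.0.2.25 - GET /exchange/ 401 2
2009-05-12 08:15:44 192.0.2.25 SERVER\\jsmith GET /exchange/ 200 0
2009-05-12 08:20:01 198.51.100.9 - GET /exchange/ 401 1
2009-05-12 08:21:30 198.51.100.9 - GET /Remote/ 401 2
"""


def parse_w3c(text):
    """Parse W3C extended log lines into dicts named by the #Fields: header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # header names, e.g. c-ip, sc-status
            continue
        if line.startswith("#") or not line.strip():
            continue                       # other directives and blank lines
        if fields is None:
            raise ValueError("log data appears before a #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue                       # skip a malformed line rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def owa_logon_stats(rows, uri_prefix="/exchange"):
    """Per client IP: number of 401s on the OWA path, whether that client ever
    got a 2xx there, and the time span of its activity.

    One 401 followed by a 200 from the same client is just the normal NTLM or
    Basic challenge round trip; many 401s and never a 2xx is the pattern the
    answer suggests blocking or at least watching."""
    stats = {}
    for r in rows:
        if not r["cs-uri-stem"].lower().startswith(uri_prefix):
            continue
        entry = stats.setdefault(r["c-ip"], {"failures": 0, "succeeded": False,
                                             "first": None, "last": None})
        when = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
        entry["first"] = when if entry["first"] is None else min(entry["first"], when)
        entry["last"] = when if entry["last"] is None else max(entry["last"], when)
        if r["sc-status"] == "401":
            entry["failures"] += 1
        elif r["sc-status"].startswith("2"):
            entry["succeeded"] = True
    return stats


def suspicious_ips(stats, min_failures=3):
    """Clients with at least min_failures 401s and no successful logon at all."""
    return sorted(ip for ip, s in stats.items()
                  if s["failures"] >= min_failures and not s["succeeded"])


if __name__ == "__main__":
    stats = owa_logon_stats(parse_w3c(SAMPLE_W3SVC))
    for ip, s in sorted(stats.items()):
        print(f"{ip}: {s['failures']} x 401, succeeded={s['succeeded']}, "
              f"{s['first']:%H:%M:%S}-{s['last']:%H:%M:%S}")
    print("suspicious:", suspicious_ips(stats))
```

Correlate the timestamps this prints with the event ID 529 entries in the Security log: on the constructed sample the 203.0.113.7 run lines up minute for minute with a burst of failures, while 192.0.2.25 is an ordinary user whose first request was challenged and whose second request succeeded. Whether to block a range at the firewall is then a judgement about that client's pattern rather than about its country.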
 
LVL 18

Expert Comment

by:Andrej Pirman
ID: 24370852
ADD ON:
After reading my post again, I owe an apology to all people in Tunisia and Nigeria, since I didn't want to be offensive or discriminatory, but was rather speaking figuratively; some known and widespread scams are even called "Nigerian Spam", so I used such a term, too.
0
 
LVL 6

Assisted Solution

by:dvast8n
dvast8n earned 800 total points
ID: 24376491
Case,

In response to how to use the tool here's a very good explanation on how to use it.

http://technet.microsoft.com/en-us/library/cc738772(WS.10).aspx

0
 

Author Comment

by:ITPro44
ID: 24390186
Thanks for your responses guys.  My plan of action is no action.  I do not have time at the moment to pursue what appears to be a minor threat.

I really appreciate the insight both of you have given me!

Thanks!
0
 

Author Closing Comment

by:ITPro44
ID: 31580736
Thanks Gentlemen!
0
