Security Event ID 529 & 539

I have multiple Event ID 529 every day. The user names vary and are usually legitimate network users who access the server via VPN or use OWA or Outlook Anywhere.

This one however is a users who does not exist (1234) apparently accessing from workstation SBS1 (the server).
Does anyone know what is going on?

[Source] Security      
[Event ID] 529      
[Date/Time] 4/25/2010 7:38 AM      
[Total Occurrences] 774 *

Logon Failure:
       Reason:      Unknown user name or bad password
       User Name:      1234
       Domain:       
       Logon Type:      3
       Logon Process:      Advapi
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      SBS1
       Caller User Name:      SBS1$
       Caller Domain:      OURDOMAIN
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      2948
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -

We have also had the following Lockout from a user name that does exist (Info), but at an unusaul time!
Again any I would be grateful for any advice:

[Source] Security 539      
[Date] 4/25/2010 6:22 AM      
[Total Occrrences] 137 *

Logon Failure:
       Reason:      Account locked out
       User Name:      info
       Domain:       
       Logon Type:      3
       Logon Process:      Advapi
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      SBS1
       Caller User Name:      SBS1$
       Caller Domain:      KIERNAN
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID: 2948
       Transited Services: -
       Source Network Address:      -
       Source Port:      -


Thanks for your time.
NELMOAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Cris HannaCommented:
What do you have for a firewall solution?   Do you have strong passwords in place?
These are definitely hacking attempts..everyone gets them.
0
dmessmanCommented:
agreed - I wrote about this here when I first saw them in my logs:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/SBS_Small_Business_Server/Q_25093966.html?sfQueryTermInfo=1+529+brute

Since then, I have seen each of my SBS boxes be attacked like this.  If they are guessing invalid usernames, there's nothing you can do about them.  I use a product called EventSentry (which I think is excellent) that sends me all errors in the event logs by email.  So I see these 529 errors as they happen.  

Personally, I log into the firewall if I have time and then I disable the ports one by one until I find the one they are attacking through.  Then I wait 15 minutes and then I re-enable it.  Sometimes, it's port 25, sometimes it's 443.  Sometimes, it's 1723.  There is no good answer here.  They are hard to track down and I get the sense that most people just consider this the nature of the beast of having an SBS box on the internet.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
NELMOAuthor Commented:
As you say dmessman, this will be something I will have to put up with.
Although it has had the added effect of convincing the powers that be that our password policy be tightened.
Isn't it amazing that you need possible disasters before decisions are made!!

Thanks for your time
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
SBS

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.