Solved

Event ID 529 in the Thousands

Posted on 2010-09-09
7
609 Views
Last Modified: 2012-08-13
A few of our clients get between 50-100 event 529s per day in Security Event Log. Lately with two of our clients, we are seeing them in the THOUSANDS, from foreign IP addresses. I usually document the IP as best I can via ip-lookup.net and try to get a region identifier. Many times the IP ranges aren't registered with ARIN. Also, we see these coming from various regions on a day-to-day basis: Sometimes from Germany, Spain, Russia, US, Australia, etc.

Is there a standard best-practice in auditing these events and is there a solution such as changing RDP ports or some such we should look into? Does everyone see these events often, or is this possibly something we've overlooked? Thanks!
0
Comment
Question by:msiers
  • 2
  • 2
  • 2
7 Comments
 
LVL 2

Expert Comment

by:Hossy
ID: 33638993
When you say "clients," are you referring to people/companies or computers?

In either case, why are you permitting RDP access to internal machines from the Internet directly?  I would setup a Terminal Services Gateway.

Worst case, change the port RDP responds to either locally on each machine of via a NAT/PAT on your firewall (you do have one, right?). :-)
0
 
LVL 2

Expert Comment

by:Hossy
ID: 33639029
Best thing would be to setup a VPN then connect via RDP after connecting to the VPN.

If you setup a TSGateway, put the TSGateway in your DMZ and only allow required traffic to/from it and your internal network and also to/from it and the Internet.
0
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
ID: 33644311
This is brute forcing the login and it would be symptoms of bots (external) esp if it is something of having the event ID is 529 (failed logon attempt) and a type 3 logon attempt, indicating that the attempt is from the network. The logon type probably is the remote login of type 10 in this case.

This would very much call for incident handling but sometimes ping is common and brute force is not common. hopefully there is no successful login. If 2 factor authentication is enforced, this would not be breached easily.

Also I see anomaly detection is one proactive measure to be taken esp in enterprise environment against the insider and external threats. Can check out my answer in and the cheatsheet from SANS

@ http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_26376762.html

@ http://www.experts-exchange.com/Security/Vulnerabilities/Q_26429428.html



0
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

 

Author Comment

by:msiers
ID: 33648130
http://www.ip-adress.com/whois/222.186.23.74

Well another issue we have is that our clients are small businesses. None of our clients are related or have much in common with one-another, and nothing obvious about who our clients are. It's really strange to see this above IP hit two of my clients in the same day. Very strange, rare, and seemingly almost impossible.

[***] = Proprietary information
_________________________
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: [client's domain]
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate Workstation
Name: [servername]
Caller User Name: [servername]$
Caller Domain: [client's domain]
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 6892
Transited Services: -
Source Network Address: 222.186.23.74
Source Port: 1720

I am new to this aspect of administration, so pardon my lack of knowledge in the best practices on researching this sort of event and preventing it down the road. This IP/entity shouldn't have any ability to identify two of our customers and hit them the same day, it just seems highly improbable.
0
 

Author Comment

by:msiers
ID: 33648388
Oh, and pretty much every client gets these from external IPs, usually the same Logon and Process type and ID.
0
 
LVL 61

Expert Comment

by:btan
ID: 33652207
Looks like it is indeed some brute forcing remote attempts but failed.
Can see this check of IP in robtex
@ http://www.robtex.com/ip/222.186.23.74.html

It is within the past blacklist and I will suggest that the ip be blackholed at your firewall or network defence devices. Keep all machine up to latest patch too.
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

By this time the large percentage of day-to-day transactions have shifted to mobile banking; here are some overriding areas QAs must investigate while testing mobile banking apps.  
Never store passwords in plain text or just their hash: it seems a no-brainier, but there are still plenty of people doing that. I present the why and how on this subject, offering my own real life solution that you can implement right away, bringin…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now