Solved

Event ID 529 in the Thousands

Posted on 2010-09-09
Medium Priority
626 Views
Last Modified: 2012-08-13
A few of our clients get between 50-100 event 529s per day in Security Event Log. Lately with two of our clients, we are seeing them in the THOUSANDS, from foreign IP addresses. I usually document the IP as best I can via ip-lookup.net and try to get a region identifier. Many times the IP ranges aren't registered with ARIN. Also, we see these coming from various regions on a day-to-day basis: Sometimes from Germany, Spain, Russia, US, Australia, etc.

Is there a standard best-practice in auditing these events and is there a solution such as changing RDP ports or some such we should look into? Does everyone see these events often, or is this possibly something we've overlooked? Thanks!
Question by:msiers
7 Comments
 
LVL 2

Expert Comment

by:Hossy
ID: 33638993
When you say "clients," are you referring to people/companies or computers?

In either case, why are you permitting RDP access to internal machines from the Internet directly?  I would set up a Terminal Services Gateway.

Worst case, change the port RDP responds to, either locally on each machine or via a NAT/PAT on your firewall (you do have one, right?). :-)
 
LVL 2

Expert Comment

by:Hossy
ID: 33639029
Best thing would be to set up a VPN, then connect via RDP after connecting to the VPN.

If you set up a TSGateway, put the TSGateway in your DMZ and only allow required traffic to/from it and your internal network, and also to/from it and the Internet.
 
LVL 64

Accepted Solution

by: btan (earned 2000 total points)
ID: 33644311
This is brute forcing of the login, and it would be a symptom of (external) bots, especially if the event ID is 529 (failed logon attempt) with a type 3 logon attempt, indicating that the attempt is from the network. The logon type probably is the remote login of type 10 in this case.

This would very much call for incident handling, but sometimes ping is common and brute force is not common. Hopefully there is no successful login. If 2-factor authentication is enforced, this would not be breached easily.

Also, I see anomaly detection as one proactive measure to be taken, especially in an enterprise environment, against insider and external threats. You can check out my answer and the cheatsheet from SANS in:

@ http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_26376762.html

@ http://www.experts-exchange.com/Security/Vulnerabilities/Q_26429428.html

Author Comment

by:msiers
ID: 33648130
http://www.ip-adress.com/whois/222.186.23.74

Well, another issue we have is that our clients are small businesses. None of our clients are related or have much in common with one another, and nothing obvious about who our clients are. It's really strange to see this above IP hit two of my clients in the same day. Very strange, rare, and seemingly almost impossible.

[***] = Proprietary information
_________________________
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: [client's domain]
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: [servername]
Caller User Name: [servername]$
Caller Domain: [client's domain]
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 6892
Transited Services: -
Source Network Address: 222.186.23.74
Source Port: 1720

I am new to this aspect of administration, so pardon my lack of knowledge in the best practices on researching this sort of event and preventing it down the road. This IP/entity shouldn't have any ability to identify two of our customers and hit them the same day, it just seems highly improbable.
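The two comments above (btan's point that a 529 with Logon Type 3 or 10 means a network or RDP attempt, and the record layout msiers quoted) are enough to do the triage the question asks about: group the failures by Source Network Address and separate the normal trickle from a single address hammering one account. The following is an added example written for this thread, not code from the thread or from any product named in it. It assumes the 529 events have been exported as plain text in the field layout quoted above, one "Logon Failure:" block per event; the sample export, the EXAMPLE domain, the SRV01 host name, the addresses (documentation ranges 203.0.113.0/24 and 198.51.100.0/24) and the threshold of 5 failures are all constructed for the example.

```python
"""Triage of Windows Security event 529 (failed logon) records by source address.

Added example; it is not code from the thread or from any product mentioned in it.
Assumes the 529 events were exported as plain text in the field layout quoted in
the thread (one "Logon Failure:" block per event). The threshold is a
site-specific choice (assumption). Addresses use documentation ranges.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Record layout copied from the thread's quoted event; values filled per record.
RECORD_TEMPLATE = """\
Logon Failure:
Reason: Unknown user name or bad password
User Name: {user}
Domain: EXAMPLE
Logon Type: {logon_type}
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: SRV01
Caller User Name: SRV01$
Caller Domain: EXAMPLE
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 6892
Transited Services: -
Source Network Address: {src}
Source Port: {port}
"""


def make_record(user: str, logon_type: int, src: str, port) -> str:
    """Build one constructed event record in the quoted layout."""
    return RECORD_TEMPLATE.format(user=user, logon_type=logon_type, src=src, port=port)


# Constructed sample export: one address hammering Administrator over RDP
# (Logon Type 10), one trying several names over the network (Logon Type 3),
# and one local failure with no source address (the "-" case).
SAMPLE_EXPORT = "\n".join(
    [make_record("Administrator", 10, "203.0.113.5", 1720 + i) for i in range(6)]
    + [make_record(u, 3, "198.51.100.7", 40000 + i)
       for i, u in enumerate(["admin", "guest", "test"])]
    + [make_record("jdoe", 2, "-", "-")]
)

LOGON_TYPE_NAMES = {"2": "interactive", "3": "network", "10": "remote interactive (RDP)"}


def parse_529_export(text: str) -> List[Dict[str, str]]:
    """Split a text export into records and parse each 'Key: Value' line."""
    records = []
    for block in re.split(r"(?m)^Logon Failure:[ \t]*$", text):
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep and key.strip():
                fields[key.strip()] = value.strip()
        if fields:
            records.append(fields)
    return records


def summarize_by_source(records):
    """Group failures by source address: total count, accounts tried, logon types."""
    summary = defaultdict(lambda: {"count": 0, "users": Counter(), "logon_types": Counter()})
    for rec in records:
        src = rec.get("Source Network Address", "-")
        if src in ("", "-"):
            src = "local"  # no network address: not a remote source, keep it out of the block list
        entry = summary[src]
        entry["count"] += 1
        entry["users"][rec.get("User Name", "?")] += 1
        entry["logon_types"][rec.get("Logon Type", "?")] += 1
    return dict(summary)


def flag_sources(summary, threshold: int = 5) -> List[Tuple[str, int]]:
    """Remote sources with at least `threshold` failures, busiest first."""
    flagged = [(src, e["count"]) for src, e in summary.items()
               if src != "local" and e["count"] >= threshold]
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


def describe(src: str, entry) -> str:
    """One-line triage note: failures, logon types used, and accounts targeted."""
    types = ", ".join(f"type {t} ({LOGON_TYPE_NAMES.get(t, 'other')}) x{n}"
                      for t, n in entry["logon_types"].most_common())
    accounts = ", ".join(f"{u} x{n}" for u, n in entry["users"].most_common())
    return f"{src}: {entry['count']} failures; {types}; accounts: {accounts}"


if __name__ == "__main__":
    summary = summarize_by_source(parse_529_export(SAMPLE_EXPORT))
    for src, count in flag_sources(summary, threshold=5):
        print(describe(src, summary[src]))
```

The output of flag_sources is the list worth feeding to the firewall or the WHOIS lookup; the local bucket is kept separate because a failure with no source address is a console or service logon, not something a perimeter block would touch. Run the same summary per day and the difference between "50-100 a day from many addresses" and "thousands from one address against Administrator" shows up directly in the counts.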
 

Author Comment

by:msiers
ID: 33648388
Oh, and pretty much every client gets these from external IPs, usually the same Logon and Process type and ID.
 
LVL 64

Expert Comment

by:btan
ID: 33652207
Looks like it is indeed some brute-forcing remote attempts, but failed.
You can see this check of the IP in robtex
@ http://www.robtex.com/ip/222.186.23.74.html

It is within the past blacklist, and I would suggest that the IP be blackholed at your firewall or network defence devices. Keep all machines up to the latest patch too.