Solved

Event ID 529 in the Thousands

Posted on 2010-09-09
7
612 Views
Last Modified: 2012-08-13
A few of our clients get between 50-100 event 529s per day in Security Event Log. Lately with two of our clients, we are seeing them in the THOUSANDS, from foreign IP addresses. I usually document the IP as best I can via ip-lookup.net and try to get a region identifier. Many times the IP ranges aren't registered with ARIN. Also, we see these coming from various regions on a day-to-day basis: Sometimes from Germany, Spain, Russia, US, Australia, etc.

Is there a standard best-practice in auditing these events and is there a solution such as changing RDP ports or some such we should look into? Does everyone see these events often, or is this possibly something we've overlooked? Thanks!
0
Comment
Question by:msiers
  • 2
  • 2
  • 2
7 Comments
 
LVL 2

Expert Comment

by:Hossy
ID: 33638993
When you say "clients," are you referring to people/companies or computers?

In either case, why are you permitting RDP access to internal machines from the Internet directly?  I would setup a Terminal Services Gateway.

Worst case, change the port RDP responds to either locally on each machine of via a NAT/PAT on your firewall (you do have one, right?). :-)
0
 
LVL 2

Expert Comment

by:Hossy
ID: 33639029
Best thing would be to setup a VPN then connect via RDP after connecting to the VPN.

If you setup a TSGateway, put the TSGateway in your DMZ and only allow required traffic to/from it and your internal network and also to/from it and the Internet.
0
 
LVL 62

Accepted Solution

by:
btan earned 500 total points
ID: 33644311
This is brute forcing the login and it would be symptoms of bots (external) esp if it is something of having the event ID is 529 (failed logon attempt) and a type 3 logon attempt, indicating that the attempt is from the network. The logon type probably is the remote login of type 10 in this case.

This would very much call for incident handling but sometimes ping is common and brute force is not common. hopefully there is no successful login. If 2 factor authentication is enforced, this would not be breached easily.

Also I see anomaly detection is one proactive measure to be taken esp in enterprise environment against the insider and external threats. Can check out my answer in and the cheatsheet from SANS

@ http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_26376762.html

@ http://www.experts-exchange.com/Security/Vulnerabilities/Q_26429428.html



0
Save on storage to protect fatherhood memories

You're the dad who has everything. This Father's Day, make sure your family memories are protected. My Passport Ultra has automatic backup and password protection to keep your cherished photos and videos safe. With up to 3TB, you have plenty of room to hold the adventures ahead.

 

Author Comment

by:msiers
ID: 33648130
http://www.ip-adress.com/whois/222.186.23.74

Well another issue we have is that our clients are small businesses. None of our clients are related or have much in common with one-another, and nothing obvious about who our clients are. It's really strange to see this above IP hit two of my clients in the same day. Very strange, rare, and seemingly almost impossible.

[***] = Proprietary information
_________________________
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: [client's domain]
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate Workstation
Name: [servername]
Caller User Name: [servername]$
Caller Domain: [client's domain]
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 6892
Transited Services: -
Source Network Address: 222.186.23.74
Source Port: 1720

I am new to this aspect of administration, so pardon my lack of knowledge in the best practices on researching this sort of event and preventing it down the road. This IP/entity shouldn't have any ability to identify two of our customers and hit them the same day, it just seems highly improbable.
0
 

Author Comment

by:msiers
ID: 33648388
Oh, and pretty much every client gets these from external IPs, usually the same Logon and Process type and ID.
0
 
LVL 62

Expert Comment

by:btan
ID: 33652207
Looks like it is indeed some brute forcing remote attempts but failed.
Can see this check of IP in robtex
@ http://www.robtex.com/ip/222.186.23.74.html

It is within the past blacklist and I will suggest that the ip be blackholed at your firewall or network defence devices. Keep all machine up to latest patch too.
0

Featured Post

Superior storage. Superior surveillance.

WD Purple drives are built for 24/7, always-on, high-definition security systems. With support for up to 8 hard drives and 32 cameras, WD Purple drives are optimized for surveillance.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It’s a strangely common occurrence that when you send someone their login details for a system, they can’t get in. This article will help you understand why it happens, and what you can do about it.
By this time the large percentage of day-to-day transactions have shifted to mobile banking; here are some overriding areas QAs must investigate while testing mobile banking apps.  
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
A simple description of email encryption using a secure portal service. This is one of the choices offered by The Email Laundry for email encryption. The other choices are pdf encryption which creates an encrypted pdf of your email and any attachmen…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now