Many occurrences of event 529 in Windows Server 2003 SBS event log

Posted on 2011-04-25
Last Modified: 2012-05-11
Greetings gurus.

Needing guidance to know how to address an ongoing issue on our server.  We routinely see the event log bombarded with Security Event 529.  I have searched and found similar situations but do not understand how to address it.  Below are some details on our server to help you with pointing me in the right direction.

Server Info:
- Windows 2003 SBS, SP2
- Firewall = Watchguard Firebox X-20eW
- Exchange 2003 Server enabled with access to Outlook Web Access
- Process 2132 = inetinfo.exe

Event Log Capture:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            4/24/2011
Time:            4:49:23 PM
User:            NT AUTHORITY\SYSTEM
Computer:      xx-xxxxxxx1
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      mail
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      xx-xxxxxxx1
       Caller User Name:      xx-xxxxxxx$
       Caller Domain:      xxxxxxxxxx
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      2132
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -

Apologies if this is yet another duplicate posting and thanks for helping point me toward a post that will help me correct the issue.

Question by:atroutcatcher
    LVL 11

    Assisted Solution

    LVL 1

    Author Comment

    Thanks.  Took a quick tour and that article seems related to an internal issue -- someone changing a password and forgetting it or a variation like it.

    This error occurred 2390 times in the log and the id is changing each time.  Thus, someone is attempting to, in my opinion, break into the system.  Wish there were laws against this!

    Thoughts on what port they would be using for this and how to stop them after a few attempts?

    Thanks for the quick help.  Really appreciated!
    LVL 56

    Assisted Solution

    by:Cliff Galiher
    This is expected on any server that has services accessible from the internet. Someone is throwing usernames and passwords against your OWA server. Short of disallowing OWA, there is not much you can do about preventing such attempts. You *can* implement two-factor authentication so that guessing a password alone won't be enough to access OWA. You could also implement an advanced firewall at your network edge that blocks an IP after a few failed logon attempts. Both will lessen the number of failures you are seeing, but as I said, as long as your server has a service available on the net, hackers/botnets/etc will attempt to access it.

    LVL 1

    Author Comment

    Thank you!

    Which port is being attacked?  80 and/or 443?

    Two-factor authentication - where would you recommend that I find more about it?

    The firewall we have does not appear to require authentication other than through its VPN.  Does that sound correct?  Access through the VPN is prohibitively slow and has not been used much for such reasons.

    Minimizing the issue and preventing a compromise is what I'm after.  Sounds like you guys are putting me on the right path.

    Thanks for any more information you can provide.
    LVL 56

    Accepted Solution

    When you ask "what port is being attacked" I want to be clear: a port isn't being attacked, a service is. With that said, the default configuration for SBS services that require authentication is to only run on 443, so the attack is coming in over that port unless defaults have been changed. But the actual attack could be OWA, ActiveSync, RWW, or another service running on IIS.

    There are many two-factor authentication methods out there. A popular one for SBS is made by Scorpionsoft, but a Google search will turn up several options for you. I don't know enough about your budget, network, or skill level to make a definitive recommendation.
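
The thread distinguishes one account failing repeatedly from user names that change on every attempt against inetinfo.exe; tallying the 529 records per caller process shows which of the two a log contains. This is an added example, not part of the original thread: the record builder, the sample values, and the threshold of 5 distinct names are assumptions.

```python
from collections import Counter, defaultdict
import re

def make_event(user, pid="2132", src="-"):
    # Constructed record that follows the field layout of the capture in the question.
    return ("Event Type:      Failure Audit\nEvent ID:      529\nLogon Failure:\n"
            "       Reason:            Unknown user name or bad password\n"
            f"       User Name:      {user}\n       Logon Type:      3\n"
            f"       Caller Process ID:      {pid}\n"
            f"       Source Network Address:      {src}\n\n")

# Constructed sample: six failures via PID 2132 with changing names, three via PID 640.
SAMPLE = "".join(make_event(u) for u in ["mail", "admin", "test", "info", "sales", "mail"])
SAMPLE += "".join(make_event("jsmith", pid="640", src="192.0.2.10") for _ in range(3))

def parse_events(text):
    """Split an exported Security log on 'Event Type:' and keep the 529 records."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")  # first colon only, so times survive
            if sep:
                fields[key.strip()] = value.strip()
        if fields.get("Event ID") == "529":
            events.append(fields)
    return events

def summarize(events, guess_threshold=5):
    """Per caller process: failure count, distinct user names, and any source addresses."""
    names, sources = defaultdict(Counter), defaultdict(set)
    for e in events:
        pid = e.get("Caller Process ID", "?")
        names[pid][e.get("User Name", "?")] += 1
        if e.get("Source Network Address", "-") != "-":
            sources[pid].add(e["Source Network Address"])
    report = {}
    for pid, counts in names.items():
        guessing = len(counts) >= guess_threshold  # assumed cut-off, tune per site
        report[pid] = {
            "failures": sum(counts.values()),
            "distinct_users": len(counts),
            "pattern": "username guessing" if guessing else "repeated single account",
            # An empty list means the event names no client; use the service's own log.
            "sources": sorted(sources[pid]),
        }
    return report

if __name__ == "__main__":
    for pid, row in summarize(parse_events(SAMPLE)).items():
        print(pid, row)
```

Where the Source Network Address field is `-`, as in the capture in the question, the Security log alone cannot name the client, so any per-IP blocking has to be driven from the firewall or the web server's access log.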

    LVL 1

    Author Comment

    Thanks for clarifying, Cliff.

    Last question for you would be, in your opinion, what is the exposure of doing nothing?  If we have strong passwords and leave the setup as-is, is this just an annoyance?

    Since I don't have pricing, would have to understand that first to know if it can fit into the budget.  As to implementation, I'll be looking for the easiest implementation both for support and for the users.

    Thanks again.  You've been very helpful.
    LVL 27

    Expert Comment

    This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
