Many occurrences of event 529 in Windows Server 2003 SBS event log

Posted on 2011-04-25
Medium Priority
Last Modified: 2012-05-11
Greetings gurus.

Needing guidance to know how to address an ongoing issue on our server.  We routinely see the event log bombarded with Security Event 529.  I have searched and found similar situations but do not understand how to address it.  Below are some details on our server to help you with pointing me in the right direction.

Server Info:
- Windows 2003 SBS, SP2
- Firewall = Watchguard Firebox X-20eW
- Exchange 2003 Server enabled with access to Outlook Web Access
- Process 2132 = inetinfo.exe

Event Log Capture:

Event Type:        Failure Audit
Event Source:      Security
Event Category:    Logon/Logoff
Event ID:          529
Date:              4/24/2011
Time:              4:49:23 PM
User:              NT AUTHORITY\SYSTEM
Computer:          xx-xxxxxxx1
Logon Failure:
       Reason:                     Unknown user name or bad password
       User Name:                  mail
       Logon Type:                 3
       Logon Process:              Advapi
       Authentication Package:     MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:           xx-xxxxxxx1
       Caller User Name:           xx-xxxxxxx$
       Caller Domain:              xxxxxxxxxx
       Caller Logon ID:            (0x0,0x3E7)
       Caller Process ID:          2132
       Transited Services:         -
       Source Network Address:     -
       Source Port:                -

Apologies if this is yet another duplicate posting and thanks for helping point me toward a post that will help me correct the issue.

Question by: atroutcatcher
LVL 11

Assisted Solution

g000se earned 664 total points
ID: 35460706

Author Comment

ID: 35461095
Thanks.  Took a quick tour and that article seems related to an internal issue -- someone changing a password and forgetting it or a variation like it.

This error occurred 2390 times in the log and the id is changing each time.  Thus, someone is attempting to, in my opinion, break into the system.  Wish there were laws against this!

Thoughts on what port they would be using for this and how to stop them after a few attempts?

Thanks for the quick help.  Really appreciated!
LVL 60

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 1336 total points
ID: 35463110
This is expected on any server that has services accessible from the internet. Someone is throwing usernames and passwords against your OWA server. Short of disallowing OWA, there is not much you can do about preventing such attempts. You *can* implement two-factor authentication so that guessing a password alone won't be enough to access OWA. You could also implement an advanced firewall at your network edge that blocks an IP after a few failed logon attempts. Both will lessen the number of failures you are seeing, but as I said, as long as your server has a service available on the net, hackers/botnets/etc will attempt to access it.
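Added example, not code from this thread or from SBS: a small Python detector that parses 529 events in the text layout shown in the question and flags user names that accumulate a burst of failures inside a sliding window, the same threshold idea Cliff describes for a firewall, applied to the Security log instead. The sample events are constructed, and the 5-minute window and threshold of 3 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")  # "Key:   value" lines

def parse_529_events(text):
    """One dict per Event ID 529 in a text export (events separated by a blank line)."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = dict(m.groups() for m in map(FIELD_RE.match, chunk.splitlines()) if m)
        if fields.get("Event ID") == "529":
            fields["when"] = datetime.strptime(
                f"{fields['Date']} {fields['Time']}", "%m/%d/%Y %I:%M:%S %p")
            events.append(fields)
    return events

def password_guessing(events, window=timedelta(minutes=5), threshold=3):
    """Return {user name: peak 529 count inside any sliding `window`} for names that
    reach `threshold`. Advapi failures raised by inetinfo.exe carry no Source Network
    Address, so grouping is by user name; the client IP must come from the IIS log."""
    times_by_user = defaultdict(list)
    for e in events:
        times_by_user[e.get("User Name", "?")].append(e["when"])
    flagged = {}
    for user, times in times_by_user.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged

def constructed_log(attempts):
    """Constructed sample export in the question's layout: (time, user name) pairs,
    all dated 4/24/2011 with caller PID 2132 (inetinfo.exe) and no source address."""
    return "\n\n".join(
        f"Event Type:      Failure Audit\nEvent ID:      529\nDate:      4/24/2011\n"
        f"Time:      {t}\nLogon Failure:\n       Reason:      Unknown user name or bad password\n"
        f"       User Name:      {u}\n       Logon Type:      3\n       Logon Process:      Advapi\n"
        f"       Caller Process ID:      2132\n       Source Network Address:      -"
        for t, u in attempts)

SAMPLE = constructed_log([("4:49:23 PM", "mail"), ("4:49:24 PM", "mail"),
                          ("4:49:26 PM", "mail"), ("4:52:10 PM", "admin"),
                          ("4:49:31 PM", "mail"), ("6:15:00 PM", "jsmith")])
```

Running `password_guessing(parse_529_events(SAMPLE))` flags only `mail`, with four failures inside one window; a real export from the Event Viewer "save as text" can be fed in the same way.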



Author Comment

ID: 35464350
Thank you!

Which port is being attacked?  80 and/or 443?

Two-factor authentication - where would you recommend that I find more about it?

The firewall we have does not appear to require authentication other than through its VPN.  Does that sound correct?  Access through the VPN is prohibitively slow and has not been used much for such reasons.

Minimizing the issue and preventing a compromise is what I'm after.  Sounds like you guys are putting me on the right path.

Thanks for any more information you can provide.
LVL 60

Accepted Solution

Cliff Galiher earned 1336 total points
ID: 35464724
When you ask "what port is being attacked" I want to be clear: a port isn't being attacked, a service is. With that said, the default configuration for SBS services that require authentication is to run only on 443, so the attack is coming in over that port unless defaults have been changed. But the actual attack could be against OWA, ActiveSync, RWW, or another service running on IIS.

There are many two-factor authentication methods out there. A popular one for SBS is made by Scorpionsoft, but a Google search will turn up several options for you. I don't know enough about your budget, network, or skill level to make a definitive recommendation.


Author Comment

ID: 35467858
Thanks for clarifying, Cliff.

Last question for you would be, in your opinion, what is the exposure of doing nothing?  If we have strong passwords and leave the setup as-is, is this just an annoyance?

Since I don't have pricing, I would have to understand that first to know if it can fit into the budget.  As to implementation, I'll be looking for the easiest implementation both for support and for the users.

Thanks again.  You've been very helpful.
LVL 27

Expert Comment

ID: 36902087
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
