We help IT Professionals succeed at work.

Many occurrences of event 529 in Windows Server 2003 SBS event log

1,017 Views
Last Modified: 2012-05-11
Greetings gurus.

Needing guidance to know how to address an ongoing issue on our server.  We routinely see the event log bombarded with Security Event 529.  I have searched and found similar situations but do not understand how to address it.  Below are some details on our server to help you with pointing me in the right direction.

Server Info:
- Windows 2003 SBS, SP2
- Firewall = Watchguard Firebox X-20eW
- Exchange 2003 Server enabled with access to Outlook Web Access
- Process 2132 = inetinfo.exe

Event Log Capture:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            4/24/2011
Time:            4:49:23 PM
User:            NT AUTHORITY\SYSTEM
Computer:      xx-xxxxxxx1
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      mail
       Domain:            
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      xx-xxxxxxx1
       Caller User Name:      xx-xxxxxxx$
       Caller Domain:      xxxxxxxxxx
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      2132
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -

Apologies if this is yet another duplicate posting and thanks for helping point me toward a post that will help me correct the issue.


Comment
Watch Question

Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION

Author

Commented:
Thanks.  Took a quick tour and that article seems related to an internal issue -- someone changing a password and forgetting it or a variation like it.

This error occurred 2390 times in the log and the id is changing each time.  Thus, someone is attempting to, in my opinion, break into the system.  Wish there were laws against this!

Thoughts on what port they would be using for this and how to stop them after a few attempts?

Thanks for the quick help.  Really appreciated!
CERTIFIED EXPERT
Distinguished Expert 2018
Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION

Author

Commented:
Thank you!

Which port is being attacked?  80 and/or 443?

Two-factor authentication - where would you recommend that I find more about it?

The firewall we have does not appear to require authentication other than through it's VPN.  Does that sound correct?  Access through the VPN is prohibitively slow and has not been used much for such reasons.

Minimizing the issue and preventing a compromise is what I'm after.  Sounds like you guys are putting me on the right path.

Thanks for any more information you can provide.
CERTIFIED EXPERT
Distinguished Expert 2018
Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION

Author

Commented:
thanks for clarifying cliff.

last question for you would be, in your opinion, what is the exposure of doing nothing?  if we have strong passwords and leave the setup as-is, is this just an annoyance?

since i don't have pricing, would have to understand that first to know if it can fit into the budget.  as to implementation, i'll be looking for the easiest implementation both for support and for the users.

thanks again.  you've been very helpful.
TolomirAdministrator
CERTIFIED EXPERT
Top Expert 2005

Commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a sample view!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.