atroutcatcher

asked on

Many occurrences of event 529 in Windows Server 2003 SBS event log

Greetings gurus.

Needing guidance to know how to address an ongoing issue on our server.  We routinely see the event log bombarded with Security Event 529.  I have searched and found similar situations but do not understand how to address it.  Below are some details on our server to help you with pointing me in the right direction.

Server Info:
- Windows 2003 SBS, SP2
- Firewall = Watchguard Firebox X-20eW
- Exchange 2003 Server enabled with access to Outlook Web Access
- Process 2132 = inetinfo.exe

Event Log Capture:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            4/24/2011
Time:            4:49:23 PM
User:            NT AUTHORITY\SYSTEM
Computer:      xx-xxxxxxx1
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      mail
       Domain:            
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      xx-xxxxxxx1
       Caller User Name:      xx-xxxxxxx$
       Caller Domain:      xxxxxxxxxx
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      2132
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -

Apologies if this is yet another duplicate posting and thanks for helping point me toward a post that will help me correct the issue.


SOLUTION
g000se

This solution is only available to members.

atroutcatcher

ASKER

Thanks.  Took a quick tour and that article seems related to an internal issue -- someone changing a password and forgetting it or a variation like it.

This error occurred 2390 times in the log and the id is changing each time.  Thus, someone is attempting to, in my opinion, break into the system.  Wish there were laws against this!

Thoughts on what port they would be using for this and how to stop them after a few attempts?

Thanks for the quick help.  Really appreciated!
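
A triage sketch for the distinction drawn in the post above (one account failing repeatedly versus a different user name on each failure), added here as an example and not part of the original thread. It parses pasted Event Viewer text in the layout shown in the question; the sample records, the user names other than "mail", PID 840 and the `many_names` threshold are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample in the layout of the event shown in the question
# (not real log data); user names other than "mail" are made up.
TEMPLATE = """Event Type:      Failure Audit
Event ID:      529
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      {user}
       Logon Type:      3
       Caller Process ID:      {pid}
       Source Network Address:      -
"""
SAMPLE = "".join(TEMPLATE.format(user=u, pid=2132)
                 for u in ["mail", "admin", "test", "backup", "mail"])
SAMPLE += TEMPLATE.format(user="jsmith", pid=840) * 3  # hypothetical second process

FIELD = re.compile(r"^\s*([A-Za-z /]+?):[ \t]*(.*?)\s*$")

def parse_events(text):
    """Split a pasted Event Viewer export into one dict per 529 record."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        fields = {}
        for line in chunk.splitlines():
            m = FIELD.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        if fields.get("Event ID") == "529":
            events.append(fields)
    return events

def summarize(events, many_names=4):
    """Group failures by caller PID and count the distinct user names tried."""
    by_pid = {}
    for ev in events:
        names = by_pid.setdefault(ev.get("Caller Process ID", "?"), Counter())
        names[ev.get("User Name", "")] += 1
    report = {}
    for pid, names in by_pid.items():
        # Many different names through one process suggests guessing;
        # one name repeated suggests a stale or forgotten password.
        pattern = "many-names" if len(names) >= many_names else "single-account"
        report[pid] = {"failures": sum(names.values()),
                       "distinct_users": len(names), "pattern": pattern}
    return report

if __name__ == "__main__":
    for pid, row in summarize(parse_events(SAMPLE)).items():
        print(pid, row)
```

The caller PID can be mapped to a process name on the server, as the question does for 2132 (inetinfo.exe), to see which service is receiving the failed logons.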
SOLUTION
Cliff Galiher

This solution is only available to members.

Thank you!

Which port is being attacked?  80 and/or 443?

Two-factor authentication - where would you recommend that I find more about it?

The firewall we have does not appear to require authentication other than through its VPN.  Does that sound correct?  Access through the VPN is prohibitively slow and has not been used much for such reasons.

Minimizing the issue and preventing a compromise is what I'm after.  Sounds like you guys are putting me on the right path.

Thanks for any more information you can provide.
ASKER CERTIFIED SOLUTION
This solution is only available to members.

Thanks for clarifying, Cliff.

Last question for you would be, in your opinion, what is the exposure of doing nothing?  If we have strong passwords and leave the setup as-is, is this just an annoyance?

Since I don't have pricing, would have to understand that first to know if it can fit into the budget.  As to implementation, I'll be looking for the easiest implementation both for support and for the users.

Thanks again.  You've been very helpful.
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.