IIS Security - Event ID 531
Posted on 2011-04-27
I have one SBS 2003 that is being hit heavily with the below:
Reason: Unknown user name or password
User Name: <random>
Logon Type: 3
Logon Process: advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: <SERVER>
Caller User Name: <SERVER$>
Caller Domain: <DOMAIN>
Caller Logon ID: (0x0,0x37)
Caller Process ID: 1664
The process that is referenced is inetinfo.exe.
I have searched forums and the only answer I see is that this is all a part of having an internet address. I have my network behind a router/firewall device with various ports forwarded through for SMTP-25, RDP-13389, RWW-443. I do not see the same issue on any other server I have on other networks, so I want to investigate further and perhaps attempt to block these attempts.
We do have a strong password policy internally, but seeing 5000+ attempts within a 24h period seems a bit much.
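An added example, not part of the original post: one way to triage a volume like this is to group the failure events by logon process, logon type and caller process ID, and count distinct user names per group, which shows which service is receiving the guesses (the post ties PID 1664 to inetinfo.exe). It assumes the event descriptions were exported as text blocks separated by blank lines; the sample events, user names and second PID are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: three event descriptions in the layout quoted in the post,
# separated by blank lines. User names and the second PID are made up.
SAMPLE = """\
Reason: Unknown user name or password
User Name: alice
Logon Type: 3
Logon Process: advapi
Caller Process ID: 1664

Reason: Unknown user name or password
User Name: backup
Logon Type: 3
Logon Process: advapi
Caller Process ID: 1664

Reason: Unknown user name or password
User Name: alice
Logon Type: 10
Logon Process: User32
Caller Process ID: 420
"""

FIELD = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")  # split on the first colon

def parse_events(text):
    """Split on blank lines and turn each 'Name: value' block into a dict."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(m.groups() for m in map(FIELD.match, block.splitlines()) if m)
        if fields:
            events.append(fields)
    return events

def summarize(events):
    """Map (logon process, logon type, caller PID) -> (failures, distinct users)."""
    groups = defaultdict(lambda: {"attempts": 0, "users": set()})
    for ev in events:
        key = (ev.get("Logon Process", "?"), ev.get("Logon Type", "?"),
               ev.get("Caller Process ID", "?"))
        groups[key]["attempts"] += 1
        groups[key]["users"].add(ev.get("User Name", "").lower())
    return {k: (v["attempts"], len(v["users"])) for k, v in groups.items()}

if __name__ == "__main__":
    for (proc, ltype, pid), (n, users) in sorted(summarize(parse_events(SAMPLE)).items()):
        print(f"process={proc} type={ltype} pid={pid}: {n} failures, {users} distinct user names")
```

A group whose distinct user name count is close to its failure count matches the random user names described in the post.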