• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 910
  • Last Modified:

IIS Security - Event ID 531

I have one SBS 2003 that is being hit heavily with below:

Reason: Unknown user name or password
User Name: <random>
Logon Type: 3
Logon Process: advapi
Workstation Name: <SERVER>
Caller User Name: <SERVER$>
Caller Domain: <DOMAIN>
Caller Logon ID: (0x0,0x37)
Caller Process ID: 1664

The process that is referenced is inetinfo.exe.

I have searched forums and the only answer I see is that this is all a part of having an internet address. I have my network behind a router/firewall device with various ports forwarded through for SMTP-25, RDP-13389, RWW-443. I do not see the same issue on any other server I have on other networks, so I want to investigate further and perhaps attempt to block these attempts.

We do have a strong password policy internally, but seeing 5000+ attempts within a 24h period seems a bit much.
  • 3
  • 3
1 Solution
Shreedhar EtteCommented:
FlippAuthor Commented:
Correction: Event ID 529.

I have seen this previously answered question, but does not look to present a way to lockdown further or troubleshoot beyond.
Shreedhar EtteCommented:
Please post the event id 529 description.
The Lifecycle Approach to Managing Security Policy

Managing application connectivity and security policies can be achieved more effectively when following a framework that automates repeatable processes and ensures that the right activities are performed in the right order.

FlippAuthor Commented:
Reason:      Unknown user name or bad password
User Name:      111111
Logon Type:      3
Logon Process:      Advapi
Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name:      SERVER01
Caller User Name:      SERVER01$
Caller Domain:      DOMAINNAME
Caller Logon ID:      (0x0,0x3E7)
Caller Process ID:      1664
Transited Services:      -
Source Network Address:      -
Source Port:      -
FlippAuthor Commented:
Looks great - thanks shreedhar. I will process this and come back to you in a few days.
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: Amazon Web Services - Basic

Are you thinking about creating an Amazon Web Services account for your business? Not sure where to start? In this course you’ll get an overview of the history of AWS and take a tour of their user interface.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now