We help IT Professionals succeed at work.

IIS Security - Event ID 531

Medium Priority
947 Views
Last Modified: 2012-06-22
I have one SBS 2003 that is being hit heavily with below:

Reason: Unknown user name or password
User Name: <random>
Domain:
Logon Type: 3
Logon Process: advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: <SERVER>
Caller User Name: <SERVER$>
Caller Domain: <DOMAIN>
Caller Logon ID: (0x0,0x37)
Caller Process ID: 1664

The process that is referenced is inetinfo.exe.

I have searched forums and the only answer I see is that this is all a part of having an internet address. I have my network behind a router/firewall device with various ports forwarded through for SMTP-25, RDP-13389, RWW-443. I do not see the same issue on any other server I have on other networks, so I want to investigate further and perhaps attempt to block these attempts.

We do have a strong password policy internally, but seeing 5000+ attempts within a 24h period seems a bit much.
Comment
Watch Question

Shreedhar EtteTechnical Manager
CERTIFIED EXPERT
Top Expert 2010

Commented:

Author

Commented:
Correction: Event ID 529.

I have seen this previously answered question, but does not look to present a way to lockdown further or troubleshoot beyond.
Shreedhar EtteTechnical Manager
CERTIFIED EXPERT
Top Expert 2010

Commented:
Please post the event id 529 description.

Author

Commented:
Reason:      Unknown user name or bad password
User Name:      111111
Domain:       
Logon Type:      3
Logon Process:      Advapi
Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name:      SERVER01
Caller User Name:      SERVER01$
Caller Domain:      DOMAINNAME
Caller Logon ID:      (0x0,0x3E7)
Caller Process ID:      1664
Transited Services:      -
Source Network Address:      -
Source Port:      -
Technical Manager
CERTIFIED EXPERT
Top Expert 2010
Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION

Author

Commented:
Looks great - thanks shreedhar. I will process this and come back to you in a few days.
TolomirAdministrator
CERTIFIED EXPERT
Top Expert 2005

Commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a sample view!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.