Flipp asked:

IIS Security - Event ID 531

I have one SBS 2003 that is being hit heavily with the below:

Reason: Unknown user name or password
User Name: <random>
Domain:
Logon Type: 3
Logon Process: advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: <SERVER>
Caller User Name: <SERVER$>
Caller Domain: <DOMAIN>
Caller Logon ID: (0x0,0x37)
Caller Process ID: 1664

The process that is referenced is inetinfo.exe.

I have searched forums and the only answer I see is that this is all a part of having an internet address. I have my network behind a router/firewall device with various ports forwarded through for SMTP-25, RDP-13389, RWW-443. I do not see the same issue on any other server I have on other networks, so I want to investigate further and perhaps attempt to block these attempts.

We do have a strong password policy internally, but seeing 5000+ attempts within a 24h period seems a bit much.
Shreedhar Ette

Flipp (ASKER)

Correction: Event ID 529.

I have seen this previously answered question, but it does not look to present a way to lock down further or troubleshoot beyond.

Please post the Event ID 529 description.

Flipp (ASKER)
Reason:      Unknown user name or bad password
User Name:      111111
Domain:       
Logon Type:      3
Logon Process:      Advapi
Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name:      SERVER01
Caller User Name:      SERVER01$
Caller Domain:      DOMAINNAME
Caller Logon ID:      (0x0,0x3E7)
Caller Process ID:      1664
Transited Services:      -
Source Network Address:      -
Source Port:      -
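
A small triage script for failure records in the layout posted above, added here as an example and not part of the original thread: it parses each description into fields and tallies failures per calling process and per user name, and counts how many carry no source address. The sample records are constructed from the posted values; the user name test01 and all function names are assumptions.

```python
from collections import Counter

# Constructed sample in the posted "Key: Value" layout (not real log data).
TEMPLATE = (
    "Reason:\tUnknown user name or bad password\n"
    "User Name:\t{user}\n"
    "Domain:\t\n"
    "Logon Type:\t3\n"
    "Logon Process:\t{proc}\n"
    "Caller Logon ID:\t(0x0,0x3E7)\n"
    "Caller Process ID:\t1664\n"
    "Source Network Address:\t-\n"
)
SAMPLE = [
    TEMPLATE.format(user="111111", proc="Advapi"),
    TEMPLATE.format(user="test01", proc="advapi"),  # hypothetical user name
    TEMPLATE.format(user="111111", proc="Advapi"),
]

def parse_event(description):
    """Parse one event description; empty values and '-' become None."""
    fields = {}
    for line in description.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            value = value.strip()
            fields[key.strip()] = None if value in ("", "-") else value
    return fields

def summarize(descriptions):
    """Tally failures by (logon type, logon process, caller PID) and by user."""
    events = [parse_event(d) for d in descriptions]
    by_caller, users = Counter(), Counter()
    for e in events:
        # The posts show both "advapi" and "Advapi", so fold case for grouping.
        proc = (e.get("Logon Process") or "").lower()
        by_caller[(e.get("Logon Type"), proc, e.get("Caller Process ID"))] += 1
        users[e.get("User Name")] += 1
    no_source = sum(1 for e in events if e.get("Source Network Address") is None)
    return {"total": len(events), "by_caller": by_caller,
            "users": users, "no_source": no_source}

if __name__ == "__main__":
    report = summarize(SAMPLE)
    for caller, count in report["by_caller"].most_common():
        print(caller, count)
    print("user names tried:", report["users"].most_common(5))
    print("records without a source address:", report["no_source"], "of", report["total"])
```

On the posted values every failure groups under caller PID 1664 with no source address recorded, so these records by themselves do not identify the remote client.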

ASKER CERTIFIED SOLUTION
Shreedhar Ette

Flipp (ASKER)

Looks great - thanks shreedhar. I will process this and come back to you in a few days.
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.