Security Event 528

Posted on 2011-05-03
Last Modified: 2012-05-11

Looking for some information on a Security Event that occurs every night (1am-ish) on our 2003 Standard Server.

Any information that you could provide on what it might be would be greatly appreciated!
I am aware that a logon type 2 generally means that someone is logging on in front of the server but the logon process is usually user32 not advapi as it is here.

Many Thanks,

Question by:catsystems
    LVL 4

    Expert Comment

    LVL 7

    Expert Comment

    It seems to be a login of type 8:
    Logon Type 8 – NetworkCleartext

    This logon type indicates a network logon like logon type 3 but where the password was sent over the network in clear text. Windows server doesn’t allow connection to shared files or printers with clear text authentication. The only situations I’m aware of are logons from within an ASP script using the ADVAPI or when a user logs on to IIS using IIS’s basic authentication mode. In both cases the logon process in the event’s description will list advapi. Basic authentication is only dangerous if it isn’t wrapped inside an SSL session (i.e. https). As far as logons generated by an ASP script, remember that embedding passwords in source code is a bad practice for maintenance purposes as well as the risk that someone malicious will view the source code and thereby gain the password.
    (Logon Type Codes Revealed,
    LVL 14

    Expert Comment

    Do you have a program/process running under the administrator account that is attempting to log on using the advapi.dll LogonUser call?
    LVL 10

    Accepted Solution

    A user or an application successfully logged on to a computer. A corresponding event ID 538 will be recorded for the logoff. ADVAPI is the DLL for advanced Windows APIs and is used in a lot of OS-related code. Do you know if MS Exchange is running on this system or connecting to it in any way?
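
An added example, not part of the original thread: one way to triage exported event 528 records by logon type and logon process, and to surface a logon that repeats at the same hour on several nights, as in the question. It assumes events are available as (timestamp, description text) pairs in the Windows Server 2003 description layout; the account, domain and host names in the sample are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Logon type codes used in the "Logon Type" field of event 528.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

def parse_528(description):
    """Split the description text of one event 528 into its named fields."""
    fields = {}
    for line in description.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def triage(fields):
    """Name the logon type and list the checks raised in the thread."""
    code = int(fields["Logon Type"])
    notes = []
    if fields.get("Logon Process", "").lower().startswith("advapi"):
        notes.append("made through advapi (LogonUser, ASP script or IIS basic auth)")
    if code == 8:
        notes.append("clear-text password: confirm basic auth is wrapped in SSL")
    return LOGON_TYPES.get(code, "Unknown"), notes

def nightly_pattern(events, min_days=2):
    """Group by (hour, user, type, process); keep keys seen on min_days+ dates."""
    days = defaultdict(set)
    for stamp, description in events:
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        f = parse_528(description)
        key = (when.hour, f["User Name"].lower(), int(f["Logon Type"]), f["Logon Process"])
        days[key].add(when.date())
    return {key: len(dates) for key, dates in days.items() if len(dates) >= min_days}

# Constructed sample: three exported 528 events (names and times are made up).
TEMPLATE = ("Successful Logon:\n\tUser Name:\t{user}\n\tDomain:\t\tEXAMPLE\n"
            "\tLogon ID:\t\t(0x0,0x1A2B3C)\n\tLogon Type:\t{ltype}\n"
            "\tLogon Process:\t{proc}  \n\tAuthentication Package:\tNegotiate\n"
            "\tWorkstation Name:\tSRV01")
SAMPLE = [
    ("2011-05-01 01:02:11", TEMPLATE.format(user="Administrator", ltype=2, proc="Advapi")),
    ("2011-05-02 01:01:58", TEMPLATE.format(user="administrator", ltype=2, proc="Advapi")),
    ("2011-05-02 09:14:40", TEMPLATE.format(user="jsmith", ltype=8, proc="Advapi")),
]

if __name__ == "__main__":
    for key, count in nightly_pattern(SAMPLE).items():
        print(key, "seen on", count, "nights")
    print(triage(parse_528(SAMPLE[2][1])))
```

A key that recurs at the same hour with the same account points to a scheduled job or service making the call, which narrows the search to whatever runs at that time.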
