Security Event 528

Posted on 2011-05-03
Medium Priority
Last Modified: 2012-05-11

Looking for some information on a Security Event that occurs every night (1am-ish) on our 2003 Standard Server.

event error
Any information that you could provide on what it might be would be greatly appreciated!
I am aware that a logon type 2 generally means that someone is logging on in front of the server but the logon process is usually user32 not advapi as it is here,

Many Thanks,

Question by:catsystems

Expert Comment

ID: 35511469
It seems to be a login of type 8:
Logon Type 8 – NetworkCleartext

This logon type indicates a network logon like logon type 3 but where the password was sent over the network in the clear text. Windows server doesn’t allow connection to shared file or printers with clear text authentication. The only situation I’m aware of are logons from within an ASP script using the ADVAPI or when a user logs on to IIS using IIS’s basic authentication mode. In both cases the logon process in the event’s description will list advapi. Basic authentication is only dangerous if it isn’t wrapped inside an SSL session (i.e. https). As far as logons generated by an ASP, script remember that embedding passwords in source code is a bad practice for maintenance purposes as well as the risk that someone malicious will view the source code and thereby gain the password.
(Logon Type Codes Revealed, http://www.windowsecurity.com/articles/logon-types.html)
LVL 14

Expert Comment

ID: 35511497
Do you have a program/process running under the administrator account and is attempting to
logon using the advapi.dll LogonUser call.
LVL 10

Accepted Solution

pand0ra_usa earned 2000 total points
ID: 35517331
A user or an application successfully logged on to a computer. A corresponding event id 538 will be recorded for the logoff. ADVAPI is the DLL for advanced Windows api's and is used in a lot of OS related code. Do you know if MS Exchange is running on this system or connecting to it in any way?

Featured Post

Get quick recovery of individual SharePoint items

Free tool – Veeam Explorer for Microsoft SharePoint, enables fast, easy restores of SharePoint sites, documents, libraries and lists — all with no agents to manage and no additional licenses to buy.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

With the evolution of technology, we have finally reached a point where it is possible to have home automation features like having your thermostat turn up and door lock itself when you leave, as well as a complete home security system. This is a st…
When you put your credit card number into a website for an online transaction, surely you know to look for signs of a secure website such as the padlock icon in the web browser or the green address bar.  This is one way to protect yourself from oth…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question