Solved

Event ID: 529 is occurring every second in the Security Event log

Posted on 2013-02-07
3
621 Views
Last Modified: 2013-02-11
I am showing just one example of the event in the event log. Event ID occurs almost every second. Is there a way to stop this from happening? This is an SBS 2003 server.....
Event.txt
Question by:csk2512
3 Comments
 
LVL 35

Accepted Solution

by:
Cris Hanna earned 250 total points
ID: 38866930
What are you using for a firewall? Is port 3389 open?

Don't know what part of the world you're in, but basically someone is attempting to log on to your network from the IP you show in the log using an account named admin. These are common attacks when 3389 is open. People will just keep banging away trying to gain access.

Close port 3389 and I bet these go away.

BTW here's where that IP is located
http://www.findip-address.com/207.112.46.100
0
 
LVL 62

Expert Comment

by:btan
ID: 38867684
Common causes for invalid logon events:
- Forgotten passwords, someone is entering the wrong password.
- An unauthorized individual is trying to gain access to the network.
- There is a persistent network connection with an invalid password.
- There is a service using a user account with an invalid password.
- Trust relationship has been broken.

Logon type = 10 = RDP
This implies you have the RDP port open (3388).

Your options (As far as I can see) are:

- Disable port forwarding on the firewall for this port and use the built-in Remote Web Workplace.
- Restrict (on the firewall) the allowed source IP to your own (so only you can connect in).
- Restrict (using IPSEC on the server) the allowed source IP to your own (so only you can connect in).
- Passwords must be strong and changed regularly.
- Or have the true administrator account disabled in SBS, reducing the exposure of such a high-privilege admin account (use another username instead of the usual "admin", etc.).
0
 
LVL 43

Assisted Solution

by:Davis McCarn
Davis McCarn earned 250 total points
ID: 38867968
Plain and simple: someone in Canada is trying to hack into your system.
Nice program to fetch Whois info: http://www.nirsoft.net/utils/ipnetinfo.html

And you have two choices:
1) Compile a list of the allowed IP addresses for remote desktop connections and set up IPsec rules to only allow those to access the server: http://www.analogx.com/contents/articles/ipsec.htm (don't forget to allow the local network!)
2) I found a neat utility at Tweaking.com that monitors all RDP IP addresses and gives you another utility which automatically sets an IPsec rule to block those IPs: http://www.tweaking.com/content/page/remote_desktop_ip_monitor_blocker.html
If you do a little research, you can also go to the IPsec policy and change an IP you already blocked to the entire range, which will let you slowly block all of Russia, China, etcetera.

It would also be a good idea to make the administrator password really nasty!
0
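As an added example (not code from the thread or from any of the tools linked above), a small Python script that reads a Windows Server 2003 Security log saved as text, keeps only Event ID 529 records with logon type 10 (RDP), and tallies them per source address, so a source that keeps failing stands out as a candidate for the firewall or IPsec restrictions the answers recommend. The log sample, the record layout and the threshold are constructed for the example; the 207.112.46.100 address is the one named in the thread.

```python
import re
from collections import defaultdict

# Constructed approximation of one 529 record as Event Viewer saves it to text;
# only the fields the parser needs are included.
RECORD = (
    "Event Type:\tFailure Audit\nEvent Source:\tSecurity\nEvent ID:\t{eid}\n"
    "Date:\t\t2/7/2013\nTime:\t\t{time}\nComputer:\tSBS\nDescription:\n"
    "Logon Failure:\n \tReason:\t\tUnknown user name or bad password\n"
    " \tUser Name:\t{user}\n \tDomain:\t\tSBS\n \tLogon Type:\t{ltype}\n"
    " \tSource Network Address:\t{ip}\n \tSource Port:\t0\n\n"
)

# Constructed sample: (event id, user name, logon type, source address, time)
SAMPLE_EVENTS = [
    ("529", "admin", "10", "207.112.46.100", "10:15:01 AM"),
    ("529", "admin", "10", "207.112.46.100", "10:15:02 AM"),
    ("529", "administrator", "10", "207.112.46.100", "10:15:03 AM"),
    ("529", "admin", "10", "207.112.46.100", "10:15:04 AM"),
    ("529", "jsmith", "10", "192.168.16.5", "10:16:30 AM"),  # one typo by a real user
    ("529", "backupsvc", "3", "192.168.16.7", "10:17:00 AM"),  # network logon, not RDP
]
SAMPLE_LOG = "".join(
    RECORD.format(eid=e, user=u, ltype=t, ip=i, time=tm) for e, u, t, i, tm in SAMPLE_EVENTS
)

# One "Label:<tabs>value" line; the ^ anchor keeps "Caller User Name:" from matching.
FIELD = re.compile(
    r"^\s*(Event ID|Time|User Name|Logon Type|Source Network Address):\t+(.*?)\s*$", re.M
)

def parse_events(text):
    """Split the saved log into records and return one dict of fields per record."""
    return [dict(FIELD.findall(chunk)) for chunk in text.split("Event Type:")[1:]]

def rdp_failures_by_source(text, threshold=3):
    """Return {source ip: (failure count, sorted user names)} for sources with at
    least `threshold` Event 529 / logon type 10 failures; other events are ignored."""
    hits = defaultdict(lambda: [0, set()])
    for ev in parse_events(text):
        if ev.get("Event ID") != "529" or ev.get("Logon Type") != "10":
            continue
        ip = ev.get("Source Network Address", "-")
        hits[ip][0] += 1
        hits[ip][1].add(ev.get("User Name", "?"))
    return {ip: (n, sorted(users)) for ip, (n, users) in hits.items() if n >= threshold}

if __name__ == "__main__":
    for ip, (count, users) in rdp_failures_by_source(SAMPLE_LOG).items():
        print(f"{ip}: {count} RDP logon failures, accounts tried: {', '.join(users)}")
```

The single failure from 192.168.16.5 stays below the threshold, so only the repeating external source is reported.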
