[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 631
  • Last Modified:

Event ID: 529 is occuring every second in the Security Event log

I am showing just one example of the event in the event log. Event ID occurs almost every second. Is there a way to stop this from happening? This is an SBS 2003 server.....
Event.txt
0
csk2512
Asked:
csk2512
2 Solutions
 
Cris HannaCommented:
What are you using for a firewall?   Is port 3389 open?

Don't know what part of the world your in but basically someone is attempting to logon to you network from the IP you show in the log using an account named admin.   These are common attacks when 3389 is open.  People will just keep banging away trying to gain access.

Close port 3389 and I bet these go away.

BTW here's where that IP is located
http://www.findip-address.com/207.112.46.100
0
 
btanExec ConsultantCommented:
Common causes for invalid logon events:
- Forgotten passwords, someone is entering the wrong password.
- An unauthorized individual is trying to gain access to the network.
- There is a persistent network connection with an invalid password.
- There is a service using a user account with an invalid password.
- Trust relationship has been broken.

Logon type = 10 = RDP
This implies you have the RDP port open (3388).

Your options (As far as I can see) are:

Disable port forwarding on the firewall for this port and use the built in Remote Web Workplace. Restrict (on firewall) the allowed source ip to your one (so only you can connect in). Restrict (using IPSEC on the server) the allowed source ip to your one (so only you can connect in.. Passwords, must be strong and changed regularly.  Or have the true administrator acount disabled in SBS - reduced exposure of such high admin priviledge account ...(do have other username instead of the usual "admin" etc)
0
 
Davis McCarnOwnerCommented:
Plain and simple; someone in Canada is trying to hack into your system.
Nice program to fetch Whois info: http://www.nirsoft.net/utils/ipnetinfo.html

And you have two choices:
1) Compile a list of the allowed ip addresses for remote destop connections and setup ipsec rules to only allow those to access the server: http://www.analogx.com/contents/articles/ipsec.htm (don't forget to allow the local network!)
2) I found a neat utility at Tweaking.com that monitors all RDP ip addresses and gives you another utility which automatically sets an ipsec rule to block those ip's: http://www.tweaking.com/content/page/remote_desktop_ip_monitor_blocker.html
If you do a little research, you can also go to the ipsec policy and change an ip you already blocked to the entire range which will let you slowly block all of Russia, China, etcetera.

It would also be a good idea to make the administrator password really nasty!
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now