Solved

Event ID: 529 is occurring every second in the Security Event log

Posted on 2013-02-07
Last Modified: 2013-02-11
I am showing just one example of the event in the event log. The event occurs almost every second. Is there a way to stop this from happening? This is an SBS 2003 server.
Event.txt
Question by:csk2512
3 Comments
 
LVL 35

Accepted Solution

by:
Cris Hanna earned 250 total points
ID: 38866930
What are you using for a firewall?   Is port 3389 open?

Don't know what part of the world you're in, but basically someone is attempting to log on to your network from the IP you show in the log using an account named admin. These are common attacks when 3389 is open. People will just keep banging away trying to gain access.

Close port 3389 and I bet these go away.

BTW here's where that IP is located
http://www.findip-address.com/207.112.46.100
0
 
LVL 62

Expert Comment

by:btan
ID: 38867684
Common causes for invalid logon events:
- Forgotten passwords, someone is entering the wrong password.
- An unauthorized individual is trying to gain access to the network.
- There is a persistent network connection with an invalid password.
- There is a service using a user account with an invalid password.
- Trust relationship has been broken.

Logon type = 10 = RDP
This implies you have the RDP port open (3388).

Your options (As far as I can see) are:

- Disable port forwarding on the firewall for this port and use the built-in Remote Web Workplace.
- Restrict (on the firewall) the allowed source IP to your own (so only you can connect in).
- Restrict (using IPsec on the server) the allowed source IP to your own (so only you can connect in).
- Passwords must be strong and changed regularly.
- Or have the true administrator account disabled in SBS, for reduced exposure of such a high-privilege admin account (do have another username instead of the usual "admin", etc.).
0
 
LVL 43

Assisted Solution

by:Davis McCarn
Davis McCarn earned 250 total points
ID: 38867968
Plain and simple; someone in Canada is trying to hack into your system.
Nice program to fetch Whois info: http://www.nirsoft.net/utils/ipnetinfo.html

And you have two choices:
1) Compile a list of the allowed IP addresses for remote desktop connections and set up IPsec rules to only allow those to access the server: http://www.analogx.com/contents/articles/ipsec.htm (don't forget to allow the local network!)
2) I found a neat utility at Tweaking.com that monitors all RDP ip addresses and gives you another utility which automatically sets an ipsec rule to block those ip's: http://www.tweaking.com/content/page/remote_desktop_ip_monitor_blocker.html
If you do a little research, you can also go to the ipsec policy and change an ip you already blocked to the entire range which will let you slowly block all of Russia, China, etcetera.

It would also be a good idea to make the administrator password really nasty!
0
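
The triage the answers describe (logon type 10 plus a repeating source address) can be run over an export of the Security log. The following is an added example, not code from any of the posters: the event text is a constructed, abbreviated Event ID 529 description, and all addresses, account names, the threshold and the window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, abbreviated Event ID 529 description (field labels as Windows
# Server 2003 writes them); every address and name below is sample data.
TEMPLATE = ("Logon Failure:\n\tReason:\tUnknown user name or bad password\n"
            "\tUser Name:\t{user}\n\tDomain:\t\n\tLogon Type:\t{ltype}\n"
            "\tSource Network Address:\t{ip}\n\tSource Port:\t{port}\n")
FIELDS = re.compile(r"User Name:[ \t]*(?P<user>[^\r\n]*).*?"
                    r"Logon Type:[ \t]*(?P<ltype>\d+).*?"
                    r"Source Network Address:[ \t]*(?P<ip>[\d.]+)", re.S)

def parse_529(description):
    """Return (user, logon_type, source_ip), or None if the text does not match."""
    m = FIELDS.search(description)
    if not m:
        return None
    return m.group("user").strip(), int(m.group("ltype")), m.group("ip")

def rdp_bruteforce_sources(events, threshold=10, window=timedelta(minutes=1)):
    """Map each source IP with >= threshold type-10 failures inside one window
    to the sorted account names it tried."""
    by_ip = defaultdict(list)
    for ts, desc in events:
        parsed = parse_529(desc)
        if parsed and parsed[1] == 10:          # 10 = RemoteInteractive (RDP)
            by_ip[parsed[2]].append((ts, parsed[0]))
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):            # sliding time window
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({user for _, user in hits})
                break
    return flagged

def sample_events():
    t0 = datetime(2013, 2, 7, 9, 0, 0)
    mk = lambda sec, user, ltype, ip: (t0 + timedelta(seconds=sec),
        TEMPLATE.format(user=user, ltype=ltype, ip=ip, port=4000 + sec % 1000))
    # One guess per second over RDP from an outside address.
    events = [mk(i, ("admin", "administrator")[i % 2], 10, "203.0.113.7") for i in range(30)]
    # A user mistyping a password twice, five minutes apart.
    events += [mk(s, "jsmith", 10, "192.168.16.20") for s in (0, 300)]
    # A service with a stale password: frequent, but network logon (type 3).
    events += [mk(i, "svc_backup", 3, "192.168.16.30") for i in range(20)]
    return events

if __name__ == "__main__":
    print(rdp_bruteforce_sources(sample_events()))
```

Only the outside address is flagged; the mistyped password and the type 3 service failures fall under the other causes listed in the second answer and need a different fix than a firewall or IPsec rule.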
