
Event ID: 529 is occurring every second in the Security Event log

Posted on 2013-02-07
Last Modified: 2013-02-11
I am showing just one example of the event in the event log. Event ID occurs almost every second. Is there a way to stop this from happening? This is an SBS 2003 server.
Event.txt
Question by:csk2512

Accepted Solution

by: Cris Hanna
Cris Hanna earned 1000 total points
ID: 38866930
What are you using for a firewall? Is port 3389 open?

Don't know what part of the world you're in, but basically someone is attempting to log on to your network from the IP you show in the log using an account named admin. These are common attacks when 3389 is open. People will just keep banging away trying to gain access.

Close port 3389 and I bet these go away.

BTW here's where that IP is located
http://www.findip-address.com/207.112.46.100

Expert Comment

by:btan
ID: 38867684
Common causes for invalid logon events:
- Forgotten passwords, someone is entering the wrong password.
- An unauthorized individual is trying to gain access to the network.
- There is a persistent network connection with an invalid password.
- There is a service using a user account with an invalid password.
- Trust relationship has been broken.

Logon type = 10 = RDP
This implies you have the RDP port open (3388).

Your options (as far as I can see) are:

- Disable port forwarding on the firewall for this port and use the built-in Remote Web Workplace.
- Restrict (on the firewall) the allowed source IP to your one (so only you can connect in).
- Restrict (using IPsec on the server) the allowed source IP to your one (so only you can connect in).
- Passwords must be strong and changed regularly.
- Or have the true administrator account disabled in SBS - reduced exposure of such a high admin privilege account ... (do have another username instead of the usual "admin" etc.)

Assisted Solution

by:Davis McCarn
Davis McCarn earned 1000 total points
ID: 38867968
Plain and simple; someone in Canada is trying to hack into your system.
Nice program to fetch Whois info: http://www.nirsoft.net/utils/ipnetinfo.html

And you have two choices:
1) Compile a list of the allowed IP addresses for remote desktop connections and set up IPsec rules to only allow those to access the server: http://www.analogx.com/contents/articles/ipsec.htm (don't forget to allow the local network!)
2) I found a neat utility at Tweaking.com that monitors all RDP IP addresses and gives you another utility which automatically sets an IPsec rule to block those IPs: http://www.tweaking.com/content/page/remote_desktop_ip_monitor_blocker.html
If you do a little research, you can also go to the IPsec policy and change an IP you already blocked to the entire range, which will let you slowly block all of Russia, China, etcetera.

It would also be a good idea to make the administrator password really nasty!
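Added example, not part of any post in this thread: a Python sketch that triages exported Event 529 descriptions the way the answers above suggest, counting Logon Type 10 failures per source address and skipping addresses on an allowlist that includes the local network. It assumes the Windows Server 2003 description layout with `User Name`, `Logon Type` and `Source Network Address` fields; the sample events, addresses, allowlist and function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

FIELD = re.compile(r"^[ \t]*([^:\n]+):[ \t]*(.*)$", re.M)

def parse_529(description):
    """Split an Event 529 description into a {field name: value} dict."""
    return {k.strip(): v.strip() for k, v in FIELD.findall(description)}

def rdp_failure_sources(events, allowed_nets, threshold=3):
    """Summarise Logon Type 10 failures from addresses outside allowed_nets.

    Returns {source_ip: {"failures": n, "accounts": [names tried]}} for every
    source with at least `threshold` failures."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    seen = defaultdict(lambda: {"failures": 0, "accounts": set()})
    for description in events:
        fields = parse_529(description)
        if fields.get("Logon Type") != "10":      # 10 = RDP / Terminal Services
            continue
        try:
            ip = ipaddress.ip_address(fields.get("Source Network Address", ""))
        except ValueError:                         # "-" or field missing
            continue
        if any(ip in net for net in nets):         # LAN or an approved remote IP
            continue
        seen[str(ip)]["failures"] += 1
        seen[str(ip)]["accounts"].add(fields.get("User Name", ""))
    return {ip: {"failures": s["failures"], "accounts": sorted(s["accounts"])}
            for ip, s in seen.items() if s["failures"] >= threshold}

def make_event(user, logon_type, source):
    """Build one constructed Event 529 description (assumed 2003 layout)."""
    return ("Logon Failure:\n\tReason:\t\tUnknown user name or bad password\n"
            f"\tUser Name:\t{user}\n\tDomain:\t\tEXAMPLE\n"
            f"\tLogon Type:\t{logon_type}\n\tLogon Process:\tUser32\n"
            f"\tSource Network Address:\t{source}\n\tSource Port:\t4021\n")

# Constructed sample data; addresses are documentation ranges, not from the thread.
SAMPLE = ([make_event("admin", 10, "203.0.113.50")] * 3
          + [make_event("administrator", 10, "203.0.113.50"),
             make_event("jsmith", 10, "192.168.16.20"),    # LAN user, allowed
             make_event("backup", 3, "198.51.100.7"),      # network logon, not RDP
             make_event("admin", 10, "198.51.100.9"),      # below threshold
             make_event("admin", 10, "-")])                # no address logged
ALLOWED = ["192.168.16.0/24", "203.0.113.200/32"]          # assumed allowlist

if __name__ == "__main__":
    for ip, info in rdp_failure_sources(SAMPLE, ALLOWED).items():
        print(ip, info["failures"], ", ".join(info["accounts"]))
```

Sources that clear the threshold are the candidates for a firewall or IPsec block; the same allowlist is what the restrict-by-source-IP options would permit.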
