Solved

Event ID: 529 is occuring every second in the Security Event log

Posted on 2013-02-07
3
626 Views
Last Modified: 2013-02-11
I am showing just one example of the event in the event log. Event ID occurs almost every second. Is there a way to stop this from happening? This is an SBS 2003 server.....
Event.txt
0
Comment
Question by:csk2512
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 35

Accepted Solution

by:
Cris Hanna earned 250 total points
ID: 38866930
What are you using for a firewall?   Is port 3389 open?

Don't know what part of the world your in but basically someone is attempting to logon to you network from the IP you show in the log using an account named admin.   These are common attacks when 3389 is open.  People will just keep banging away trying to gain access.

Close port 3389 and I bet these go away.

BTW here's where that IP is located
http://www.findip-address.com/207.112.46.100
0
 
LVL 63

Expert Comment

by:btan
ID: 38867684
Common causes for invalid logon events:
- Forgotten passwords, someone is entering the wrong password.
- An unauthorized individual is trying to gain access to the network.
- There is a persistent network connection with an invalid password.
- There is a service using a user account with an invalid password.
- Trust relationship has been broken.

Logon type = 10 = RDP
This implies you have the RDP port open (3388).

Your options (As far as I can see) are:

Disable port forwarding on the firewall for this port and use the built in Remote Web Workplace. Restrict (on firewall) the allowed source ip to your one (so only you can connect in). Restrict (using IPSEC on the server) the allowed source ip to your one (so only you can connect in.. Passwords, must be strong and changed regularly.  Or have the true administrator acount disabled in SBS - reduced exposure of such high admin priviledge account ...(do have other username instead of the usual "admin" etc)
0
 
LVL 43

Assisted Solution

by:Davis McCarn
Davis McCarn earned 250 total points
ID: 38867968
Plain and simple; someone in Canada is trying to hack into your system.
Nice program to fetch Whois info: http://www.nirsoft.net/utils/ipnetinfo.html

And you have two choices:
1) Compile a list of the allowed ip addresses for remote destop connections and setup ipsec rules to only allow those to access the server: http://www.analogx.com/contents/articles/ipsec.htm (don't forget to allow the local network!)
2) I found a neat utility at Tweaking.com that monitors all RDP ip addresses and gives you another utility which automatically sets an ipsec rule to block those ip's: http://www.tweaking.com/content/page/remote_desktop_ip_monitor_blocker.html
If you do a little research, you can also go to the ipsec policy and change an ip you already blocked to the entire range which will let you slowly block all of Russia, China, etcetera.

It would also be a good idea to make the administrator password really nasty!
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question