Microsoft SBS 2003 Security Events

We use GFI Server monitoring, and we are experiencing 5 security events that repeatedly alert us from the Security Event Log. The total amount of alerts can reach into their thousands within the week. The alert descriptions indicate that the security event is triggered from internal users, computers and IP addresses.

There are 2 sites linked via a VPN. The primary site uses, whilst the remote site uses

The alerts in question relate to the following Event IDs:

For further clarity, please see attached document providing event logs as extracted from the SBS Server, with accompanying notes at the bottom of each event.

I would like to identify the cause and resolution of each event.

Thank you in advance.
swan_solutionsAuthor Commented:
No resolution found on this issue
Alan HardistyCo-OwnerCommented:
What ports do you have open and forwarded to the server because a lot of them may be external hackers trying to break into your server using port 3389 for example.

Another problem with SBS is hackers trying port 25 to work out a username / password combo that works and my article can help sort that problem out for you:


swan_solutionsAuthor Commented:
The following ports are open:

Destination - SBS Server
(access from specific destinations only - not open to general public)

Destination - Analysis Computer using IP
12340 to 12360
(now closed as there is no further requirement for these ports to be open)

On the point of SMTP, we have redirected port 77 (public) to port 25 (private). SMTP is routed via an external party and has been restricted to specific IP ranges.

Alan HardistyCo-OwnerCommented:
No problems - if you don't use port 25 directly, then that will not be a problem.

Do you use IMAP?  Any reason to have that working as you shouldn't need it normally.

It seems to be that HPC009 is generating / appearing in a lot of the errors you are seeing.  Is there anything on that PC that shouldn't be there?

Have you run an AV / Malware scan on it?

Is the user having problems authenticating?

Others may be OWA problems as they are coming from the server itself (

What is your server internal IP address?

swan_solutionsAuthor Commented:
I have disabled the IMAP port as this is no longer in use.

I will investigate HPC009 and any user/AV/Malware related issues and report back on this.

When you say OWA problems, does anything specific spring to mind?

The server IP is

Alan HardistyCo-OwnerCommented:
When I refer to OWA - it may be people failing to login to OWA which could be a genuine user or a hacker / script kiddie trying to break in that way.

swan_solutionsAuthor Commented:
Other suggestions did not resolve this issue
Question has a verified solution.
