Re: Security Event Log problem

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 10/21/05


Date: Fri, 21 Oct 2005 13:07:23 -0500

At that time someone tried to log on to the computer using the administrator
account but failed. If it is an isolated event I would not worry too much.
If it happens a lot then someone may be trying to hack your computer.

--- Steve

"Felix" <Felix@discussions.microsoft.com> wrote in message
news:AD1BB62A-9571-42E4-8309-749AF3D88B96@microsoft.com...
> Hi there,
>
> The following security event logs are generated on our Windows 2003 server.
> The event ID 529 is shown even though I have not logged on to the server.
> Does anyone know why these logs are generated? Many thanks.
>
> 2005/10/18 10:14:24 AM SECURITY Audit Success System Event 513
> RTGSMIS-NT1 Windows is shutting down.
> All logon sessions will be terminated by this shutdown.
>
> 2005/10/18 10:17:14 AM Security Audit Failure Logon/Logoff 529 NT
> AUTHORITY\SYSTEM
> RTGSMIS-NT1 Logon Failure:
> Reason: Unknown user name or bad password
> User Name: Administrator
> Domain:
> Logon Type: 2
> Logon Process: Advapi
> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Workstation Name: RTGSMIS-NT1
> Caller User Name: RTGSMIS-NT1$
> Caller Domain: WORKGROUP
> Caller Logon ID: (0x0,0x3E7)
> Caller Process ID: 1872
> Transited Services: -
> Source Network Address: -
> Source Port: -
>
> 2005/10/18 10:17:15 AM Security Audit Failure Logon/Logoff 529 NT
> AUTHORITY\SYSTEM
> RTGSMIS-NT1 Logon Failure:
> Reason: Unknown user name or bad password
> User Name: Administrator
> Domain: RTGSMIS-NT1
> Logon Type: 2
> Logon Process: Advapi
> Authentication Package: Negotiate
> Workstation Name: RTGSMIS-NT1
> Caller User Name: RTGSMIS-NT1$
> Caller Domain: WORKGROUP
> Caller Logon ID: (0x0,0x3E7)
> Caller Process ID: 1964
> Transited Services: -
> Source Network Address: -
> Source Port: -
>
> 2005/10/18 10:17:15 AM Security Audit Failure Logon/Logoff 529 NT
> AUTHORITY\SYSTEM
> RTGSMIS-NT1 Logon Failure:
> Reason: Unknown user name or bad password
> User Name: Administrator
> Domain: RTGSMIS-NT1
> Logon Type: 2
> Logon Process: Advapi
> Authentication Package: Negotiate
> Workstation Name: RTGSMIS-NT1
> Caller User Name: RTGSMIS-NT1$
> Caller Domain: WORKGROUP
> Caller Logon ID: (0x0,0x3E7)
> Caller Process ID: 1964
> Transited Services: -
> Source Network Address: -
> Source Port: -
>
> 2005/10/18 10:17:15 AM Security Audit Failure Logon/Logoff 529 NT
> AUTHORITY\SYSTEM
> RTGSMIS-NT1 Logon Failure:
> Reason: Unknown user name or bad password
> User Name: Administrator
> Domain: RTGSMIS-NT1
> Logon Type: 2
> Logon Process: Advapi
> Authentication Package: Negotiate
> Workstation Name: RTGSMIS-NT1
> Caller User Name: RTGSMIS-NT1$
> Caller Domain: WORKGROUP
> Caller Logon ID: (0x0,0x3E7)
> Caller Process ID: 236
> Transited Services: -
> Source Network Address: -
> Source Port: -
>
> 2005/10/18 10:17:15 AM Security Audit Failure Logon/Logoff 529 NT
> AUTHORITY\SYSTEM
> RTGSMIS-NT1 Logon Failure:
> Reason: Unknown user name or bad password
> User Name: Administrator
> Domain: RTGSMIS-NT1
> Logon Type: 2
> Logon Process: Advapi
> Authentication Package: Negotiate
> Workstation Name: RTGSMIS-NT1
> Caller User Name: RTGSMIS-NT1$
> Caller Domain: WORKGROUP
> Caller Logon ID: (0x0,0x3E7)
> Caller Process ID: 268
> Transited Services: -
> Source Network Address: -
> Source Port: -
>
> 2005/10/18 10:17:21 AM Security Audit Failure Logon/Logoff 529 NT
> AUTHORITY\SYSTEM
> RTGSMIS-NT1 Logon Failure:
> Reason: Unknown user name or bad password
> User Name: Administrator
> Domain: RTGSMIS-NT1
> Logon Type: 2
> Logon Process: Advapi
> Authentication Package: Negotiate
> Workstation Name: RTGSMIS-NT1
> Caller User Name: RTGSMIS-NT1$
> Caller Domain: WORKGROUP
> Caller Logon ID: (0x0,0x3E7)
> Caller Process ID: 2044
> Transited Services: -
> Source Network Address: -
> Source Port: -
>
> 2005/10/18 10:17:23 AM Security Audit Failure Logon/Logoff 529 NT
> AUTHORITY\SYSTEM
> RTGSMIS-NT1 Logon Failure:
> Reason: Unknown user name or bad password
> User Name: Administrator
> Domain: RTGSMIS-NT1
> Logon Type: 2
> Logon Process: Advapi
> Authentication Package: Negotiate
> Workstation Name: RTGSMIS-NT1
> Caller User Name: RTGSMIS-NT1$
> Caller Domain: WORKGROUP
> Caller Logon ID: (0x0,0x3E7)
> Caller Process ID: 268
> Transited Services: -
> Source Network Address: -
> Source Port: -
>
> Regards,
> Felix
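
One way to triage a batch of event 529 records like those quoted above, as an added example that is not part of either poster's message: it parses the text export, checks whether the failures form a burst, and separates failures raised by local SYSTEM processes from ones with a recorded network source. The function names, the burst threshold (5 failures in one minute), the one-header-per-line layout and the placeholder host name `HOST1` are assumptions; the sample records are constructed from the times and process IDs in the quoted events.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

HEADER = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d [AP]M) .*\b529\b", re.M)
FIELD = re.compile(r"^[ \t]*([A-Za-z ]+):[ \t]*(.*)$", re.M)
LOGON_TYPES = {"2": "interactive", "3": "network", "10": "remote interactive"}

def parse_529(text):
    """Split exported log text into event 529 records (field name -> value)."""
    heads = list(HEADER.finditer(text))
    events = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        ev = {k.strip(): v.strip() for k, v in FIELD.findall(text[h.end():end])}
        ev["time"] = datetime.strptime(h.group(1), "%Y/%m/%d %I:%M:%S %p")
        events.append(ev)
    return events

def triage(events, threshold=5, window=timedelta(minutes=1)):
    """Summarise failures. threshold/window are assumed values, tune per site."""
    times = sorted(e["time"] for e in events)
    burst = any(times[i + threshold - 1] - times[i] <= window
                for i in range(len(times) - threshold + 1))
    # "-" in Source Network Address means no network origin was recorded.
    remote = Counter(e["Source Network Address"] for e in events
                     if e.get("Source Network Address", "-") != "-")
    # Caller Logon ID 0x3E7 is the Local System session: a local process running
    # as SYSTEM made the call; its PID identifies that process while it runs.
    system_pids = sorted({int(e["Caller Process ID"]) for e in events
                          if "0x3E7" in e.get("Caller Logon ID", "")
                          and e.get("Caller Process ID", "").isdigit()})
    types = Counter(LOGON_TYPES.get(e.get("Logon Type"), "other") for e in events)
    return {"failures": len(events), "burst": burst, "remote_sources": remote,
            "local_system_pids": system_pids, "logon_types": types}

def make_sample():
    """Constructed records: layout, times and PIDs follow the quoted events;
    HOST1 is a placeholder host name."""
    rows = [("10:17:14", 1872), ("10:17:15", 1964), ("10:17:15", 236),
            ("10:17:21", 2044), ("10:17:23", 268)]
    tmpl = ("2005/10/18 {t} AM Security Audit Failure Logon/Logoff 529 NT AUTHORITY\\SYSTEM\n"
            "HOST1 Logon Failure:\n Reason: Unknown user name or bad password\n"
            " User Name: Administrator\n Domain: HOST1\n Logon Type: 2\n"
            " Logon Process: Advapi\n Caller Logon ID: (0x0,0x3E7)\n"
            " Caller Process ID: {p}\n Source Network Address: -\n Source Port: -\n\n")
    return "".join(tmpl.format(t=t, p=p) for t, p in rows)

if __name__ == "__main__":
    print(triage(parse_529(make_sample())))
```

An empty `remote_sources` together with a populated `local_system_pids` list points the investigation at processes on the server itself rather than at a network client.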


