Re: Masses of 529 Errors!



Thanks again, Svyatoslav.

I posted here because it looked like a security issue to me. I will have a
look at snort.

Cheers,
Bill

"S. Pidgorny <MVP>" <slavickp@xxxxxxxxx> wrote in message
news:%230E7hfElHHA.4960@xxxxxxxxxxxxxxxxxxxxxxx
I would analyse traffic coming through the Internet to see if there is a
correlation between connection attempts and the failed logon attempt. I
would also consider implementing a network intrusion detection system (like
Snort - www.snort.org - it's free and runs on Windows) for such monitoring.

Also please post the question to SBS newsgroups.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Bill Glidden" <billyg1943@xxxxxxxxxxx> wrote in message
news:e8c5btDlHHA.4592@xxxxxxxxxxxxxxxxxxxxxxx
Thanks, Svyatoslav.

I am running SBS 2K3 with ISA 2004 behind a firewall/router:

Internet -- router -- SBS/ISA -- local LAN

What can I do about this, please?

Cheers,
Bill

"S. Pidgorny <MVP>" <slavickp@xxxxxxxxx> wrote in message
news:O9KKrcDlHHA.596@xxxxxxxxxxxxxxxxxxxxxxx
A splash in botnet activity?

The access is denied, which is a good thing. Filling up the logs is
something to worry about.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Bill Glidden" <billyg1943@xxxxxxxxxxx> wrote in message
news:%23%23a1PiClHHA.4628@xxxxxxxxxxxxxxxxxxxxxxx
I have often seen these errors in the security log at the rate of up to
hundreds in a 24 hour period, but in the last 24 hours I had 107,710 of
them. Is this something I should be worrying about? Obviously the fact
that I know about it means that who/whatever is doing this is
unsuccessful. Below is pasted one of the events:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 11/05/2007
Time: 10:20:37 PM
User: NT AUTHORITY\SYSTEM
Computer: <my sbs server>
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: anonymous
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: <my sbs server>
User Name: <my sbs server>
Caller Domain: <my domain>
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1216
Transited Services: -
Source Network Address: -
Source Port: -

Advice most welcome, please.

Bill
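
The pasted event records no source address, so the correlation suggested in the thread has to use perimeter logs. The sketch below is an added example, not code from any poster: it assumes an exported event text in the layout shown above, day/month/year dates, a hypothetical perimeter log of (timestamp, source IP, port) tuples, and a 5-second window; all sample values are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the field layout of the event pasted in the thread.
EVENT = """Event ID: 529
Date: 11/05/2007
Time: 10:20:37 PM
User Name: anonymous
Logon Process: Advapi
Caller Process ID: 1216
Source Network Address: -
"""
EVENTS = EVENT + "\n" + EVENT.replace("10:20:37", "10:20:39")

# Constructed perimeter log (timestamp, source IP, port); RFC 5737 addresses.
CONNS = [
    ("2007-05-11 22:20:36", "203.0.113.7", 21),
    ("2007-05-11 22:20:38", "203.0.113.7", 21),
    ("2007-05-11 22:05:00", "198.51.100.9", 443),
]

def parse_529(text):
    """Yield a dict per Event ID 529 block. Assumes day/month/year dates."""
    for block in text.strip().split("\n\n"):
        pairs = (ln.split(":", 1) for ln in block.splitlines() if ":" in ln)
        ev = {k.strip(): v.strip() for k, v in pairs}
        if ev.get("Event ID") == "529":
            ev["when"] = datetime.strptime(
                f'{ev["Date"]} {ev["Time"]}', "%d/%m/%Y %I:%M:%S %p")
            yield ev

def local_callers(events):
    """Group failures by the fields the event does record."""
    return Counter((e["User Name"], e["Logon Process"],
                    e["Caller Process ID"]) for e in events)

def correlate(events, conns, window=timedelta(seconds=5)):
    """Count connections seen up to `window` before each failed logon."""
    hits = Counter()
    for ev in events:
        for ts, src, port in conns:
            age = ev["when"] - datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
            if timedelta(0) <= age <= window:
                hits[(src, port)] += 1
    return hits

if __name__ == "__main__":
    evs = list(parse_529(EVENTS))
    print(local_callers(evs), correlate(evs, CONNS))
```

A source and port that dominate the `correlate` tally identify the listener to examine; the `local_callers` grouping shows which local process ID is submitting the failed logons.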










