Event id's 529 and 681

From: Rob Brown (rob_at_vunetusa.com)
Date: 07/22/03


Date: Tue, 22 Jul 2003 11:39:23 -0700


I have a few workstations that occasionally generate a pair of event id's
529 and 681 across every server on my domain. (SEE BELOW)
The configuration is:
Servers members of SERVERS domain.
Desktops members of WORKGROUP. Not members of SERVERS domain.
Desktops are on different subnet than servers. Users do not have local
accounts on servers.

I HAVE virus scanned the machines and not found any virus.
What else would cause the workstations to try to authenticate to every
server?
Would a user browsing the SERVERS domain with network neighborhood cause
this?
I know that these are probably "normal" failure events, but am wondering if
there is a way to "weed out" the known workstations from malicious attempts
from outside, since in this case, they generate the same error signatures.

===========================
These 2 events are generated at the same time across all machines on the
domain:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 7/21/2003
Time: 3:02:33 PM
User: NT AUTHORITY\SYSTEM
Computer: SERVER1
Description:
Logon Failure:
  Reason: Unknown user name or bad password
  User Name: Someuser
  Domain: WORKSTATION1
  Logon Type: 3
  Logon Process: NtLmSsp
  Authentication Package: NTLM
  Workstation Name: WORKSTATION1

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 681
Date: 7/21/2003
Time: 3:02:33 PM
User: NT AUTHORITY\SYSTEM
Computer: SERVER1
Description:
The logon to account: Someuser
 by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 from workstation: WORKSTATION1
 failed. The error code was: 3221225572
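
An added example, not part of the original post: one way to separate the pattern in the quoted events from other logon failures, assuming the events are exported as text and a hypothetical `KNOWN_WORKSTATIONS` inventory exists. It decodes error code 3221225572 to NTSTATUS 0xC0000064 (STATUS_NO_SUCH_USER) and labels a Logon Type 3 failure as known only when Domain equals Workstation Name and that name is inventoried; the function names are illustrative.

```python
import re

# NTSTATUS codes that event 681 prints in decimal (values from ntstatus.h)
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
KNOWN_WORKSTATIONS = {"WORKSTATION1"}  # assumption: your desktop inventory

def fields(text):
    """Parse the 'Name: value' lines of an exported event into a dict."""
    pairs = re.findall(r"^[ \t]*([A-Za-z ]+):[ \t]*(.*)$", text, re.M)
    return {k.strip(): v.strip() for k, v in pairs}

def status_of(text681):
    """Decode the decimal error code of event 681 to an NTSTATUS name."""
    code = int(re.search(r"error code was:\s*(\d+)", text681).group(1))
    return NTSTATUS.get(code, hex(code))

def triage(text529, text681):
    """Label a 529/681 pair as known workstation noise or as needing review."""
    f = fields(text529)
    ws = f.get("Workstation Name", "").upper()
    # Domain == Workstation Name: the account is scoped to the client itself
    local_account = f.get("Domain", "").upper() == ws
    if (f.get("Logon Type") == "3" and local_account
            and status_of(text681) == "STATUS_NO_SUCH_USER"
            and ws in KNOWN_WORKSTATIONS):
        return "known-workstation"
    return "review"

# Constructed sample input, trimmed from the events quoted in the post
EVENT_529 = """Event ID: 529
Computer: SERVER1
Logon Failure:
  Reason: Unknown user name or bad password
  User Name: Someuser
  Domain: WORKSTATION1
  Logon Type: 3
  Workstation Name: WORKSTATION1"""
EVENT_681 = """Event ID: 681
The logon to account: Someuser
 from workstation: WORKSTATION1
 failed. The error code was: 3221225572"""

if __name__ == "__main__":
    print(status_of(EVENT_681), triage(EVENT_529, EVENT_681))
```

Workstation Name is supplied by the client during NTLM authentication, so a match reduces noise but does not prove where the attempt came from.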


