Re: Security Event ID 529 & 681 / source= outside domains

From: Steven L Umbach (sumbach_at_N0spam.ameritech.net)
Date: 04/23/04


Date: Fri, 23 Apr 2004 13:43:35 -0500

Very hard to say why when you can not examine those remote machines
yourself. Just because they are locked away is no reason for the other
domain admins to assume those computers are not compromised. Locked up
computers are compromised through a network connection all the time, though
it does not mean they are compromised. Possibly there could be a
misconfigured/old mapped drive or some sort of a script/application running
including wrong computers as targets for action. Since you have no power in
that domain there is not much you can do unless there is a higher authority
to appeal to. At the very least the other domain admins should check Event
Viewer on those two servers for any pertinent errors, review configuration,
and check that virus definitions are current and there are regular virus
scans.

Based on the name of the user being used in your failed logons, it does not
appear to be a concerted hack attempt which would usually use the
administrator account or other legitimate user name. Usually in hacks, the
passwords are bad and not the user name unless they are trying to guess a
renamed administrator account or the hacker is confident they have a good
password.

If the user name in the failed attempts does not change and the events show
consistently on the same computers, I doubt you have too much to worry about
except being annoyed. You may want to ask that domain admin if the user name
being used is familiar to him and may help jog his memory. --- Steve

"Tim S." <anonymous@discussions.microsoft.com> wrote in message
news:2e8201c42896$2cbc2630$a501280a@phx.gbl...
> I have a Windows 2000 network running in mixed mode
> (mostly WIN2K servers) and all WIN2K desktops. We are a
> state agency that is part of the larger state's forest. I
> imported and implemented the securedc.inf group security
> policy on the network two days ago. Now I notice that
> some of my WIN2K servers are generating Security Event
> IDs 529 and 681 in the Event logs. I found out that these
> events are recording unsuccessful authentications /
> logins. They were probably happening all along but the new
> group policy is recording them. The problem is that all of
> these events (529 and 681) are being generated by two
> servers outside of my domain. I spoke with the admins for
> the other domains and they have no idea what is going on.
> They say these servers are secured in server rooms with
> restricted access so I am guessing that someone is not
> trying to hack into my network. The domains involved have
> no relationship with our agency and although I can see the
> domains in Network Neighborhood I do not have access to
> them and vice versa. My question is what is happening and
> why only these two servers. There are over 1000 servers
> in the forest so there must be something configured
> incorrectly on these two otherwise why wouldn't the other
> servers be generating the events as well. The logs are
> listed below.
>
> /21/2004 11:36:37 AM Security
> Failure Audit Logon/Logoff 529 NT AUTHORITY\SYSTEM
> TEST_REGION123 "Logon Failure:
> Reason: Unknown user name or bad password
> User Name: SVC_Profile
> Domain: EPS
> Logon Type: 3
> Logon Process: NtLmSsp
> Authentication Package: NTLM
> Workstation Name: EPS-INF-PAR-001 "
>
> 4/21/2004 11:36:37 AM Security
> Failure Audit Account Logon 681 NT AUTHORITY\SYSTEM
> TEST_REGION123 The logon to account: SVC_Profile
> by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> from workstation: EPS-INF-PAR-001
> failed. The error code was: 3221225572
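The 681 event above carries the failure reason as a decimal NTSTATUS value: 3221225572 is 0xC0000064, STATUS_NO_SUCH_USER, meaning the user name does not exist, which is exactly the "bad user name rather than bad password" distinction Steve draws. As an added example that is not code from the thread, the Python below decodes that code from 681 lines and groups repeats by account and source workstation; the sample lines are constructed from the posted event, flattened to one line each, plus two constructed variants.

```python
import re
from collections import Counter

# NTSTATUS values that event 681 reports as a decimal "error code". Only the two
# commonest are named here (assumption: anything else is shown as raw hex).
STATUS_NAMES = {
    0xC0000064: "STATUS_NO_SUCH_USER (unknown user name)",
    0xC000006A: "STATUS_WRONG_PASSWORD (bad password)",
}
# Verdicts follow the heuristic in the thread: a non-existent user name failing
# from one fixed source reads like a stale mapped drive, service or script.
VERDICTS = {
    0xC0000064: "likely misconfiguration: unknown account from a fixed source",
    0xC000006A: "review: existing account, wrong password",
}
# Constructed sample: the posted 681 event on one line, a repeat of it, and a
# constructed wrong-password failure against Administrator from another host.
SAMPLE_681 = [
    "4/21/2004 11:36:37 AM Security Failure Audit Account Logon 681 NT AUTHORITY\\SYSTEM TEST_REGION123 "
    "The logon to account: SVC_Profile by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: EPS-INF-PAR-001 failed. The error code was: 3221225572",
    "4/21/2004 11:41:37 AM Security Failure Audit Account Logon 681 NT AUTHORITY\\SYSTEM TEST_REGION123 "
    "The logon to account: SVC_Profile by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: EPS-INF-PAR-001 failed. The error code was: 3221225572",
    "4/21/2004 11:42:00 AM Security Failure Audit Account Logon 681 NT AUTHORITY\\SYSTEM TEST_REGION123 "
    "The logon to account: Administrator by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: EPS-INF-PAR-002 failed. The error code was: 3221225578",
]

EVENT_681 = re.compile(
    r"The logon to account: (?P<account>\S+) by: \S+ from workstation: "
    r"(?P<workstation>\S+) failed\. The error code was: (?P<code>\d+)"
)

def parse_681(lines):
    """Return (account, workstation, ntstatus) for every line that is a 681 event."""
    events = []
    for line in lines:
        m = EVENT_681.search(line)
        if m:
            events.append((m["account"], m["workstation"], int(m["code"])))
    return events

def decode_status(code):
    """Map the decimal error code of a 681 event to its NTSTATUS name."""
    return STATUS_NAMES.get(code, f"0x{code:08X}")

def triage(events):
    """Group failures by (account, workstation): count, decoded status, verdict."""
    report = {}
    for (account, ws, code), n in Counter(events).items():
        report[(account, ws)] = (n, decode_status(code), VERDICTS.get(code, "unclassified"))
    return report
```

Running `triage(parse_681(SAMPLE_681))` shows SVC_Profile from EPS-INF-PAR-001 twice as an unknown account, which is the "annoying but probably a misconfiguration" pattern, beside one wrong-password attempt on a real account that warrants a look.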