Re: event id 529 logon type 3 - lots of them

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 04/27/05 

Date: Tue, 26 Apr 2005 21:47:32 -0500

What server applications were running on this server - IIS, Exchange,?? From
what you describe it probably was from an external source and if your
firewall logs network traffic you may want to see if you see a lot of
activity from a particular IP address at the times that these failed logon
events were recorded. If you have auditing of account logon events enabled
in Domain Controller Security policy you would want to check the security
logs of the domain controllers to see if there are any failure for account
logon events at the same times that may give more information including
computer name. I have seen other posts with similar behavior and when
Logon Process: Advapi was show it was often an Exchange server. Be sure
to check your firewall for proper configuration and you can go to a self
scan site such as http://scan.sygatetech.com/ to see if your firewall
security configuration looks to be what is expected.--- Steve

"Gary Massengale" <garym_jnospam@hotmail.com> wrote in message
news:%23IZ47XoSFHA.3544@TK2MSFTNGP10.phx.gbl...
>I saw a ton of these, all early this morning, during a short period of
>time, before most users are even in the office.
>
>
>
> is there any way I can find out where this is coming from? what
> workstation or if it is over the internet?
>
>
>
>
>
>
>
>
>
> Event Type: Failure Audit
>
> Event Source: Security
>
> Event Category: Logon/Logoff
>
> Event ID: 529
>
> Date: 4/26/2005
>
> Time: 6:44:06 AM
>
> User: NT AUTHORITY\SYSTEM
>
> Computer: myserver
>
> Description:
>
> Logon Failure:
>
> Reason: Unknown user name or bad password
>
> User Name: connect
>
> Domain:
>
> Logon Type: 3
>
> Logon Process: Advapi
>
> Authentication Package:
> MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>
> Workstation Name: myserver
>
>

Relevant Pages

  • << SBS News of the week - Sept 26 >>
    ... And he points to the info you need to put the file on the server in the ... at the network perimeter. ... The Symantec Firewall/VPN and the Gateway Security ... by the firewall at risk. ...
    (microsoft.public.backoffice.smallbiz)
  • << SBS News of the week - Sept 26 >>
    ... And he points to the info you need to put the file on the server in the ... at the network perimeter. ... The Symantec Firewall/VPN and the Gateway Security ... by the firewall at risk. ...
    (microsoft.public.backoffice.smallbiz2000)
  • << SBS News of the week - Sept 26 >>
    ... And he points to the info you need to put the file on the server in the ... at the network perimeter. ... The Symantec Firewall/VPN and the Gateway Security ... by the firewall at risk. ...
    (microsoft.public.windows.server.sbs)
  • Re: Recycler security issues on IIS server
    ... > latest upates to the server. ... > like to see the server put behind our firewall, ... other software, install all patches, IISlockdown, URLscan, use the correct ... the procedures you follow may vary depending on your security needs. ...
    (microsoft.public.inetserver.iis.security)
  • Re: ISA SERVER NOT STARTING
    ... I delete the nat/basic firewall and stop and started the RRAS an tried to ... There were no critical events in the DNS Server Log in the last 24 hours. ... An error occurred during logon ... Caller User Name: - ...
    (microsoft.public.windows.server.sbs)