RE: Mysterious Logon Failures in Security Log




Hi Bryan,

Thank you for posting in SBS newsgroup.

As I understand from your post message, you receive security event log 529
in your newly installed Win2k3 system. If I have misunderstood your
concerns, please do not hesitate to let me know.

If we enable security auditing in the security policy, we can see many
security events in the event log. Sometimes we can ignore some security
events because they will not impact the server box beyond the logs. For
the security events you posted in the newsgroup, please see the following
comments:

1. These error messages may occur when some services (logging on as the local
system account) are started. In Windows Server 2003, it is most likely that the
"Microsoft Exchange Routing Engine" service causes this security event.
You may open the "Services" console in "Administrative Tools", double-click
the "Microsoft Exchange Routing Engine" service and click the "Stop" button.
The 529 events should stop. Please note that the Exchange Routing
Engine service is a core service for Microsoft Exchange. If this service
stops, mail delivery could be impacted. Stop this service only for testing.

The 529 error may also be related to the NTLM authentication level. By
default, Windows Server 2003 is set to "Send NTLM response only"; you get the
event log entry because the authentication level does not match or an error
occurs during the authentication procedure.

I suggest you change the "nolmhash" value to "0" in the following registry
key on the Win2003 server:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA

Reboot the server for this change to take effect and check if the event
disappears.

If the event still appears, go to
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\Parameters
and set "enablesecuritysignature" and "requiresecuritysignature" to "0".
Reboot the server and check if everything is OK.

2. This may also be an automated dictionary attack on weak passwords. The
hacker is trying various username/password combinations to access the
network. The attack can be initiated from the internal network or from an
external network. According to the message, Logon Type 3 means Network logon. As
the event is missing much information such as "Caller User Name" and "Caller
Process ID", it is most likely caused by spyware residing on your LAN
workstations.

Technically speaking, this is normal behavior, as you cannot prevent a
hacker or spyware from attacking your server. The attack can come from
outsiders or from LAN workstations that are infected by viruses or spyware.
You can ignore the events, as the attack was unsuccessful. However, since it
indicates an attack, I would like to give the following action plan to
improve the network security:

1) Scan for viruses on both the server and the workstations (especially the
workstation the IP address refers to). Please use anti-virus software
to perform a full scan on all your computers, especially the computer that
event 529 indicates. There is an online virus scan link below if you do not
have anti-virus software:

http://housecall.trendmicro.com

2) Scan and remove all spyware and adware on the server and workstations.
For more information and removal tools, see:

http://www.microsoft.com/athome/security/spyware/default.mspx

3) Implement strong password policies. You'd better also ask your users to
change their passwords to avoid successful attacks against weak passwords.

For more information:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

4) Monitor the internal users to see if anyone is testing the administrator
account.

NOTE: This response contains a reference to a Third party World Wide Web
site. You should know that Third party sites are not under the control of
Microsoft. Accordingly, Microsoft can make no representation concerning
the content of these sites. Microsoft is providing this information only
as a convenience to you. This is to inform you that Microsoft has not
tested any software or information found on these sites and therefore
cannot make any representations regarding the quality, safety, or
suitability of any software or information found there. There are inherent
dangers in the use of any software found on the Internet, and Microsoft
cautions you to make sure that you completely understand the risk before
retrieving any software on the Internet.

You can also save the Security log file and post it to the newsgroup:

1. Open "Event Viewer" in "Administrative Tools".
2. Right-click "Security" and click "Save Log File As" to save the log file
as a .evt file.
3. Post it to the newsgroup.

You may need to enable Kerberos event logging referring to the following KB
article:

262177 How to enable Kerberos event logging
http://support.microsoft.com/?id=262177

Please post the logs regarding the problem to the newsgroup.

The following KB article is for your reference:

326985 HOW TO: Troubleshoot Kerberos-Related Issues in IIS
http://support.microsoft.com/?id=326985

I hope the information helps, and I look forward to your reply.

Best regards,

Crina Li (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: "Bryan L" <blinton.nospam@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
| Subject: Mysterious Logon Failures in Security Log
| Date: Mon, 25 Jul 2005 11:52:35 -0500
| Newsgroups: microsoft.public.windows.server.networking,microsoft.public.windows.server.sbs,microsoft.public.windows.server.security
|
| I'm running an SBS 2003 domain with about 30 users. I promoted another 2003
| server std box to be a replica DC about a month ago. I've had the luxury of
| time to work out the bugs and kinks getting this new DC to be error-free and
| I'm almost done. The only persistent error I'm still getting is event 529 in my
| security log; a sample is provided below:
| __________________________
|
| Event Type: Failure Audit
| Event Source: Security
| Event Category: Logon/Logoff
| Event ID: 529
| Date: 7/22/2005
| Time: 4:28:07 PM
| User: NT AUTHORITY\SYSTEM
| Computer: SERVERNAME-2
| Description:
| Logon Failure:
| Reason: Unknown user name or bad password
| User Name:
| Domain:
| Logon Type: 3
| Logon Process: Kerberos
| Authentication Package: Kerberos
| Workstation Name: -
| Caller User Name: -
| Caller Domain: -
| Caller Logon ID: -
| Caller Process ID: -
| Transited Services: -
| Source Network Address: 192.168.168.229
| Source Port: 0
| __________________________
|
| Services my network runs:
| Exchange 2003
| DFS/FRS
| WINS
| DNS
| DHCP
|
| More information:
|
| - All clients are running XP SP2.
| - These errors always appear in multiples of 4.
| - Sometimes only 4 or 8 of these appear at a time for a given source IP;
| other times there are 20 or so, and now and then there are literally
| thousands of them within the span of a few minutes, or even hundreds within
| a handful of seconds.
| - The most common source IP is a particular member server, but the source
| IP varies to include clients as well, both desktops and laptops.
| - I believe it's a configuration problem and not malicious, since even my
| own workstation is sometimes the source IP.
| - When coming from desktops the source port appears to always be 0, but
| when coming from the particular server that is most commonly the source IP,
| the port increments by 3 every two events. For example, recently a total
| of 16 events were logged with this server as the source, all within the same
| second, and the ports looked like this: 3850, 3850, 3853, 3853, 3856, 3856,
| 3859, 3859, 3862, 3862, 3865, 3865, 3868, 3868, 3871, 3871.
| - These errors are being logged only on the new DC's security log; the logs
| on my original SBS 2003 DC are clean.
| - This server used to run 2000 Server with a static IP; it was wiped and
| cleanly installed with Server 2003 SP1 and set to the same static IP as
| before.
| - This server has a different name than the 2000 Server installation did.
| - A few days after the install, a gigabit NIC was installed in the server
| and the onboard 10/100 NIC was disabled.
| - DFS/FRS was in use for a short time on the 2000 Server, as a means to
| migrate the shares it was hosting to a different location prior to the wipe
| and reinstall. The 2000 Server was never a DC.
| - I believe I made a mistake in managing my DFS: I disabled DFS referrals
| to the old 2000 Server, but never actually removed all references to the
| server from DFS altogether before taking the old server permanently offline.
| I'm about to look for information that will help me clean this up; I've seen
| it out there in my readings on DFS. The "new" Server 2003 installation is
| not yet hosting its original shares again, but it has been set up as a DFS
| root replica.
|
| Any help appreciated; I'm not sure how to run this one down.
|
| Thanks in advance,
|
| Bryan
|
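One way to triage records like these offline, as an added example that is not code from either post: the script below parses a text export in the layout of the event Bryan pasted, groups records by Source Network Address, and flags both the multiple-of-4 pattern and bursts of eight or more events within ten seconds (the floods worth investigating first). The addresses, timestamps and thresholds are constructed assumptions, not values from the thread.

```python
"""Triage exported Security-log 529 records by source address and flag bursts.
Added example, not code from either post; layout mirrors Bryan's event, values constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

RECORD = """Event ID: 529
Date: 7/22/2005
Time: {time}
Logon Type: 3
Source Network Address: {src}
Source Port: {port}
__________________________
"""
FIELD = re.compile(r"^([A-Za-z ]+): *(.*)$", re.M)

def build_sample():
    """Constructed export: a workstation with 4 events over 4 seconds, and a member
    server with 16 events in one second using the 3850, 3850, 3853, ... ports."""
    out = [RECORD.format(time=f"4:28:0{s} PM", src="192.168.168.229", port=0)
           for s in range(4)]
    out += [RECORD.format(time="4:30:15 PM", src="192.168.168.10",
                          port=3850 + 3 * (i // 2)) for i in range(16)]
    return "".join(out)

def parse_records(text):
    """Split on the separator line, keep event 529 records, parse the timestamp."""
    records = []
    for chunk in text.split("__________________________"):
        fields = dict(FIELD.findall(chunk))
        if fields.get("Event ID") != "529":
            continue
        stamp = fields["Date"] + " " + fields["Time"]
        fields["when"] = datetime.strptime(stamp, "%m/%d/%Y %I:%M:%S %p")
        records.append(fields)
    return records

def triage(records, window=timedelta(seconds=10), burst=8):
    """Per source: count, multiple-of-4 check, and whether any `window` holds >= `burst` events."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["Source Network Address"]].append(r["when"])
    report = {}
    for src, times in by_src.items():
        times.sort()
        flood = any(times[i + burst - 1] - times[i] <= window
                    for i in range(len(times) - burst + 1))
        report[src] = {"count": len(times), "multiple_of_4": len(times) % 4 == 0, "burst": flood}
    return report
```

The same parser works on a real "Save Log File As" text export as long as the separator line between records is kept; lower `burst` or widen `window` to match what is normal for the site.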
