Re: IUSER Event 529
- From: v-crinal@xxxxxxxxxxxxxxxxxxxx (Crina Li (MSFT))
- Date: Fri, 26 Aug 2005 14:30:33 GMT
Hi Jeff,
Thanks for your reply.
Would you please help me confirm if the event 529 and 531 have disappeared?
Regarding the event 539, can you post the detailed error information?
To narrow down the problem, please help me collect the event log as
following:
1. Open Event Viewer.
2. Right click the Application, Security and System and then select Save
Log File As.
3. Send these files to my mailbox: v-crinal@xxxxxxxxxxxxx
Thanks for your time and I look forward to your reply.
Best regards,
Crina Li (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Date: Thu, 25 Aug 2005 10:41:34 -0500
| From: Jeffrey Jones <jeffjones176@xxxxxxxxx>
| | Subject: Re: IUSER Event 529
| Newsgroups: microsoft.public.windows.server.sbs
| |
| Crina Li (MSFT) wrote:
| > Hi Jeff,
| >
| > Thank you for posting in SBS newsgroup.
| >
| > From the description, I understand you received many event 529 errors
and
| > event 531 errors regarding IUSER account on SBS server. If I have
| > misunderstood your concerns, please do not hesitate to let me know.
| >
| > We may try the following to see if the problem can be solved:
| >
| > 1. Go to Active Directory Users and Computers and expand server name
and
| > then click users.
| > 2. Double click IUSR and then on Account tab make sure the password
never
| > expires and user cannot change password is selected and the account is
not
| > disabled.
| > 3. Open IIS ADMIN and go to the Default web site and get properties
| > 4. Go to directory security\Edit.
| > 5. In the Password Field type in a strong password and write it down
and
| > hit apply\ok
| >
| > If you get inheritance override click Select all.......only do this if
the
| > IUSR account is the account chosen for these web sites... (this is the
| > default setting).
| >
| > 6. Then go to Active Directory Users and Computers and reset the
password
| > for the IUSR account (or delete the account)
| > 7. Then run iisreset from the command prompt. It will restart IIS.
| >
| > If the problem still persists, this may also be an automated dictionary
| > attack on weak passwords. The hacker is trying variable
username/password
| > combinations to access the network. The attack can be initiated from
| > internal network or external network.
| >
| > Technically speaking, this is a normal behavior as you cannot prevent a
| > hacker or spyware from attacking your server. The attack can be from
| > outsiders or from LAN workstation which are infected by viruses or
spyware.
| > I would like to give the following action plan to improve the network
| > security:
| >
| > 1. Scan virus on the workstations. Please use the anti-virus software
to
| > perform full scan on the internal workstations. There is an online
virus
| > scan link below:
| > http://housecall.trendmicro.com
| >
| > 2. Implement Strong password policies. Open 'Server Management
console',
| > navigate to Users snap-in. In the right panel, click 'Configure
Password
| > Policies'. Enable the password policies.
| >
| > For more information:
| >
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/
| > security/bpactlck.mspx
| >
| > 3. Monitor the internal users to see if anyone is testing the admin
| > accounts.
| >
| > More info:
| >
| > Securing Your Windows Small Business Server 2003 Network
| >
http://download.microsoft.com/download/1/f/1/1f15a874-f696-4992-b5ad-b1e7b25
| > 8de1c/SecuringSBSnetwork.doc
| >
| > 4. Scan and remove all spyware and adware on the server and
workstations.
| > For more information and removal tools, see:
| >
| > http://www.microsoft.com/athome/security/spyware/default.mspx
| >
| > Thanks for your time and I look forward to your reply.
| >
| > Best regards,
| >
| > Crina Li (MSFT)
| >
| > Microsoft CSS Online Newsgroup Support
| >
| > Get Secure! - www.microsoft.com/security
| >
| > =====================================================
| > This newsgroup only focuses on SBS technical issues. If you have issues
| > regarding other Microsoft products, you'd better post in the
corresponding
| > newsgroups so that they can be resolved in an efficient and timely
manner.
| > You can locate the newsgroup here:
| > http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
| >
| > When opening a new thread via the web interface, we recommend you check
the
| > "Notify me of replies" box to receive e-mail notifications when there
are
| > any updates in your thread. When responding to posts via your
newsreader,
| > please "Reply to Group" so that others may learn and benefit from your
| > issue.
| >
| > Microsoft engineers can only focus on one issue per thread. Although we
| > provide other information for your reference, we recommend you post
| > different incidents in different threads to keep the thread clean. In
doing
| > so, it will ensure your issues are resolved in a timely manner.
| >
| > For urgent issues, you may want to contact Microsoft CSS directly.
Please
| > check http://support.microsoft.com for regional support phone numbers.
| >
| > Any input or comments in this thread are highly appreciated.
| >
| > =====================================================
| >
| > This posting is provided "AS IS" with no warranties, and confers no
rights.
| > --------------------
| > | Date: Tue, 23 Aug 2005 17:31:58 -0500
| > | From: Jeffrey Jones <jeffjones176@xxxxxxxxx>
| > | | Newsgroups: microsoft.public.windows.server.sbs
| > | |
| > | Hello,
| > | I have been receiving a lot of event 529 errors in my morning reports
| > | from my server saying that the IUSER account (Unknown account or bad
| > | password) is the offender. I have SBS 2K3 upgraded to SP1. Does
anybody
| > | know why this might be? Am I under attack? The number of these
| > | occurances is topping 280 daily. I also am getting some event 531
errors
| > | (38-43 daily) saying that the account being accessed is disabled. We
do
| > | have a password policy enabled. Thought I might ask. Thanks.
| > | Regards,
| > | Jeff Jones
| > |
| >
| I have followed all of your instructions. I can in today and I have a
| bunch of 539 events for the IUSER account. Any reason why this may be?
| Thanks,
| Jeff
|
.
- References:
- IUSER Event 529
- From: Jeffrey Jones
- RE: IUSER Event 529
- From: Crina Li (MSFT)
- Re: IUSER Event 529
- From: Jeffrey Jones
- IUSER Event 529
- Prev by Date: RE: Shared Fax Error (SBS 2000)
- Next by Date: RE: Autoresponders
- Previous by thread: Re: IUSER Event 529
- Next by thread: increasingly frequent shutdowns
- Index(es):
Relevant Pages
|
Loading
