RE: ATTN : Microsoft - Security Event 529....Second Request for help....




Hi Art,

Thank you for posting here!

I am sorry for the delayed response due to the weekend. Please understand
that the newsgroups are staffed on weekdays by Microsoft Support
professionals to answer your systems and applications questions. Your
understanding is greatly appreciated!

From your description, I understand the issue to be: you received security
event 529 and 552 in the Security log.

Security Event ID 529 is a failure audit for logon/logoff. The security
events are controlled by the audit policies. The "logon events" policy
generates the events on domain controllers for domain account activity.
Logon type 3 is a Network logon, which means "A user or computer logged on
to this computer from the network".

This kind of issue may be caused by an application logon, such as when
Outlook is connecting to Exchange Server, or by an automated dictionary
attack on weak passwords. The hacker tries various username/password
combinations (here it is webmaster) to access the network. The attack can be
initiated from the internal network or from an external network.

Technically speaking, this is normal behavior, as you cannot prevent a
hacker from attacking your server. You can ignore the events, as the attack
was unsuccessful. However, since it indicates that a hacker is attacking, I
would like to give the following action plan to improve the network security:

1. Scan for viruses on the workstations. Please use anti-virus software to
perform a full scan on the internal workstations. There is an online virus
scan link below:

http://housecall.trendmicro.com/

2. Implement strong password policies. Open the ''Server Management
console'' and navigate to the Users snap-in. In the right pane, click
''Configure Password Policies''. Enable the password policies.

For more information:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/
security/bpactlck.mspx

3. Do you have a brick-level backup or an anti-virus scan running at about
those times? If possible, check the backup to see whether the brick-level
part failed and what account and password it is using.

4. Disable the Guest account.

5. The following document also helps you configure your SBS 2003 network
more securely. Completing the tasks in this document helps you protect the
availability, integrity, and confidentiality of your network.

Securing Your Windows Small Business Server 2003 Network
http://www.microsoft.com/downloads/details.aspx?familyid=f62b2722-267c-4642-
b287-c31115ef10a4&displaylang=en

More information:

Kerberos Event ID: 529 is logged when you use a local user account to
verify security access or group membership on a Windows Server 2003-based
Kerberos client
http://support.microsoft.com/default.aspx?scid=kb;en-us;150530

Hope the above information helps! I appreciate your time and effort on this
issue, and I am looking forward to your reply!

Have a nice day!

Sincerely,

Jenny Wu
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, please post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep each thread clean. Doing
so will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
From: Art Vandalay <noone@xxxxxxxxxxx>
Subject: ATTN : Microsoft - Security Event 529....Second Request for
help....
Date: Thu, 06 Apr 2006 21:54:42 -0400
Message-ID: <3chb325af7dc66bhus0vfmnap1nb259onf@xxxxxxx>
X-Newsreader: Forte Agent 3.1/32.783
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Newsgroups: microsoft.public.windows.server.sbs
NNTP-Posting-Host: c-68-82-122-237.hsd1.pa.comcast.net 68.82.122.237
Lines: 1
Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP03.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:258695
X-Tomcat-NG: microsoft.public.windows.server.sbs


A freshly genned SBS 2003 server is producing the following events in the
security log:

4/2/2006 8:18:56 PM Security Failure Audit
Logon/Logoff 529 NT AUTHORITY\SYSTEM SERVER1 "Logon
Failure:
Reason: Unknown user name or bad password
User Name: SERVER1$
Domain: SYSIII
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: SERVER1
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -
"
4/2/2006 8:18:56 PM Security Success Audit
Logon/Logoff 552 NT AUTHORITY\SYSTEM SERVER1 "Logon attempt
using explicit credentials:
Logged on user:
User Name:
Domain:
Logon ID: (0x0,0xA7E4)
Logon GUID: -
User whose credentials were used:
Target User Name: SERVER1$
Target Domain:
Target Logon GUID: -

Target Server Name: server1.sysiii.local
Target Server Info: server1.sysiii.local
Caller Process ID: 324
Source Network Address: -
Source Port: -
"
4/2/2006 8:18:55 PM Security Failure Audit
Logon/Logoff 529 NT AUTHORITY\SYSTEM SERVER1 "Logon
Failure:
Reason: Unknown user name or bad password
User Name: SERVER1$
Domain: SYSIII
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: SERVER1
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -
"
4/2/2006 8:18:55 PM Security Success Audit
Logon/Logoff 552 NT AUTHORITY\SYSTEM SERVER1 "Logon attempt
using explicit credentials:
Logged on user:
User Name:
Domain:
Logon ID: (0x0,0xA7E4)
Logon GUID: -
User whose credentials were used:
Target User Name: SERVER1$
Target Domain:
Target Logon GUID: -

Target Server Name: server1.sysiii.local
Target Server Info: server1.sysiii.local
Caller Process ID: 4296
Source Network Address: -
Source Port: -
"
4/2/2006 8:18:08 PM Security Failure Audit
Logon/Logoff 529 NT AUTHORITY\SYSTEM SERVER1 "Logon
Failure:
Reason: Unknown user name or bad password
User Name: SERVER1$
Domain: SYSIII
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: SERVER1
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -
"
4/2/2006 8:18:08 PM Security Success Audit
Logon/Logoff 552 NT AUTHORITY\SYSTEM SERVER1 "Logon attempt
using explicit credentials:
Logged on user:
User Name:
Domain:
Logon ID: (0x0,0xA7E4)
Logon GUID: -
User whose credentials were used:
Target User Name: SERVER1$
Target Domain:
Target Logon GUID: -

Target Server Name: server1.sysiii.local
Target Server Info: server1.sysiii.local
Caller Process ID: 4496
Source Network Address: -
Source Port: -
"

According to Task Manager : PID 4496 is wmiprvse.exe, PID 4296 is
store.exe, and PID 324 is inetinfo.exe. Something is out of sync
somewhere, but where??

Please help..........
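The events quoted above can be worked through mechanically rather than by eye. The following is an added example, not code from the post or from Microsoft: a Python script that parses a Windows Server 2003 Security log export of this shape, pairs each 529 failure with the 552 logged in the same second for the same account (the 552 is the record that carries the caller PID), and counts failures per account, workstation and source address, which is the view that separates a remote guesser from one local process retrying a single account. The sample log is constructed from the events in the post with the wrapped header lines joined and unused fields dropped; the PID-to-process table is the poster's Task Manager reading; the "local process" heuristic in `assess()` is an assumption of this example, not something the thread states.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the shape of the Security log export quoted in the post:
# two of the 529/552 pairs, wrapped headers joined onto one line, unused fields dropped.
SAMPLE_LOG = '''\
4/2/2006 8:18:56 PM Security Failure Audit Logon/Logoff 529 NT AUTHORITY\\SYSTEM SERVER1 "Logon Failure:
Reason: Unknown user name or bad password
User Name: SERVER1$
Logon Type: 3
Workstation Name: SERVER1
Caller Process ID: -
Source Network Address: -
"
4/2/2006 8:18:56 PM Security Success Audit Logon/Logoff 552 NT AUTHORITY\\SYSTEM SERVER1 "Logon attempt using explicit credentials:
Target User Name: SERVER1$
Target Server Name: server1.sysiii.local
Caller Process ID: 324
Source Network Address: -
"
4/2/2006 8:18:55 PM Security Failure Audit Logon/Logoff 529 NT AUTHORITY\\SYSTEM SERVER1 "Logon Failure:
Reason: Unknown user name or bad password
User Name: SERVER1$
Logon Type: 3
Workstation Name: SERVER1
Source Network Address: -
"
4/2/2006 8:18:55 PM Security Success Audit Logon/Logoff 552 NT AUTHORITY\\SYSTEM SERVER1 "Logon attempt using explicit credentials:
Target User Name: SERVER1$
Target Server Name: server1.sysiii.local
Caller Process ID: 4296
Source Network Address: -
"
'''

# PID-to-process mapping as the poster read it from Task Manager. PIDs are reused,
# so in practice this has to be captured at the time of the event.
PID_NAMES = {324: "inetinfo.exe", 4296: "store.exe", 4496: "wmiprvse.exe"}

HEADER = re.compile(r'^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) Security '
                    r'(Failure|Success) Audit\s+Logon/Logoff (\d+) ')
FIELD = re.compile(r'^([A-Za-z][A-Za-z ]*):\s*(.*)$')

def parse_events(text):
    """Split the export into records: time, outcome, event_id and a dict of the
    'Key: value' lines inside the quoted description."""
    events, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:  # a header line starts a new record; the rest of the line is the title
            current = {"time": datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p"),
                       "outcome": m.group(2), "event_id": int(m.group(3)), "fields": {}}
            events.append(current)
            continue
        if current is None or line.strip() == '"':  # closing quote ends the description
            continue
        f = FIELD.match(line.strip())
        if f:
            current["fields"][f.group(1)] = f.group(2).strip() or "-"
    return events

def correlate(events, pid_names=PID_NAMES):
    """Pair each 529 failure with the 552 logged in the same second for the same
    account; the 552 names the caller PID that supplied the rejected credentials."""
    pairs = []
    for fail in (e for e in events if e["event_id"] == 529):
        user = fail["fields"].get("User Name")
        for ev in events:
            if (ev["event_id"] == 552 and ev["time"] == fail["time"]
                    and ev["fields"].get("Target User Name") == user):
                pid_text = ev["fields"].get("Caller Process ID", "-")
                pid = int(pid_text) if pid_text.isdigit() else None
                pairs.append({"time": fail["time"], "user": user, "caller_pid": pid,
                              "process": pid_names.get(pid, "unknown")})
    return pairs

def failure_summary(events):
    """Count 529 failures per (account, workstation, source address): many accounts
    or sources suggest a remote guesser, one account from the host itself does not."""
    counts = Counter()
    for ev in (e for e in events if e["event_id"] == 529):
        f = ev["fields"]
        counts[(f.get("User Name", "-"), f.get("Workstation Name", "-"),
                f.get("Source Network Address", "-"))] += 1
    return counts

def assess(events, local_host):
    """Analyst heuristic (an assumption of this example, not a statement from the
    post): failures for the server's own machine account, from its own workstation
    name with no source address, point at a local service holding bad credentials."""
    verdicts = {}
    for (user, ws, src), _count in failure_summary(events).items():
        local = (user.rstrip("$").upper() == local_host.upper()
                 and ws.upper() == local_host.upper() and src == "-")
        verdicts[user] = ("local process with bad credentials" if local
                          else "review: possible remote password guessing")
    return verdicts

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for p in correlate(evs):
        print(p["time"], p["user"], "credentials supplied by PID", p["caller_pid"], p["process"])
    print(assess(evs, "SERVER1"))
```

Run against a full export, the per-process output of `correlate()` is what answers the poster's "where?": it lists which service (IIS, the Exchange store, the WMI provider host) presented the machine account's credentials each time they were rejected, so the fix can be aimed at that service's stored credentials rather than at the network.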

