RE: Critical Errors in Security Log, Logon Failures
- From: v-robeli@xxxxxxxxxxxxxxxxxxxx (Robert Li [MSFT])
- Date: Fri, 25 May 2007 04:03:55 GMT
Hello Boit,
Thanks for posting in our newsgroup.
From your description, I know that you get "Critical Errors in Security Log" in Server Performance Report every day. If I am off-base, please don't
hesitate to let me know.
Based on my research, I'd like to give you the following suggestions:
Step 1: Implement strong password policies. To do this:
Open "Server Management console", navigate to Users snap-in. In the right
panel, click "Configure Password Policies". Enable the password policies.
1. Password must meet minimum length requirements.
2. Password must meet complexity requirements.
3. Password must be changed regularly.
4. Configure password policies: Immediately.
Step 2: Configure account lockout policy.
1) Click Start, click Settings, click Control Panel, double-click
Administrative Tools, and then double-click Active Directory Users and
Computers.
2) In the console tree, right-click the domain on which you want to set a
Group Policy object.
3) Click Properties, and then click the Group Policy tab.
4) In Group Policy Object Links, click Default Domain Policy or create and
name your Group Policy object, and then click Edit.
5) In the console tree, double-click Computer Configuration, double-click
Windows Settings, double-click Security Settings, double-click Account
Policies, and then click Account Lockout Policy.
6) In the details pane, right-click the policy setting that you want, and
then click Properties.
7) If you are defining this policy setting for the first time, click Define
this policy setting.
8) Click the options that you want, and then click OK.
For medium security requirement, the recommended configurations are:
Reset account lockout counter after: 30
Account lockout duration: 30
Account Lockout Threshold: 10
For high security requirement, the recommendations are:
Reset account lockout counter after: 30
Account lockout duration: 0
Account Lockout Threshold: 10
For more information, please refer to:
Account Passwords and Policies
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
Step 3: Use an anti-virus with updated signatures and scan your SBS Server
and problematic workstation machine.
For more information, please refer to:
Windows Defender Home
http://www.microsoft.com/athome/security/spyware/software/default.mspx
Step 4: Install the latest SBS client workstation updates.
More information:
Security Event 529 is logged for local user accounts
http://support.microsoft.com/default.aspx?scid=kb;en-us;811082
Also, there is a wonderful white paper on how to secure SBS 2003 network:
Securing Your Windows Small Business Server 2003 Network
http://www.microsoft.com/downloads/details.aspx?familyid=ccf92588-f367-4d25-8501-b4f680280f71&displaylang=en
Hope the information helps.
If you need further assistance, please don't hesitate to let me know.
Best regards,
Robert Li(MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
<From: =?Utf-8?B?Qm9pdA==?= <Boit@xxxxxxxxxxxxxxxxxxxxxxxxx>
<Subject: Critical Errors in Security Log, Logon Failures
<Date: Thu, 24 May 2007 08:02:01 -0700
<
<Hello,
<
<Almost every day in my Server Performance Report I get a "Critical Errors in
<Security Log" entry similar to the following example. The username, domain,
<and workstation names are always different. Is this an attempt to hack my
<server? Any help would be greatly appreciated. Thanks.
<
<Source    Event ID  Last Occurrence      Total Occurrences
<Security  529       5/17/2007 12:19 AM   12 *
<Logon Failure:
< Reason: Unknown user name or bad password
< User Name: MARS$
< Domain: MERCURY
< Logon Type: 3
< Logon Process: NtLmSsp
< Authentication Package: NTLM
< Workstation Name: MARS
< Caller User Name: -
< Caller Domain: -
< Caller Logon ID: -
< Caller Process ID: -
< Transited Services: -
< Source Network Address: -
< Source Port: -
<
<
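One way to triage the event 529 entries discussed in this thread, as an added example that is not part of either post: it parses the description text and groups failures by workstation, separating a computer that presents its own machine account (as in the quoted MARS$ entry) from one workstation that tries several user names. The HOST-A records, the EXAMPLE domain, the labels and the cut-off of 3 distinct user names are constructed assumptions.

```python
import re
from collections import defaultdict

def _rec(user, domain, wks):
    """Build one constructed event 529 description (sample data only)."""
    return ("Logon Failure:\n Reason: Unknown user name or bad password\n"
            f" User Name: {user}\n Domain: {domain}\n Logon Type: 3\n"
            f" Logon Process: NtLmSsp\n Workstation Name: {wks}\n")

# Constructed sample: the first record reuses the values quoted in the post;
# HOST-A, EXAMPLE and the user names are made up for illustration.
SAMPLE = _rec("MARS$", "MERCURY", "MARS") + "".join(
    _rec(u, "EXAMPLE", "HOST-A") for u in ("admin", "backup", "test", "scanner"))

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")

def parse_529(text):
    """Split a dump of event 529 descriptions into one dict per event."""
    events, cur = [], None
    for line in text.splitlines():
        line = line.lstrip("<")            # tolerate quoted-mail prefixes
        if line.strip() == "Logon Failure:":
            cur = {}
            events.append(cur)
            continue
        m = FIELD.match(line)
        if m and cur is not None:
            cur[m.group(1).strip()] = m.group(2).strip()
    return events

def triage(events, distinct_users=3):
    """Label each source workstation; distinct_users is a hypothetical cut-off."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.get("Workstation Name", "-").upper()].append(e)
    report = {}
    for src, evs in by_src.items():
        users = {e.get("User Name", "").upper() for e in evs}
        if users == {src + "$"}:
            report[src] = "machine-account"  # computer presenting its own account
        elif len(users) >= distinct_users:
            report[src] = "many-usernames"   # one source cycling through names
        else:
            report[src] = "review"           # too little data to classify
    return report

if __name__ == "__main__":
    for src, label in triage(parse_529(SAMPLE)).items():
        print(src, label)
```

The labels are a sorting aid for the daily report, not a verdict: a "machine-account" entry still deserves a check that the named computer is one you recognise.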