Re: SBS SP2 w/ISA Error 529




Unauthorized logon attempts are a fact of life in today's environment, unfortunately. They're for the most part 'drive by' attempts, on blocks of IP addresses.

You can either disconnect your server from the internet, or allow *nothing* in, or ensure you at least have impossibly hard to crack passwords. You can go further if you like with two factor authentication for some things.

When you see failed logins, don't get excited. It's the ones that *succeed* that you need be concerned about. If you see a string of attempts, check your security log and see that there hasn't been a subsequent success.

--
Les Connor [SBS MVP]


"Brian" <Brian@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:97FFCB0E-2E5C-42F4-AB4D-CAB5E147AF62@xxxxxxxxxxxxxxxx
Ok.. I see the other posts about Event Log Error 529… it seems to indicate
that there is a hack attempt; if it is from an External IP and happens in
bursts.

Here are my questions:

1) How is it possible that the attacker is allowed to attempt to logon using
ports that I believe ISA should be blocking?!? Each error lists a different
port. (YES I ran CEICW)

2) What about Error 12294 in the SYSTEM LOG?


Example of Errors:

1)529 12/2/2007 12:18 AM
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: MOBILE-MR
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: MOBILE01
Caller User Name: MOBILE01$
Caller Domain: MOBILE-MR
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 728
Transited Services: -
Source Network Address: 75.68.142.123
Source Port: 1976 <---------How can this be getting through ISA?

2)SAM 12294 12/2/2007 12:18 AM
The SAM database was unable to lockout the account of Administrator due to a
resource error, such as a hard disk write failure (the specific error code is
in the error data) . Accounts are locked after a certain number of bad
passwords are provided so please consider resetting the password of the
account mentioned above.

Any insight would be appreciated!
Thanks!

Brian
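
Added example, not part of the thread: a Python sketch of the check described in the reply above, flagging a successful logon that follows a string of 529 failures from the same source address. It assumes the Security log has been exported as text in the layout Brian quoted; the function names, the thresholds, and the use of event IDs 528/540 for successful logons on this Windows generation are assumptions that do not come from the posts.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout quoted in this thread (documentation IPs only).
SAMPLE = """\
529 12/2/2007 12:18 AM
User Name: Administrator
Source Network Address: 203.0.113.7
529 12/2/2007 12:18 AM
User Name: Administrator
Source Network Address: 203.0.113.7
529 12/2/2007 12:19 AM
User Name: admin
Source Network Address: 203.0.113.7
528 12/2/2007 12:21 AM
User Name: Administrator
Source Network Address: 203.0.113.7
529 12/2/2007 1:05 AM
User Name: Administrator
Source Network Address: 192.0.2.44
"""

HEADER = re.compile(r"^(?:\d+\))?\s*(\d{3})\s+(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M)$")
FAILURE, SUCCESS = {"529"}, {"528", "540"}  # 528/540 assumed, not from the thread

def parse_events(text):
    """Split the export into dicts: id, time, plus each 'Key: Value' field."""
    events = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:  # "<event id> <date> <time>" starts a new record
            events.append({"id": m.group(1),
                           "time": datetime.strptime(m.group(2), "%m/%d/%Y %I:%M %p")})
        elif events and ":" in line:
            key, _, value = line.partition(":")
            events[-1][key.strip()] = value.strip()
    return events

def success_after_failures(events, min_failures=3, window=timedelta(minutes=30)):
    """Return (source, user, time, n) for successes preceded by >= min_failures failures."""
    failures, hits = {}, []  # failures: source address -> list of failure times
    for ev in sorted(events, key=lambda e: e["time"]):
        src = ev.get("Source Network Address", "-")
        if ev["id"] in FAILURE:
            failures.setdefault(src, []).append(ev["time"])
        elif ev["id"] in SUCCESS:
            recent = [t for t in failures.get(src, []) if ev["time"] - t <= window]
            if len(recent) >= min_failures:
                hits.append((src, ev.get("User Name"), ev["time"], len(recent)))
    return hits
```

On the constructed sample, `success_after_failures(parse_events(SAMPLE))` returns one hit, the 12:21 AM Administrator logon from 203.0.113.7 after three failures; the lone failure from 192.0.2.44 is not reported.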




