Re: SBS SP2 w/ISA Error 529



When you access a computer through Terminal Services, Remote Desktop or Remote Assistance, Windows logs the logon attempt with logon type 10.

Source port isn't the same as the port your server is listening on. Check your ISA logs; I think you'll find this particular logon attempt over port 3389. You could close port 3389, or block this particular IP, or only allow traffic on 3389 from certain IPs.

The Administrator account is by default exempt from lockout.



--
Les Connor [SBS MVP]


"Brian" <Brian@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:5D2537C3-B173-4F4C-BAE6-CD1AE985BEBA@xxxxxxxxxxxxxxxx
Thanks Les,

While that's all true, it does not address either of my questions.

Can anybody tell me how they are able to GET to the ports they are trying?
Why isn't ISA blocking them?

Also, why is my server unable to lock out the Administrator account??

Thanks!

"Les Connor [SBS MVP]" wrote:

Unauthorized logon attempts are a fact of life in today's environment,
unfortunately. They're for the most part 'drive by' attempts, on blocks of
IP addresses.

You can either disconnect your server from the internet, or allow *nothing*
in, or ensure you at least have impossibly hard to crack passwords. You can
go further if you like with two factor authentication for some things.

When you see failed logins, don't get excited. It's the ones that *succeed*
that you need be concerned about. If you see a string of attempts, check
your security log and see that there hasn't been a subsequent success.

--
Les Connor [SBS MVP]


"Brian" <Brian@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:97FFCB0E-2E5C-42F4-AB4D-CAB5E147AF62@xxxxxxxxxxxxxxxx
> Ok.. I see the other posts about Event Log Error 529… it seems to indicate
> that there is a hack attempt; if it is from an External IP and happens in
> bursts.
>
> Here are my questions:
>
> 1) How is it possible that the attacker is allowed to attempt to logon using
> ports that I believe ISA should be blocking?!? Each error lists a different
> port. (YES I ran CEICW)
>
> 2) What about Error 12294 in the SYSTEM LOG?
>
>
> Example of Errors:
>
> 1)529 12/2/2007 12:18 AM
> Logon Failure:
> Reason: Unknown user name or bad password
> User Name: Administrator
> Domain: MOBILE-MR
> Logon Type: 10
> Logon Process: User32
> Authentication Package: Negotiate
> Workstation Name: MOBILE01
> Caller User Name: MOBILE01$
> Caller Domain: MOBILE-MR
> Caller Logon ID: (0x0,0x3E7)
> Caller Process ID: 728
> Transited Services: -
> Source Network Address: 75.68.142.123
> Source Port: 1976 <---------How can this be getting through ISA?
>
> 2)SAM 12294 12/2/2007 12:18 AM
> The SAM database was unable to lockout the account of Administrator due to a
> resource error, such as a hard disk write failure (the specific error code is
> in the error data) . Accounts are locked after a certain number of bad
> passwords are provided so please consider resetting the password of the
> account mentioned above.
>
> Any insight would be appreciated!
> Thanks!
>
> Brian
>
>
>
>
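
The check suggested in the thread (after a string of failed logons, confirm there has been no subsequent success) can be scripted. This is an added example, not part of the original posts: it assumes Security log records exported as text in the layout of the 529 entry quoted above, treats event ID 528 as the Windows Server 2003 successful-logon event, and uses constructed function names, a constructed burst threshold and constructed sample addresses.

```python
import re
from collections import defaultdict
from datetime import datetime

FAILURE, SUCCESS = "529", "528"  # 528: successful logon on Windows Server 2003

# Constructed sample records (documentation-range addresses, not real log
# entries), laid out like the 529 example quoted in the thread.
def record(event_id, when, user, src):
    return f"{event_id} {when}\nUser Name: {user}\nSource Network Address: {src}\n"

SAMPLE = "\n".join(record(*r) for r in [
    ("529", "12/2/2007 12:18 AM", "Administrator", "203.0.113.7"),
    ("529", "12/2/2007 12:18 AM", "Administrator", "203.0.113.7"),
    ("529", "12/2/2007 12:19 AM", "Administrator", "203.0.113.7"),
    ("528", "12/2/2007 12:20 AM", "Administrator", "203.0.113.7"),
    ("529", "12/2/2007 12:30 AM", "admin", "198.51.100.20"),
    ("529", "12/2/2007 12:30 AM", "admin", "198.51.100.20"),
    ("529", "12/2/2007 12:31 AM", "admin", "198.51.100.20"),
    ("529", "12/2/2007 12:40 AM", "Administrator", "192.0.2.5"),
])

def parse(text):
    """Split blank-line-separated records into (time, event id, fields)."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        head, *rest = block.splitlines()
        m = re.match(r"\s*(\d+)\s+(\d+/\d+/\d+ \d+:\d+ [AP]M)", head)
        if not m:
            continue  # not an event header; skip the block
        fields = {k.strip(): v.strip()
                  for k, v in (l.split(":", 1) for l in rest if ":" in l)}
        when = datetime.strptime(m.group(2), "%m/%d/%Y %I:%M %p")
        events.append((when, m.group(1), fields))
    return sorted(events, key=lambda e: e[0])

def review(events, burst=3):
    """Per source with >= burst failures: (failure count, first later success)."""
    failures, hits = defaultdict(int), {}
    for when, event_id, fields in events:
        src = fields.get("Source Network Address", "-")
        if event_id == FAILURE:
            failures[src] += 1
        elif event_id == SUCCESS and failures[src] >= burst:
            hits.setdefault(src, (fields.get("User Name"), when))
    return {s: (n, hits.get(s)) for s, n in failures.items() if n >= burst}

if __name__ == "__main__":
    for src, (count, success) in review(parse(SAMPLE)).items():
        print(src, count, "failures; later success:", success)
```

A source that shows a later success is the one to investigate first; sources with failures only match the "drive by" pattern described in the thread.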

