RE: EventId: 529 - hacking attempt
- From: v-mileli@xxxxxxxxxxxxxxxxxxxx (Miles Li [MSFT])
- Date: Fri, 19 Sep 2008 10:50:06 GMT
Hello Nick,
Thank you for posting here.
According to your description, I understand that:
You receive Event ID 529 on the SBS server, which indicates an
authentication failure.
If I have misunderstood the problem, please don't hesitate to let me know.
Explanations:
=======
The "advapi" API is a logon process. The failure audit indicates that there
is a process or application making a call to LogonUser that has sent wrong
credentials. In this issue, the caller process is INetInfo from IIS. This
typically results from the SMTP client on the SBS server that tries to
provide a bad password/username for an account. You may test stopping
the SMTP client to check whether the issue happens again. If the SMTP
client is the root cause, you can enable the SMTP log, which will indicate the
caller IP address. To do that:
You can use protocol logging to track incoming commands that an SMTP
virtual server receives from SMTP clients and to track outgoing commands.
There are 4 types of protocol logs:
o Microsoft Internet Information Server (IIS) Log File Format
o NCSA Common Log File Format
o ODBC Log File Format
o W3C Extended Log File Format
The default SMTP protocol log format is the W3C Extended Log File Format.
You can use this log to select the information that you want to track. To
turn on W3C logging, follow these steps:
1. Start Exchange System Manager.
2. Expand Servers\Your_Server_Name\Protocols\SMTP.
3. Right-click SMTP Virtual Server, and then click Properties.
4. On the General tab, click to select the Enable Logging check box.
5. In the Active Log Format list, click W3C Extended Log File Format.
6. Click Properties.
7. On the General Properties tab, click the log schedule that you
want to use under New log schedule.
8. In the Log file directory box, type the path where you want to
keep the log files.
9. Click the Advanced tab, and then click to select the check box
next to each extended logging option in the Extended logging options list
that you want to track.
10. Click Apply, and then click OK to close Logging Properties.
11. Click Apply, and then click OK to save your settings and close SMTP
Virtual Server Properties.
821910 How to troubleshoot for Exchange Server 2003 transport
issues
http://support.microsoft.com/kb/821910/en-us
For more information about User Authentication Auditing, you may refer to:
305822 Failure Events Are Logged When the Welcome Screen Is Enabled
http://support.microsoft.com/kb/305822
174073 Auditing User Authentication
http://support.microsoft.com/kb/174073
Microsoft Windows 2000 Server and Windows Server 2003: Password and Account
Lockout Features
http://support.microsoft.com/default.aspx?scid=%2Fservicedesks%2Fwebcasts%2Fen%2Fwc022703%2Fwct022703.asp
Hope this helps. Also, if you have any questions or concerns, please do not
hesitate to let me know.
Best regards,
Miles Li
Microsoft Online Partner Support
Microsoft Global Technical Support Center
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
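Once the W3C Extended log from the reply above is enabled, the caller IP can be pulled out by matching SMTP AUTH commands against the times of the 529 events. The following is an added example, not part of the original post: it assumes the selected extended fields include date, time, c-ip and cs-method, the log text is constructed sample data, and the function names are hypothetical.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of an SMTP virtual server W3C Extended log (not real data).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-09-19 02:10:00
#Fields: date time c-ip cs-username cs-method
2008-09-19 02:10:01 203.0.113.7 mail.example.test EHLO
2008-09-19 02:10:02 203.0.113.7 mail.example.test AUTH
2008-09-19 02:10:09 203.0.113.7 mail.example.test AUTH
2008-09-19 02:11:30 192.168.16.20 desk01 EHLO
2008-09-19 02:11:31 192.168.16.20 desk01 MAIL
2008-09-19 03:45:00 198.51.100.9 other.example.test AUTH
"""

REQUIRED = {"date", "time", "c-ip", "cs-method"}

def parse_w3c(text):
    """Yield one dict per entry, honouring every #Fields directive in the file."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # the field set may change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))

def auth_sources(text, failures_utc, window_seconds=30):
    """Count AUTH commands per client IP that fall near a 529 failure time.

    W3C Extended logs are written in UTC, while Event Viewer shows local
    time, so convert the 529 timestamps to UTC before passing them in.
    """
    window = timedelta(seconds=window_seconds)
    hits = Counter()
    for row in parse_w3c(text):
        if not REQUIRED <= row.keys() or row["cs-method"].upper() != "AUTH":
            continue
        when = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        if any(abs(when - failure) <= window for failure in failures_utc):
            hits[row["c-ip"]] += 1
    return hits

if __name__ == "__main__":
    # Constructed 529 event time, already converted to UTC.
    print(auth_sources(SAMPLE_LOG, [datetime(2008, 9, 19, 2, 10, 5)]))
```

An address that keeps appearing next to the failure audits is the host to investigate; if no AUTH entries line up with the 529 events, the SMTP service is unlikely to be the caller.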