Re: Event ID 529



One more thing... You should be able to block any attempt from any IP, or a complete range of IPs, in your firewall. Various contributors to this space, Leythos in particular, often post a list of IPs that he blocks on the theory that none of his customers need to be dealing with the countries where these IPs are located. If you can't find such a list, post back and someone may give you a pointer.

--
Larry
Please post the resolution to your
issue so that others may benefit.


"Larry Struckmeyer [SBS-MVP]" <lstruckmeyer@xxxxxxxxxxxxxxx> wrote in message news:u69yaJYcJHA.1532@xxxxxxxxxxxxxxxxxxxxxxx
Hi Andy:

This has nothing to do with "Microsoft Solution". Any system exposed to the internet will be probed in this fashion. There are lots of bad guys and kids on the internet who probe constantly for unprotected systems to penetrate for fun, profit, or both.

The only thing you might find by changing to some other kind of system is that the system you change to will not record the probes. Which is better? To know that you have been probed or not to know?

There are several lines of defense, the first being the knowledge that such attacks are taking place. The next is a very strong pass phrase policy. Note that I said pass phrase, not password. Pass Phrase makes them much harder to guess, while being easy to remember. Such things as:

1234 Fifth StreeT!
Chicago Bears 22 DeTroiT Li0ns 7!
My D0g has 10K Flea$

At the very least you should run the password rules wizard and enforce strong passwords.

The next line of defense is a third party product. There are two levels, and you can use either one or both. First is a hardware firewall that sits on the perimeter of your network and requires that your users give user names and passwords, different from those for the network. Only then are they able to connect to the network, where they will be asked for their network user credentials.

Instead of, or in addition to the above, look at a product similar to that from Scorpion Software called Auth Anvil.

http://www.scorpionsoft.com/

This product requires that you type in a key given by a hardware device that you carry with you before you can enter. This enforces the rule: "something you know and something you have" to deny access to anyone who does not have both the password and the token.

You cannot escape the bad guys by not using MS products. The only way is to either completely disconnect from the internet, or to mitigate the risk by one or more of the above lines of defense.

--
Larry
Please post the resolution to your
issue so that others may benefit.


"Andy M" <support@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:6A8266A6-AEB5-4649-AFD0-A895321A5DBE@xxxxxxxxxxxxxxxx
Hello

Can anyone help?

We have a client which runs SBS2k3 and almost on every day blocks of either
50 to 100 or so, of the above events (see full details below), within a very
short space of time (minutes together) are recorded in the event logs.
Sometimes the Logon Type is different (e.g. 3), also the User Name can be
different such as "Webmaster" and the Caller Process ID can be different too.
I have had no luck searching for definite solution and my client has a major
concern that they are being "hacked" and confidence in a Microsoft solution
is waning very fast. I have read on various other sites that these messages
can be ignored. However, that's not very comforting to my client when we
can't track down the cause of the issue or to fully explain it, other than a
hack attempt. The client also moved site recently so the broadband package
is all new, I was hoping this would resolve the problem, but it hasn't.

Does anyone know why or how to stop the events from occurring?

Many thanks

Here is full event detail:-

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 06/01/2009
Time: 10:35:58
User: NT AUTHORITY\SYSTEM
Computer: <SERVER NAME>
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: admin
Domain: <SERVER DOMAIN>
Logon Type: 8
Logon Process: IIS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: <SERVER NAME>
Caller User Name: <SERVER NAME>$
Caller Domain: <SERVER DOMAIN>
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 2672
Transited Services: -
Source Network Address: -
Source Port: -


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


BTW, the MS Help and Support Center unfortunately isn't very helpful or
supportive with this issue.



Andy
MBS
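
Added example, not part of the original posts: a Python sketch that reads a text export of Security log entries in the layout quoted above, keeps the Event ID 529 records, and reports bursts of failures with the user names tried and the logon types seen. The function names, the day-first date format, the two-minute gap and the threshold of 50 (taken from the "50 to 100" in the question) are assumptions; Logon Type 8 is NetworkCleartext, and a "-" in Source Network Address means the client IP for a firewall rule has to come from another log, such as the IIS request logs.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Logon Type values Windows records in logon events.
LOGON_TYPES = {2: "Interactive", 3: "Network", 8: "NetworkCleartext", 10: "RemoteInteractive"}
FIELD = re.compile(r"(?m)^[ \t]*([A-Za-z ]+?):[ \t]*(\S.*?)[ \t]*$")

def parse_events(text):
    """Return the Event ID 529 records of a text export, oldest first."""
    events = []
    for chunk in text.split("Event Type:")[1:]:
        fields = dict(FIELD.findall(chunk))
        if fields.get("Event ID") == "529":
            # Assumption: day-first dates (dd/mm/yyyy), as the sample event suggests.
            stamp = fields["Date"] + " " + fields["Time"]
            fields["when"] = datetime.strptime(stamp, "%d/%m/%Y %H:%M:%S")
            events.append(fields)
    return sorted(events, key=lambda e: e["when"])

def find_bursts(events, gap=timedelta(minutes=2), threshold=50):
    """Group failures no more than `gap` apart; report groups of `threshold` or more."""
    groups = []
    for ev in events:
        if groups and ev["when"] - groups[-1][-1]["when"] <= gap:
            groups[-1].append(ev)
        else:
            groups.append([ev])
    return [{
        "start": g[0]["when"], "end": g[-1]["when"], "count": len(g),
        "user_names": Counter(e["User Name"] for e in g),
        "logon_types": sorted({LOGON_TYPES.get(int(e["Logon Type"]), "Other") for e in g}),
        # "-" means the event carries no client address to feed a firewall rule.
        "has_source_address": any(e.get("Source Network Address", "-") != "-" for e in g),
    } for g in groups if len(g) >= threshold]

# Constructed sample data: 60 failures two seconds apart, then one stray failure.
TEMPLATE = ("Event Type: Failure Audit\nEvent ID: 529\nDate: 06/01/2009\nTime: {t}\n"
            "Description:\nLogon Failure:\n  User Name: {u}\n  Logon Type: {lt}\n"
            "  Logon Process: IIS\n  Source Network Address: -\n\n")

def build_sample():
    start = datetime(2009, 1, 6, 10, 35, 58)
    rows = [(start + timedelta(seconds=2 * i), *(("admin", 8) if i % 3 else ("Webmaster", 3)))
            for i in range(60)] + [(datetime(2009, 1, 6, 15, 0, 0), "admin", 8)]
    return "".join(TEMPLATE.format(t=w.strftime("%H:%M:%S"), u=u, lt=lt) for w, u, lt in rows)

if __name__ == "__main__":
    print(find_bursts(parse_events(build_sample())))
```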


