Masses of 529 Errors!

Masses of 529 Errors!
Secure Home | Search | About
Login Password
Register Now! Lost Password?
 Microsoft Applications Security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content add this group's latest topics to your Google content
Subject Author Date
Masses of 529 Errors! Bill Glidden 05-11-2007
Posted by Bill Glidden on May 11, 2007, 8:00 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
I have often seen these errors in the security log at the rate of up to
hundreds in a 24 hour period, but in the last 24 hours I had 107,710 of
them. Is this something I should be worrying about? Obviously the fact that
I know about it means that who/whatever is doing this is unsuccessful. Below
is pasted one of the events:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 11/05/2007
Time: 10:20:37 PM
User: NT AUTHORITY\SYSTEM
Computer: <my sbs server>
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: anonymous
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: <my sbs server>
User Name: <my sbs server>
Caller Domain: <my domain>
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1216
Transited Services: -
Source Network Address: -
Source Port: -

Advice most welcome, please.

Bill




Posted by S. Pidgorny on May 11, 2007, 9:44 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
Splash in a botnets activity?

The access is denied, which is a good thing. Filling up the logs is
something to worry about.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

>I have often seen these errors in the security log at the rate of up to
>hundreds in a 24 hour period, but in the last 24 hours I had 107,710 of
>them. Is this something I should be worrying about? Obviously the fact that
>I know about it means that who/whatever is doing this is unsuccessful.
>Below is pasted one of the events:
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 529
> Date: 11/05/2007
> Time: 10:20:37 PM
> User: NT AUTHORITY\SYSTEM
> Computer: <my sbs server>
> Description:
> Logon Failure:
> Reason: Unknown user name or bad password
> User Name: anonymous
> Domain:
> Logon Type: 3
> Logon Process: Advapi
> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Workstation Name: <my sbs server>
> User Name: <my sbs server>
> Caller Domain: <my domain>
> Caller Logon ID: (0x0,0x3E7)
> Caller Process ID: 1216
> Transited Services: -
> Source Network Address: -
> Source Port: -
>
> Advice most welcome, please.
>
> Bill
>
>
>



Posted by Bill Glidden on May 11, 2007, 10:15 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
Thanks, Svyatoslav.

I am running SBS 2K3 with ISA 2004 behind a firewall/router:

Internet -- router -- SBS/ISA -- local LAN

What can I do about this, please?

Cheers,
Bill
> Splash in a botnets activity?
>
> The access is denied, which is a good thing. Filling up the logs is
> something to worry about.
>
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
>
> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
>
>>I have often seen these errors in the security log at the rate of up to
>>hundreds in a 24 hour period, but in the last 24 hours I had 107,710 of
>>them. Is this something I should be worrying about? Obviously the fact
>>that I know about it means that who/whatever is doing this is
>>unsuccessful. Below is pasted one of the events:
>>
>> Event Type: Failure Audit
>> Event Source: Security
>> Event Category: Logon/Logoff
>> Event ID: 529
>> Date: 11/05/2007
>> Time: 10:20:37 PM
>> User: NT AUTHORITY\SYSTEM
>> Computer: <my sbs server>
>> Description:
>> Logon Failure:
>> Reason: Unknown user name or bad password
>> User Name: anonymous
>> Domain:
>> Logon Type: 3
>> Logon Process: Advapi
>> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>> Workstation Name: <my sbs server>
>> User Name: <my sbs server>
>> Caller Domain: <my domain>
>> Caller Logon ID: (0x0,0x3E7)
>> Caller Process ID: 1216
>> Transited Services: -
>> Source Network Address: -
>> Source Port: -
>>
>> Advice most welcome, please.
>>
>> Bill
>>
>>
>>
>
>



Posted by S. Pidgorny on May 11, 2007, 11:44 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
I would analyse traffic coming through the Internet to see if there is a
correlation b/ween connection attempts and the failed logon attempt. I would
also consider implementing a network intrusion detection system (like
Snort -www.snort.org - it's free and runs on Windows) for such monitoring.

Also please post the question to SBS newsgroups.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

> Thanks, Svyatoslav.
>
> I am running SBS 2K3 with ISA 2004 behind a firewall/router:
>
> Internet -- router -- SBS/ISA -- local LAN
>
> What can I do about this, please?
>
> Cheers,
> Bill
>> Splash in a botnets activity?
>>
>> The access is denied, which is a good thing. Filling up the logs is
>> something to worry about.
>>
>> --
>> Svyatoslav Pidgorny, MS MVP - Security, MCSE
>> -= F1 is the key =-
>>
>> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
>>
>>>I have often seen these errors in the security log at the rate of up to
>>>hundreds in a 24 hour period, but in the last 24 hours I had 107,710 of
>>>them. Is this something I should be worrying about? Obviously the fact
>>>that I know about it means that who/whatever is doing this is
>>>unsuccessful. Below is pasted one of the events:
>>>
>>> Event Type: Failure Audit
>>> Event Source: Security
>>> Event Category: Logon/Logoff
>>> Event ID: 529
>>> Date: 11/05/2007
>>> Time: 10:20:37 PM
>>> User: NT AUTHORITY\SYSTEM
>>> Computer: <my sbs server>
>>> Description:
>>> Logon Failure:
>>> Reason: Unknown user name or bad password
>>> User Name: anonymous
>>> Domain:
>>> Logon Type: 3
>>> Logon Process: Advapi
>>> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>>> Workstation Name: <my sbs server>
>>> User Name: <my sbs server>
>>> Caller Domain: <my domain>
>>> Caller Logon ID: (0x0,0x3E7)
>>> Caller Process ID: 1216
>>> Transited Services: -
>>> Source Network Address: -
>>> Source Port: -
>>>
>>> Advice most welcome, please.
>>>
>>> Bill
>>>
>>>
>>>
>>
>>
>
>



Posted by Bill Glidden on May 12, 2007, 12:01 am
If you were  Registered and logged in, you could reply and use other advanced thread options
Thanks again, Svyatoslav.

I posted here because it looked like a security issue to me. I will have a
look at snort.

Cheers,
Bill

>I would analyse traffic coming through the Internet to see if there is a
>correlation b/ween connection attempts and the failed logon attempt. I
>would also consider implementing a network intrusion detection system (like
>Snort -www.snort.org - it's free and runs on Windows) for such monitoring.
>
> Also please post the question to SBS newsgroups.
>
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
>
> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
>
>> Thanks, Svyatoslav.
>>
>> I am running SBS 2K3 with ISA 2004 behind a firewall/router:
>>
>> Internet -- router -- SBS/ISA -- local LAN
>>
>> What can I do about this, please?
>>
>> Cheers,
>> Bill
>>> Splash in a botnets activity?
>>>
>>> The access is denied, which is a good thing. Filling up the logs is
>>> something to worry about.
>>>
>>> --
>>> Svyatoslav Pidgorny, MS MVP - Security, MCSE
>>> -= F1 is the key =-
>>>
>>> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
>>>
>>>>I have often seen these errors in the security log at the rate of up to
>>>>hundreds in a 24 hour period, but in the last 24 hours I had 107,710 of
>>>>them. Is this something I should be worrying about? Obviously the fact
>>>>that I know about it means that who/whatever is doing this is
>>>>unsuccessful. Below is pasted one of the events:
>>>>
>>>> Event Type: Failure Audit
>>>> Event Source: Security
>>>> Event Category: Logon/Logoff
>>>> Event ID: 529
>>>> Date: 11/05/2007
>>>> Time: 10:20:37 PM
>>>> User: NT AUTHORITY\SYSTEM
>>>> Computer: <my sbs server>
>>>> Description:
>>>> Logon Failure:
>>>> Reason: Unknown user name or bad password
>>>> User Name: anonymous
>>>> Domain:
>>>> Logon Type: 3
>>>> Logon Process: Advapi
>>>> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>>>> Workstation Name: <my sbs server>
>>>> User Name: <my sbs server>
>>>> Caller Domain: <my domain>
>>>> Caller Logon ID: (0x0,0x3E7)
>>>> Caller Process ID: 1216
>>>> Transited Services: -
>>>> Source Network Address: -
>>>> Source Port: -
>>>>
>>>> Advice most welcome, please.
>>>>
>>>> Bill
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>



Similar ThreadsPosted
EFS Errors August 16, 2005, 6:15 pm
Errors July 25, 2006, 11:35 am
560 Errors May 1, 2007, 7:28 am
winmm.dll errors May 3, 2006, 1:29 pm
Question about 529 errors May 31, 2007, 11:46 am
share premission errors February 13, 2008, 1:49 pm
security certificate errors October 6, 2008, 2:45 pm
security certificate errors October 6, 2008, 2:59 pm
Event ID Errors 537 on Member Server May 29, 2007, 3:55 pm
strange security errors with protocol transition September 26, 2007, 10:32 am

The site map in XML format XML site map

Contact Us | Privacy Policy