529 Logon Failures - 138 Events
Henry Craven {SBS-MVP}
People are using automated hacking tools looking for poorly secured machines. I'm not stressed by the failures. ... It worried the hell out of me the other day when I -didn't- see any. ... The thought occurred to me that they may just have cracked it. (Highly unlikely given the usernames and passphrases I use ... but then people do win the lottery, don't they?)

-- Henry Craven {SBS-MVP}

"Mike G" <> wrote in message news:767D318D-FF00-40BD-9E12-...

> My Server Security Log recorded (138) 529 logon failure events during a 15
> minute interval, one failure about every 6-7 seconds. The user names were
> male and female first names.
>
> Is there a way to trace this to the source to find out who is doing this?
> Also, is there a way to lock out the intruder? A sample of the event
> follows. Thanking you in advance for your help.
>
> Security 529 2/20/2005 7:27 PM 24 *
> Logon Failure:
> Reason: Unknown user name or bad password
> User Name: crack
> Domain:
> Logon Type: 3
> Logon Process: Advapi
> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Workstation Name: SERVER
> Caller User Name: SERVER$
> Caller Domain: domain
> Caller Logon ID: (0x0,0x3E7)
> Caller Process ID: 1828
> Transited Services: -
> Source Network Address: -
> Source Port: -
Terence Liu [MSFT]
Hello Mike,

Thank you for your post.

According to your description, I understand that you get many 529 event errors on your SBS server. If I have misunderstood the problem, please don't hesitate to let me know.

Based on my research, the behavior can happen when the machine password is not properly synced between SBS and internal clients, or from hacker activity that guessed the password. I suggest we try the following steps to see if we can resolve this issue:

1. Enable a complicated password policy.

Note: The Password Policy needs to be configured in the Default Domain Policy.

We can configure the settings under:

Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy

2. Configure account lockout policy.

Generally, it is a best-practice suggestion to set the Threshold value to 10 or higher. This is high enough to rule out user error and low enough to deter hackers, especially when the password complexity policy is enabled.

For medium security requirements, the recommended configurations are:

Reset account lockout counter after: 30
Account lockout duration: 30
Account Lockout Threshold: 10

For high security requirements, the recommendations are:

Reset account lockout counter after: 30
Account lockout duration: 0
Account Lockout Threshold: 10

For more information, please refer to:

Account Passwords and Policies
http://www.microsoft.com/technet/pro.../technologies/security/bpactlck.mspx

3. Check your firewall to ensure that only the necessary ports are opened.

4. Ensure the above settings have been successfully applied.

1) On the problematic SBS server, please run the following command to refresh the group policy changes:

GPUPDATE /FORCE

2) Run SECPOL.MSC and check the changed password, account lockout and auditing policies to see their effective settings, and ensure that the policies have been applied successfully.

If the policies have been applied successfully, we should have enhanced the security protection of that server.

5. The issue may occur if the remote SBS server sends broadcast packets to the network. I suggest you change the "nolmhash" value to "0" in the following registry key on the SBS server:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA

Reboot the server for this change to take effect and check whether the event still appears.

6. If the event still appears, go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\Parameters and set "enablesecuritysignature" and "requiresecuritysignature" to "0". Reboot the server and check if everything is OK.

7. There are several running processes on the computer that will attempt to connect using the machine account. This behavior can happen when the machine password is not properly synced.

In order to reset the machine account password of a domain controller, use:

NETDOM RESETPWD /Server:ServerName /UserD:Administrator /PasswordD:*

The syntax of this command is:

NETDOM RESETPWD /Server:domain-controller /UserD:user /PasswordD:[password | *]

NETDOM RESETPWD resets the machine account password for the domain controller on which this command is run. Currently there is no support for resetting the machine password of a remote machine or a member server. All parameters must be specified.

/Server     Name of a specific domain controller that should have its machine account password reset.
/UserD      User account used to make the connection with the domain controller specified by the /Server argument.
/PasswordD  Password of the user account specified with /UserD. A * means to prompt for the password.

After completing the command, reboot the server.

If we cannot resolve the issue after we perform the above steps, please kindly help me collect some information for further investigation:

Save the security event log as .evt files on the problematic machine and send to my mailbox: v-

Hope these steps will give you some help.

Thanks and have a nice day!

Best regards,

Terence Liu (MSFT)
Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues regarding other Microsoft products, you'd better post in the corresponding newsgroups so that they can be resolved in an efficient and timely manner. You can locate the newsgroup here:
http://www.microsoft.com/communities...s/default.aspx

When opening a new thread via the web interface, we recommend you check the "Notify me of replies" box to receive e-mail notifications when there are any updates in your thread. When responding to posts via your newsreader, please "Reply to Group" so that others may learn and benefit from your issue.

Microsoft engineers can only focus on one issue per thread. Although we provide other information for your reference, we recommend you post different incidents in different threads to keep the thread clean. In doing so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| Thread-Topic: 529 Logon Failures - 138 Events
| thread-index: AcepV7e4NxSNDyb1TbGqNCpBlGz1gA==
| X-WBNR-Posting-Host: 207.46.193.207
| From: =?Utf-8?B?TWlrZSBH?= <>
| Subject: 529 Logon Failures - 138 Events
| Date: Thu, 7 Jun 2007 16:01:01 -0700
| Lines: 25
| Message-ID: <767D318D-FF00-40BD-9E12->
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="Utf-8"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| Content-Class: urn:content-classes:message
| Importance: normal
| Priority: normal
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2826
| Newsgroups: microsoft.public.windows.server.sbs
| Path: TK2MSFTNGHUB02.phx.gbl
| Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.sbs:42538
| NNTP-Posting-Host: tk2msftibfm01.phx.gbl 10.40.244.149
| X-Tomcat-NG: microsoft.public.windows.server.sbs
|
| <snip>
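Mike's first question was how to trace the burst to its source, and Terence's steps are all policy. Before changing policy, a practitioner wants a quick triage of the 529 records themselves. The following is an added example, not code from any post in this thread: it parses records in the layout Mike pasted, measures the spacing between attempts, checks the tried names against a list of real accounts, and flags the combination Logon Type 3 / Logon Process Advapi / Caller User Name SERVER$ / blank Source Network Address. That combination means a process on the server itself (typically IIS authenticating an OWA or RWW request) called LogonUser on the remote client's behalf, so the client's address is never written to the security log and has to be recovered from that service's own logs. The event text, the timestamps and the account list are constructed, modelled on the thread's sample.

```python
"""Triage of Windows Server 2003 security event 529 records (added example)."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: six records in the layout Mike pasted, 6-7 seconds apart,
# mostly first names plus one name that does exist in the constructed directory.
RECORD = """Security 529 {ts}
Logon Failure:
Reason: Unknown user name or bad password
User Name: {user}
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SERVER
Caller User Name: SERVER$
Caller Domain: domain
Caller Logon ID: (0x0,0x3E7)
Source Network Address: -
Source Port: -
"""
BURST = [("2/20/2005 7:27:00 PM", "crack"), ("2/20/2005 7:27:07 PM", "john"),
         ("2/20/2005 7:27:13 PM", "mary"), ("2/20/2005 7:27:20 PM", "mgreen"),
         ("2/20/2005 7:27:26 PM", "david"), ("2/20/2005 7:27:33 PM", "susan")]
SAMPLE_EVENTS = "".join(RECORD.format(ts=ts, user=u) for ts, u in BURST)
KNOWN_ACCOUNTS = {"administrator", "mgreen", "jsmith"}   # constructed account list

# One record starts at each "Security 529 <date> <time>" header line.
RECORD_RE = re.compile(r"^Security 529 (\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)$", re.M)
# "Key: value" lines; [ \t]* rather than \s* so an empty value (Domain:) does not swallow the next line.
FIELD_RE = re.compile(r"^([A-Za-z ]+):[ \t]*(.*)$", re.M)


def parse_529(text):
    """Split an exported event-log text into one dict per 529 record."""
    parts = RECORD_RE.split(text)            # [preamble, ts1, body1, ts2, body2, ...]
    events = []
    for ts, body in zip(parts[1::2], parts[2::2]):
        ev = {k.strip(): v.strip() for k, v in FIELD_RE.findall(body)}
        ev["time"] = datetime.strptime(ts, "%m/%d/%Y %I:%M:%S %p")
        events.append(ev)
    return events


def triage(events, known_accounts):
    """Summarise a burst: who was targeted, how fast, and whether the source IP is even present."""
    names = Counter(e["User Name"].lower() for e in events)
    times = sorted(e["time"] for e in events)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    # Logon Type 3 + Advapi + blank source address: a service on this server called
    # LogonUser for a remote client, so the client IP is not in the security log.
    mediated = sum(1 for e in events
                   if e.get("Logon Type") == "3" and e.get("Logon Process") == "Advapi"
                   and e.get("Source Network Address", "-") == "-")
    return {
        "events": len(events),
        "distinct_names": len(names),
        "names_not_in_directory": sorted(n for n in names if n not in known_accounts),
        "real_accounts_targeted": sorted(n for n in names if n in known_accounts),
        "mean_gap_seconds": sum(gaps) / len(gaps) if gaps else None,
        "app_mediated_no_source_ip": mediated,
    }


if __name__ == "__main__":
    for key, value in triage(parse_529(SAMPLE_EVENTS), KNOWN_ACCOUNTS).items():
        print(f"{key}: {value}")
```

The two numbers that matter are `real_accounts_targeted` and `app_mediated_no_source_ip`: the first says whether any account can actually be locked or guessed (a name that is not an account generates 529 and nothing else), the second says whether the security log can name the attacker at all; when it is the whole burst, go to the IIS logs for the address rather than to the router for a port.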
Mike G
I am using complex passwords.... I have not configured the lockout feature.

Can I configure a lockout policy for the server itself? How does this work? If I lock the server, will I be able to unlock it to do maintenance?

I have printed the account and password policies and will review them. Thank you!

"Terence Liu [MSFT]" wrote:

> Hello Mike,
>
> Thank you for your post.
> <snip>
Mike G
My router only forwards ports for Exchange mail, RWW, OWA and Terminal Server. I did not see any ports identified in the event log failures. How did they get through my router to my server? What port did they use??? Thanks again!

"Terence Liu [MSFT]" wrote:

> Hello Mike,
>
> Thank you for your post.
> <snip>
Owen Williams [SBS MVP]
In article <767D318D-FF00-40BD-9E12->, says...

Sounds like the same hacker was snooping around one of my clients. This morning's Server Performance Report showed exactly 138 Event 529. Investigation indicates an automated probe trying various first names (Dick, Jane, etc.) for the account name.

As Henry says, as long as you have a good password policy you should be fine. The hacker will most likely move on. I also use a <first initial><last name> naming convention at most of my clients, which makes it harder to match an account name.

-- Owen Williams (SBS MVP)

> My Server Security Log recorded (138) 529 logon failure events during a 15
> minute interval, one failure about every 6-7 seconds. The user names were
> male and female first names.
> <snip>
chuckie126
I had the same issue this morning. The Server Performance Report showed exactly 138 Event 529.

Is there a way to tell if they were trying through RWW or OWA?

"Owen Williams [SBS MVP]" wrote:

> Sounds like the same hacker was snooping around one of my clients. This
> morning's Server Performance Report showed exactly 138 Event 529.
> <snip>
Owen Williams [SBS MVP]
In article <89BD8148-F2D1-4C9D-B2CD->, chuckie126@discussions.microsoft.com says...

> I had the same issue this morning. The Server Performance Report showed
> exactly 138 Event 529.
>
> Is there a way to tell if they were trying through RWW or OWA?

Not sure, but probably doesn't matter much. Unless you are using something like RWW Guard (http://www.scorpionsoft.com/products/rww-guard/), the attack mechanism is similar. This is why password policies are important.

-- Owen Williams [SBS MVP]
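chuckie126 asked whether the attempts came in through RWW or OWA, and Mike asked which port got through his router. Since the 529 records carry no source address, both answers live in the IIS site logs, which record the client IP, the URI and the submitted user name for every request IIS rejected; the forwarded web ports for OWA and RWW are most likely the path, and the log says which. The following added example (not code from the thread) correlates a constructed W3SVC log excerpt with the burst window. Its assumptions: IIS 6 writes W3C logs with UTC timestamps while the security log is local time (UTC-5 here); /exchange/ and /Remote/ stand in for the OWA and RWW paths, which may differ on a real site; and a rejected credential is logged as status 401 substatus 1, while the 401.2 sent before any credential is only the challenge.

```python
"""Recovering the client address behind an OWA/RWW password-guessing burst from IIS logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed W3SVC log excerpt in IIS 6 W3C format, fields trimmed to what this needs.
# Paths are assumptions: /exchange/ stands for OWA, /Remote/ for RWW.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-username sc-status sc-substatus
2005-02-21 00:26:58 203.0.113.45 GET /exchange/ - 401 2
2005-02-21 00:27:00 203.0.113.45 GET /exchange/ crack 401 1
2005-02-21 00:27:07 203.0.113.45 GET /exchange/ john 401 1
2005-02-21 00:27:13 203.0.113.45 GET /exchange/ mary 401 1
2005-02-21 00:27:20 203.0.113.45 GET /exchange/ mgreen 401 1
2005-02-21 00:27:26 203.0.113.45 GET /exchange/ david 401 1
2005-02-21 00:27:33 203.0.113.45 GET /exchange/ susan 401 1
2005-02-21 00:28:10 192.168.16.22 GET /exchange/ jsmith 200 0
2005-02-21 01:15:02 198.51.100.9 GET /Remote/ - 401 2
"""

# IIS 6 logs in UTC; the security event log is local time. Assumed site offset: UTC-5.
LOCAL_UTC_OFFSET = timedelta(hours=-5)
# The burst window taken from the 529 records (local time), constructed to match the thread.
BURST_START = datetime(2005, 2, 20, 19, 27, 0)
BURST_END = datetime(2005, 2, 20, 19, 27, 33)


def parse_w3c(text):
    """Parse W3C extended log lines into dicts keyed by the names in the #Fields directive."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            row = dict(zip(fields, line.split(" ")))
            row["utc"] = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
            rows.append(row)
    return rows


def failed_logons(rows, start, end, utc_offset):
    """Map (client IP, URI) -> user names whose credentials IIS rejected inside a local-time window.

    401 substatus 1 is a rejected credential; the 401.2 that precedes any credential is the
    challenge, not an attempt, so it is not counted."""
    attempts = defaultdict(list)
    for r in rows:
        local = r["utc"] + utc_offset
        if start <= local <= end and r["sc-status"] == "401" and r["sc-substatus"] == "1":
            attempts[(r["c-ip"], r["cs-uri-stem"])].append(r["cs-username"])
    return dict(attempts)


def attackers_in_burst():
    """The correlation for the constructed burst: who hit which URI during the 529 window."""
    return failed_logons(parse_w3c(IIS_LOG), BURST_START, BURST_END, LOCAL_UTC_OFFSET)


if __name__ == "__main__":
    for (ip, uri), names in attackers_in_burst().items():
        print(f"{ip} {uri}: {len(names)} rejected logons, names tried: {names}")
```

The user names in the IIS column should line up one-for-one with the User Name field of the 529 records in the same window; when they do, the c-ip column is the address to block at the router, and the URI tells you whether it was the OWA or the RWW path. A burst that shows up in the security log but not in any IIS log came through something else (for example the forwarded Terminal Server port), which is a different investigation.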
Owen Williams [SBS MVP]
In article <ACD54AAA-05B6-43CB-945E->, says...

> I am using complex passwords.... I have not configured the lockout feature.
>
> Can I configure a lockout policy for the server itself? How does this work?
> If I lock the server, will I be able to unlock it to do maintenance?

You should not need to do anything with account lockout - the out-of-box SBS configuration has account lockout configured. It's in the Default Domain Policy GPO (Computer Configuration | Windows Settings | Security Settings | Account Policies | Account Lockout Policy).

-- Owen Williams [SBS MVP]
Terence Liu [MSFT]
Hello Mike,

Thank you for the kind update.

1. Enabling a complicated password policy is not the same as using a complicated password for one or several user accounts. After you enable this policy in the Default Domain Controllers Policy, every user account on SBS must meet the complicated password requirement.

Note: you can find the Default Domain Controllers Policy here: SBS -> Server Management console -> Advanced Management -> Group Policy Management -> Forest -> Domains -> SBS.local -> Group Policy Objects

2. Configure account lockout policy.

The account lockout policy only affects the user account; it does not lock out the whole server. You can use another account to log on to SBS and unlock this account.

The policy settings:

Reset account lockout counter after: 30
Account lockout duration: 0
Account Lockout Threshold: 10

It means: when someone enters the wrong password 10 times for one account within 30 minutes (someone attempting the password), the account will lock out. Then you can log on to SBS with another Domain Admins account, open the locked-out user account's properties in ADUC (Active Directory Users and Computers), and under the Account tab clear the option "Account is locked out"; it will unlock the account. This policy will stop the hacker's unlimited password attempts.

If you configure the policy in the Default Domain Controllers Policy, the policy will only be enabled on SBS.

3. For the port number in the error log.

If the Source Network Address in the log is an internal IP, the Source Port will be random. The internal clients do not have limitations on accessing SBS.

If the Source Network Address in the log is an external IP, and the Source Port is random, you have to check the router settings. Please contact your router vendor for help.

Please perform the other steps in my previous reply.

I hope everything is going well. If there's anything else I can do for you, please do not hesitate to let me know.

Thank you and have a nice day,

Best regards,

Terence Liu (MSFT)
Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

--------------------
| Thread-Topic: 529 Logon Failures - 138 Events
| From: =?Utf-8?B?TWlrZSBH?= <>
| Subject: RE: 529 Logon Failures - 138 Events
| Date: Fri, 8 Jun 2007 06:00:01 -0700
| Message-ID: <4E5C8B65-AA48-4D4E-B952->
| Newsgroups: microsoft.public.windows.server.sbs
|
| My router only forwards ports for Exchange mail, RWW, OWA and Terminal
| Server. I did not see any ports identified in the event log failures. How
| did they get through my router to my server? What port did they use??? Thanks
| again!
|
| "Terence Liu [MSFT]" wrote:
| <snip>
- www.microsoft.com/security | > | > ================================================== === | > This newsgroup only focuses on SBS technical issues. If you have issues | > regarding other Microsoft products, you'd better post in the corresponding | > newsgroups so that they can be resolved in an efficient and timely manner. | > You can locate the newsgroup here: | > http://www.microsoft.com/communities...s/default.aspx | > | > When opening a new thread via the web interface, we recommend you check the | > "Notify me of replies" box to receive e-mail notifications when there are | > any updates in your thread. When responding to posts via your newsreader, | > please "Reply to Group" so that others may learn and benefit from your | > issue. | > | > Microsoft engineers can only focus on one issue per thread. Although we | > provide other information for your reference, we recommend you post | > different incidents in different threads to keep the thread clean. In doing | > so, it will ensure your issues are resolved in a timely manner. | > | > For urgent issues, you may want to contact Microsoft CSS directly. Please | > check http://support.microsoft.com for regional support phone numbers. | > | > Any input or comments in this thread are highly appreciated. | > ================================================== === | > | > This posting is provided "AS IS" with no warranties, and confers no rights. 
| > | > -------------------- | > | Thread-Topic: 529 Logon Failures - 138 Events | > | thread-index: AcepV7e4NxSNDyb1TbGqNCpBlGz1gA== | > | X-WBNR-Posting-Host: 207.46.193.207 | > | From: =?Utf-8?B?TWlrZSBH?= <> | > | Subject: 529 Logon Failures - 138 Events | > | Date: Thu, 7 Jun 2007 16:01:01 -0700 | > | Lines: 25 | > | Message-ID: <767D318D-FF00-40BD-9E12-> | > | MIME-Version: 1.0 | > | Content-Type: text/plain; | > | charset="Utf-8" | > | Content-Transfer-Encoding: 7bit | > | X-Newsreader: Microsoft CDO for Windows 2000 | > | Content-Class: urn:content-classes:message | > | Importance: normal | > | Priority: normal | > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2826 | > | Newsgroups: microsoft.public.windows.server.sbs | > | Path: TK2MSFTNGHUB02.phx.gbl | > | Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.sbs:42538 | > | NNTP-Posting-Host: tk2msftibfm01.phx.gbl 10.40.244.149 | > | X-Tomcat-NG: microsoft.public.windows.server.sbs | > | | > | My Server Security Log recorded (138) 529 logon failure events during a | > 15 | > | minute interval. one failure about every 6-7 seconds.The user names were | > male | > | and female first names. | > | | > | Is there a way to trace this to the source to find out who is doing this? | > | Also, is there a way to lock out the intruder? A sample of the event | > follows. | > | Thanking you in advance for your help. | > | | > | Security 529 2/20/2005 7:27 PM 24 * | > | Logon Failure: | > | Reason: Unknown user name or bad password | > | User Name: crack | > | Domain: | > | Logon Type: 3 | > | Logon Process: Advapi | > | Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 | > | Workstation Name: SERVER | > | Caller User Name: SERVER$ | > | Caller Domain: domain | > | Caller Logon ID: (0x0,0x3E7) | > | Caller Process ID: 1828 | > | Transited Services: - | > | Source Network Address: - | > | Source Port: - | > | | > | | > | > | |
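The thread leaves two questions open that the event fields themselves answer: whether the lockout threshold Terence recommends would ever fire against this burst, and why no port or source address shows up. The script below is an added example, not code from the thread or from Microsoft. It assumes the Security log was saved as text with one 529 event per block in the field layout Mike quoted; every user name, timestamp and PID in the sample is constructed. It measures the rate of the burst, checks whether names repeat (per-account guessing, which lockout stops) or each name is tried once (a spray across accounts, which the per-account threshold never reaches), and flags the Advapi/no-source-address combination, which means a process on the server called LogonUser on the attacker's behalf, so the caller PID, not a firewall port, is what to look up next.

```python
"""Triage a burst of Windows 529 logon-failure events exported as text.

Added example, not code from the thread or from Microsoft. It assumes the
Security log was saved as text with one 529 event per block in the field
layout quoted in the thread; all user names, timestamps and PIDs below are
constructed sample data.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# One 529 event in the field layout quoted in the thread (constructed values).
EVENT_TEMPLATE = (
    "Security 529 {ts}\n"
    "Logon Failure:\n"
    "Reason: Unknown user name or bad password\n"
    "User Name: {user}\n"
    "Domain:\n"
    "Logon Type: 3\n"
    "Logon Process: Advapi\n"
    "Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
    "Workstation Name: SERVER\n"
    "Caller User Name: SERVER$\n"
    "Caller Domain: domain\n"
    "Caller Logon ID: (0x0,0x3E7)\n"
    "Caller Process ID: {pid}\n"
    "Transited Services: -\n"
    "Source Network Address: -\n"
    "Source Port: -\n"
)

HEADER_RE = re.compile(r"^Security 529 (?P<ts>.+)$")
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*):\s*(?P<val>.*)$")


def build_sample(users, start=None, step_seconds=6.5, pid=1828):
    """Render one constructed event per user name, step_seconds apart."""
    start = start or datetime(2005, 2, 20, 19, 27, 0)  # hypothetical start time
    blocks = []
    for i, user in enumerate(users):
        ts = (start + timedelta(seconds=i * step_seconds)).strftime("%m/%d/%Y %I:%M:%S %p")
        blocks.append(EVENT_TEMPLATE.format(ts=ts, user=user, pid=pid))
    return "\n".join(blocks)


def parse_529_events(text):
    """Split exported text into one dict per event, keyed by the field names."""
    events, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = {"time": datetime.strptime(m.group("ts"), "%m/%d/%Y %I:%M:%S %p")}
            events.append(current)
        elif current is not None:
            f = FIELD_RE.match(line)
            if f:
                current[f.group("key")] = f.group("val").strip()
    return events


def summarize(events, lockout_threshold=10):
    """Rate, name reuse and origin of the burst, plus whether lockout would fire."""
    n = len(events)
    if n == 0:
        return {"count": 0}
    times = sorted(e["time"] for e in events)
    span = (times[-1] - times[0]).total_seconds()
    per_user = Counter(e.get("User Name", "").lower() for e in events)
    return {
        "count": n,
        "span_s": span,
        "mean_interval_s": span / (n - 1) if n > 1 else 0.0,
        "distinct_users": len(per_user),
        "max_per_user": max(per_user.values()),
        # The lockout threshold counts failures per account; a spray that
        # touches each name once or twice never reaches it.
        "lockout_would_trigger": max(per_user.values()) >= lockout_threshold,
        "logon_processes": Counter(e.get("Logon Process", "") for e in events),
        "caller_pids": Counter(e.get("Caller Process ID", "") for e in events),
        "sources": Counter(e.get("Source Network Address", "") for e in events),
    }


def assess(summary):
    """Plain-language findings for the defender."""
    findings = []
    if summary.get("count", 0) == 0:
        return findings
    if summary["distinct_users"] >= 0.8 * summary["count"] and summary["max_per_user"] < 3:
        findings.append("password spray: each name tried about once, so the "
                        "per-account lockout threshold will not fire")
    if summary["sources"].get("-", 0) == summary["count"] and "Advapi" in summary["logon_processes"]:
        pid = summary["caller_pids"].most_common(1)[0][0]
        findings.append(f"Advapi logon with no source address: a process on the server "
                        f"itself (caller PID {pid}) called LogonUser; identify that process "
                        f"and the published service in front of it rather than a firewall port")
    return findings


if __name__ == "__main__":
    names = ["alice", "bob", "carol", "dave", "eve", "frank", "grace", "heidi"]
    s = summarize(parse_529_events(build_sample(names)))
    print(f"{s['count']} failures over {s['span_s']:.0f}s, one every {s['mean_interval_s']:.1f}s")
    for finding in assess(s):
        print("-", finding)
```

Run against a real export, replace `build_sample(...)` with the saved text; the two findings are what decide the next step: a spray means the lockout policy alone will not stop it and the application doing the authentication has to be identified (the PID in the event, matched against the process list taken at the time), while a single hammered account is exactly the case the threshold of 10 handles.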