Getting lots of security errors in Security Log - Event ID 680 & 529

Discussion in 'Windows Small Business Server' started by Mike Webb, Apr 24, 2007.

  1. Mike Webb

    Mike Webb Guest

    Running SBS 2003 Premium, ISA 2004, SQL, WSUS, 2 NIC's and a router,
    Symantec Backup Exec 11d, dynamic IP, DDNS service through dyndns.org.
    ============================
    My weekly Server Report has over 5,000 logon errors for the Administrator
    account. Checking the logs and their links, seems to be a bad password.
    Can't tell where or what service, so I don't know where to go from here. I
    suspect I'm seeing hack attempts.

    Any advice/comments?
     
    Mike Webb, Apr 24, 2007
    #1

  2. Hello Mike,

    Thank you for your post.

    According to your description, I understand that you get many 529 and 680
    event errors on your SBS server. If I have misunderstood the problem,
    please don't hesitate to let me know.

    Based on my research, I suggest we try the following steps to see if we can
    resolve this issue:

    For the event 529:

    First, I have to set the expectation that this may be hacker activity that
    guessed the administrator password. I suggest we try the following steps to
    improve your SBS security level:

    1. Enable a complicated password policy.

    Note: The Password Policy needs to be configured in the Default Domain Policy.

    We can configure the settings under:

    Computer Configuration\Windows Settings\Security Settings\Account
    Policies\Password Policy

    2. Configure account lockout policy.

    Generally, it is a best-practice suggestion to set the Threshold value to
    10 or higher. This is high enough to rule out user error and low enough to
    deter hackers, especially when the password complexity policy is enabled.

    For a medium security requirement, the recommended configurations are:

    Reset account lockout counter after: 30
    Account lockout duration: 30
    Account Lockout Threshold: 10

    For a high security requirement, the recommendations are:

    Reset account lockout counter after: 30
    Account lockout duration: 0
    Account Lockout Threshold: 10

    For more information, please refer to:

    Account Passwords and Policies
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

    3. Check your firewall to ensure that only the necessary ports are opened.

    4. Ensure the above settings have been successfully applied.

    1) On the problematic SBS server, please run the following command to
    refresh the group policy changes:

    GPUPDATE /FORCE

    2) Run SECPOL.MSC and check the above changed password, Account lockout and
    auditing policies to see their effective settings, and ensure that the
    policies have been applied successfully.

    If the policies have been applied successfully, we should have enhanced the
    security protection of that server.

    5. The issue may occur if the remote SBS server sends broadcast packets to
    the network. I suggest you change the "nolmhash" value to "0" in the
    following registry key on the SBS server:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA

    Reboot the server for this change to take effect and check if the event
    does not appear.

    6. If the event still appears, go to
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\Parameters
    and set "enablesecuritysignature" and "requiresecuritysignature" to "0".
    Reboot the server and check if everything is OK.

    7. There are several running processes on the computer that will attempt to
    connect using the machine account.

    This behavior can happen when the machine password is not properly synced.

    In order to reset the machine account password of a domain controller use:

    NETDOM RESETPWD /Server:ServerName /UserD:Administrator /PasswordD:*

    The syntax of this command is:
    NETDOM RESETPWD /Server:domain-controller /UserD:user /PasswordD:[password | *]

    NETDOM RESETPWD resets the machine account password for the domain
    controller on which this command is run. Currently there is no support for
    resetting the machine password of a remote machine or a member server. All
    parameters must be specified.

    /Server     Name of a specific domain controller that should have its
                machine account password reset.

    /UserD      User account used to make the connection with the domain
                controller specified by the /Server argument.

    /PasswordD  Password of the user account specified with /UserD. A *
                means to prompt for the password.

    After completing the command, reboot the server.

    For the event 680:

    Based on my research, the specified event does not mean a real issue on the
    client side in most situations. The most likely reason for this issue is
    that a service or application on a certain computer in the domain is still
    trying to use the old password of this account for domain authentication.
    Also, it could be normal behavior since the SBS server has some services
    open to the internet. For example, when a user wrongly inputs the
    username/password, the event will also be triggered in some cases.
    Therefore, you can simply ignore it if there is no business impact.

    Suggestions:

    1. Please refer to this KB article to reset the security channel on the SBS
    Server:

    830069 You receive the "The target principal name is incorrect" error message
    http://support.microsoft.com/?id=830069

    2. You can check the time/timezone setting on these clients and the SBS box
    to verify whether the time on them has been synced.

    3. Please follow the steps below to disable auditing policies:

    a. Click Start -> All Programs -> Administrative Tools -> Default Domain
    Security Policy.

    b. Expand Security Settings -> Local Policies -> Audit Policy.

    c. In the right pane, double click the auditing policy. Let's disable all
    event auditing.

    If we cannot resolve the issue after we perform the above steps, please
    kindly help me collect some information for further investigation:

    Save the security event log as .evt files on the problematic machine and
    send them to my mailbox:

    Hope these steps will give you some help.

    Thanks and have a nice day!

    Best regards,

    Terence Liu (MSFT)

    Microsoft CSS Online Newsgroup Support

    Get Secure! - www.microsoft.com/security

    =====================================================
    This newsgroup only focuses on SBS technical issues. If you have issues
    regarding other Microsoft products, you'd better post in the corresponding
    newsgroups so that they can be resolved in an efficient and timely manner.
    You can locate the newsgroup here:
    http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

    When opening a new thread via the web interface, we recommend you check the
    "Notify me of replies" box to receive e-mail notifications when there are
    any updates in your thread. When responding to posts via your newsreader,
    please "Reply to Group" so that others may learn and benefit from your
    issue.

    Microsoft engineers can only focus on one issue per thread. Although we
    provide other information for your reference, we recommend you post
    different incidents in different threads to keep the thread clean. In doing
    so, it will ensure your issues are resolved in a timely manner.

    For urgent issues, you may want to contact Microsoft CSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.

    Any input or comments in this thread are highly appreciated.
    =====================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.

     
    Terence Liu [MSFT], Apr 25, 2007
    #2
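The original poster's real problem is that the Server Report says "bad password" 5,000 times but not from where. The reply above covers two things a script can do for you: find the source of the 529/680 noise (a stale service credential on one workstation looks very different from guessing from the internet), and confirm that the lockout values recommended in steps 2 and 4 are actually in force after GPUPDATE /FORCE. The following is an added example, not code from the thread or from Microsoft; it assumes Windows PowerShell 2.0 or later with the classic Get-EventLog cmdlet, English event text, and that it is run in an elevated prompt on the SBS server (which is a domain controller, so `net accounts /domain` reports the effective domain policy). The function names, the error-code table and the field regexes are mine.

```powershell
# Added example (not part of the thread): triage 529/680 failures by source and
# confirm the account lockout policy took effect. Assumes Windows PowerShell 2.0+,
# the classic Get-EventLog cmdlet and English event text; run elevated on the DC.

# NTSTATUS values that event 680 reports in its "Error Code:" field.
$ErrorCodeNames = @{
    '0xC000006A' = 'wrong password'
    '0xC0000064' = 'user name does not exist'
    '0xC0000234' = 'account locked out'
    '0xC0000072' = 'account disabled'
    '0xC000006F' = 'outside permitted logon hours'
}

function Get-FailedLogonSummary {
    param([datetime]$After = (Get-Date).AddDays(-7))
    # 529 = logon failure, unknown user name or bad password (Logon/Logoff audit)
    # 680 = NTLM credential validation attempt and its result (Account Logon audit)
    Get-EventLog -LogName Security -After $After |
        Where-Object { 529, 680 -contains $_.EventID } |
        ForEach-Object {
            $msg = $_.Message
            # The two events label their fields differently; take whichever is present.
            $user = if ($msg -match 'Logon [Aa]ccount:\s*(\S+)') { $matches[1] }
                    elseif ($msg -match 'User Name:\s*(\S+)')    { $matches[1] } else { '?' }
            $station = if ($msg -match 'Source Workstation:\s*(\S+)') { $matches[1] }
                       elseif ($msg -match 'Workstation Name:\s*(\S+)') { $matches[1] } else { '?' }
            $addr = if ($msg -match 'Source Network Address:\s*(\S+)') { $matches[1] } else { '-' }
            $type = if ($msg -match 'Logon Type:\s*(\d+)') { [int]$matches[1] } else { $null }
            $code = if ($msg -match 'Error Code:\s*(0x[0-9A-Fa-f]+)') { $matches[1] } else { '-' }
            $reason = if ($ErrorCodeNames.ContainsKey($code)) { $ErrorCodeNames[$code] } else { '-' }
            New-Object PSObject -Property @{
                Time        = $_.TimeGenerated
                EventId     = $_.EventID
                User        = $user
                Workstation = $station
                Address     = $addr
                LogonType   = $type
                ErrorCode   = $code
                Reason      = $reason
            }
        }
}

function Get-FailedLogonSources {
    # Counts failures per (event, account, workstation, address, reason) so the
    # top rows show which machine, with which error, is producing the volume.
    param([int]$Top = 20, [datetime]$After = (Get-Date).AddDays(-7))
    Get-FailedLogonSummary -After $After |
        Group-Object EventId, User, Workstation, Address, Reason |
        Sort-Object Count -Descending |
        Select-Object -First $Top Count, Name
}

function Test-LockoutPolicy {
    # Reads the effective values from "net accounts /domain" (what is in force
    # after GPUPDATE /FORCE) and compares them with the medium-security values
    # recommended in the reply above.
    param([int]$Threshold = 10, [int]$Duration = 30, [int]$Window = 30)
    $actual = @{}
    foreach ($line in (net accounts /domain)) {
        if ($line -match '^(.+?):\s+(.+)$') { $actual[$matches[1].Trim()] = $matches[2].Trim() }
    }
    $expected = @(
        @('Lockout threshold', $Threshold),
        @('Lockout duration (minutes)', $Duration),
        @('Lockout observation window (minutes)', $Window)
    )
    foreach ($pair in $expected) {
        $name = $pair[0]; $want = $pair[1]; $have = $actual[$name]
        # "Never" on the threshold row means lockout is still disabled, i.e. the
        # policy has not applied. If you chose the high setting (duration 0) the
        # duration row will not read 30; that mismatch is expected.
        New-Object PSObject -Property @{ Setting = $name; Expected = $want; Actual = $have; Ok = ("$have" -eq "$want") } |
            Select-Object Setting, Expected, Actual, Ok
    }
}

Get-FailedLogonSources -Top 20 | Format-Table -AutoSize
Test-LockoutPolicy | Format-Table -AutoSize
```

Reading the first table: one internal workstation failing for the Administrator account with "wrong password" at a regular interval is the stale-credential case the reply describes for event 680 (a service, scheduled task, mapped drive or backup job still using an old password), and the fix is on that machine, not on the DC. Many distinct source addresses, or a run of different user names from the same address, is the guessing case for event 529, which is what the lockout threshold and the firewall review in steps 2 and 3 are for; on a server that publishes services to the internet, a working lockout policy on the built-in Administrator account also means an attacker can lock you out, so check the second table before relying on it.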

  3. Mike Webb

    Mike Webb Guest

    I'll do this and report back, thanks!

     
    Mike Webb, Apr 25, 2007
    #3
  4. Hello Mike,

    Thank you for your kind reply.

    I was just writing to say that I hope everything is going well.

    Please do not hesitate to let me know if there's anything else I can do for
    you.

    Thank you and have a nice day,

    Best regards,

    Terence Liu (MSFT)

    Microsoft CSS Online Newsgroup Support

    Get Secure! - www.microsoft.com/security

     
    Terence Liu [MSFT], Apr 26, 2007
    #4
