Failure Audit Event 529 / Account Lockout

  • Failure Audit Event 529 / Account Lockout

    Hi Guys,

    First off, I'd like to say I'm not sure where to post this question: here or security?

    One of our clients has an SBS 2003 box. For the last 2 weeks they have been plagued by multiple remote logon attempts, with Failure Audit Event ID 529 being logged and users being locked out. The event log lists:

    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: owner
    Domain: *CLIENTSDOMAIN*
    Logon Type: 10
    Logon Process: User32
    Authentication Package: Negotiate
    Workstation Name: SBS
    Caller User Name: SBS$
    Caller Domain: *CLIENTSDOMAIN*
    Caller Logon ID: (0x0,0x3E7)
    Caller Process ID: 608
    Transited Services: -
    Source Network Address: 88.247.223.164
    Source Port: 4450

    I started off by blocking the IP address on the router firewall but soon noticed that the IP address changes. I then started locking down open ports to try and work out which port it's coming in on; the only ports open are now 25 (SMTP) & 3389 (RDP).

    Is there any way I can stop this from happening? I don't want to disable the lockout policy as it would just make it easier for the trial-and-error approach to gain access. Any way to tell what it's actually coming in on? Anything clever I can do on the firewall to help prevent?

    Many thanks

    Dave

  • #2
    Re: Failure Audit Event 529 / Account Lockout

    Originally posted by QuattroDave
    Hi Guys,

    Anything clever I can do on the firewall to help prevent?

    Many thanks

    Dave

    You can block 3389..
    Caesar's cipher - 3

    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

    SFX JNRS FC U6 MNGR



    • #3
      Re: Failure Audit Event 529 / Account Lockout

      Thanks for your reply. Yes, I could block 3389 but then I wouldn't be able to remote in... Is it RDP they are trying to get in on? If so, I don't understand why various user accounts repeatedly get locked out when only my user account has RDP access...?

      Hmmm, I could do a port redirection from say 33389 to 3389... would that help??

      Many thanks

      Dave



      • #4
        Re: Failure Audit Event 529 / Account Lockout

        Yeah, they appear to be. That's what logon type 10 means.
        More info on the client IP here: http://www.projecthoneypot.org/ip_88.247.223.164
        In terms of port redirection, that may be a bit of a deterrent for the novice attacker but by far not a solution.
        I would recommend using either a secure VPN solution or RD Gateway (443), or setting up UAG with multifactor authentication and publishing the TS there.
        Caesar's cipher - 3

        ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

        SFX JNRS FC U6 MNGR
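
The reading given in reply #4 (Logon Type 10 means the failure came in over RDP), applied across many Event 529 descriptions, as an added example that is not part of the thread: it groups failures by logon type and lists the source addresses and targeted accounts. The sample events are constructed, with a placeholder domain and documentation-range addresses; the function names are hypothetical.

```python
from collections import defaultdict

# Windows logon type codes as they appear in the "Logon Type:" field.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 10: "RemoteInteractive"}

def parse_529(text):
    """Turn one Event 529 description into a dict of its 'Name: value' fields."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip()] = value.strip()
    return fields

def summarize(events):
    """Group failures by logon type; collect source addresses and target accounts."""
    summary = defaultdict(lambda: {"count": 0, "sources": set(), "users": set()})
    for text in events:
        f = parse_529(text)
        if not f.get("Logon Type", "").isdigit():
            continue  # not a logon-failure description
        entry = summary[LOGON_TYPES.get(int(f["Logon Type"]), "Other")]
        entry["count"] += 1
        entry["sources"].add(f.get("Source Network Address", "-"))
        entry["users"].add(f.get("User Name", "-").lower())
    return dict(summary)

# Constructed sample events (placeholder domain, documentation-range addresses).
TEMPLATE = """Logon Failure:
    Reason: Unknown user name or bad password
    User Name: {user}
    Domain: EXAMPLE
    Logon Type: {ltype}
    Source Network Address: {src}
    Source Port: 4450"""
SAMPLES = [TEMPLATE.format(user=u, ltype=t, src=s) for u, t, s in [
    ("owner", 10, "192.0.2.10"), ("administrator", 10, "192.0.2.10"),
    ("owner", 10, "198.51.100.7"), ("jsmith", 3, "10.0.0.25")]]

if __name__ == "__main__":
    for kind, e in summarize(SAMPLES).items():
        print(f"{kind}: {e['count']} failures from {sorted(e['sources'])} "
              f"against {sorted(e['users'])}")
```

Changing source addresses with a constant Logon Type 10 matches what the first post describes: the addresses rotate while the entry point stays the same.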



        • #5
          Re: Failure Audit Event 529 / Account Lockout

          Close 3389 and open 4125 so you can use RWW.
          BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
          Cruachan's Blog
