
Event ID 529, NTLMSSP error from a foreign computer


guardi...@yahoo.com

May 12, 2008, 11:22:36 AM
My client has MS Windows SBS 2003 and the following event is logged in
the Security log --

Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 5/5/2008
Time: 9:53:31 AM
User: NT AUTHORITY\SYSTEM
Computer: SBP01
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: OCW2K3$
Domain: OTCARR
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: OCW2K3
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -


This appears to be a failed login attempt from the system account of a
computer called "OCW2K3". There is no computer by this name on the
local network. This error occurred several times over the span of 4
days.

Questions:
1.) Is it correct to say that this is a hacking attempt from across
the internet?
2.) If it is, what kind of login attempt would it be? I've tried
fake logins to the SBS server via Remote Web Workplace, VPN, and OWA,
but have not been able to reproduce this error message.

Thanks.

Matt

Cliff Galiher

May 12, 2008, 7:37:04 PM
If you are properly firewalled then I doubt this would come across from the
outside. I'd be looking internal...an unsecured wireless access point, or
somebody plugging a laptop into an unsecured port, etc.

-Cliff



Terence Liu [MSFT]

May 14, 2008, 12:14:54 AM
Hello Matt,

Thank you for your post. Let's also thank Cliff for the good input.

According to your description, I understand that you get some 529 event
errors on your SBS server. If I have misunderstood the problem, please
don't hesitate to let me know.

Based on my research, this behavior can happen when the SBS or a client
computer is infected by a virus/worm, when the machine password is not
properly synchronized between the SBS and internal clients, or from hacker
activity guessing the password from outside. We may not be able to completely
resolve this issue, but we can reduce your SBS risk.

I suggest we try the following steps to see if we can resolve this issue:

1. Please install the latest updates and hotfixes on the SBS and all internal
clients; meanwhile, install antivirus software on all computers and do a full
scan.

2. Ensure you have a firewall before SBS. Then, only forward necessary
ports to SBS:

25 (SMTP)
443 (HTTPS)
444 (if you published Companyweb)
4125 (RWW)
1723 (if you enabled PPTP VPN)

3. Enable a complex password policy.

Note: The Password Policy needs to be configured in the Default Domain Policy.

We can configure the settings under:

Computer Configuration\Windows Settings\Security Settings\Account
Policies\Password Policy

4. Configure account lockout policy.

Generally, it is a best-practice suggestion to set the Threshold value to
10 or higher. This is high enough to rule out user error and low enough to
deter hackers, especially when the password complexity policy is enabled.

For medium security requirement, the recommended configurations are:

Reset account lockout counter after: 30
Account lockout duration: 30
Account Lockout Threshold: 10

For high security requirement, the recommendations are:

Reset account lockout counter after: 30
Account lockout duration: 0
Account Lockout Threshold: 10

For more information, please refer to:

Account Passwords and Policies
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

5. Check your firewall to ensure that only the necessary ports are opened.

6. Ensure the above settings have been successfully applied.

1) On the problematic SBS server, please run the following command to
refresh the group policy changes:

GPUPDATE /FORCE

2) Run SECPOL.MSC and check the above changed password, Account lockout and
auditing policies to see their effective settings, and ensure that the
policies have been applied successfully.

If the policies have been applied successfully, we should have enhanced the
security protection of that server.

7. The issue may occur if the remote SBS server sends broadcast packets to
the network. I suggest you change the "nolmhash" value to "0" in the
following registry key on the SBS server:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA

Reboot the server for this change to take effect and check whether the event
still appears.

8. If the event still appears, go to
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\Parameters
and set "enablesecuritysignature" and "requiresecuritysignature" to "0".
Reboot the server and check if everything is OK.

9. There are several running processes on the computer that will attempt to
connect using the machine account.

This behavior can happen when the machine password is not properly synchronized.

In order to reset the machine account password of a domain controller use:

NETDOM RESETPWD /Server:ServerName /UserD:Administrator /PasswordD:*

The syntax of this command is:

NETDOM RESETPWD /Server:domain-controller /UserD:user /PasswordD:[password | *]

NETDOM RESETPWD resets the machine account password for the domain controller
on which this command is run. Currently there is no support for resetting
the machine password of a remote machine or a member server. All parameters
must be specified.

/Server     Name of a specific domain controller that should have its
            machine account password reset.

/UserD      User account used to make the connection with the domain
            controller specified by the /Server argument.

/PasswordD  Password of the user account specified with /UserD. A *
            means to prompt for the password.

After completing the command, reboot the server.

Hope these steps will give you some help.

Thanks and have a nice day!

Best regards,

Terence Liu (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
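Matt's two questions (is this coming from outside, and what kind of logon is it?) and the three hypotheses Terence lists (infected machine, machine password out of sync, external password guessing) can be separated mechanically by grouping the 529 events by workstation name and user name. The script below is an added example for this thread, not code from either poster or from Microsoft. The event descriptions it parses are constructed to match the Event Viewer text layout quoted in the question (the first one mirrors Matt's event, the rest are hypothetical), and KNOWN_COMPUTERS is an assumed inventory of domain-joined machines.

```python
"""Triage Windows Security event 529 (NTLM network logon failures).

Added example for this thread; the sample descriptions are constructed in the
Event Viewer text format quoted above, and the inventory is assumed.
"""
import re
from collections import defaultdict


def _event(user, workstation, source="-"):
    # Builds one constructed 529 description in the exported text layout.
    return (
        "Logon Failure:\n"
        "Reason: Unknown user name or bad password\n"
        f"User Name: {user}\n"
        "Domain: OTCARR\n"
        "Logon Type: 3\n"
        "Logon Process: NtLmSsp\n"
        "Authentication Package: NTLM\n"
        f"Workstation Name: {workstation}\n"
        f"Source Network Address: {source}"
    )


# Constructed sample: the first entry mirrors the event in the question, the
# second a domain member whose own machine account is failing, and the rest a
# burst of different account names from one device (hypothetical names).
SAMPLE_EVENTS = (
    [_event("OCW2K3$", "OCW2K3"), _event("WS02$", "WS02")]
    + [_event(u, "LAPTOP-X", "192.168.1.77")
       for u in ("administrator", "admin", "root", "test", "guest", "backup")]
)

# Assumed list of computers actually joined to the domain (hypothetical).
KNOWN_COMPUTERS = {"SBP01", "WS01", "WS02"}

# One "Field: value" pair per line; [ \t]* rather than \s* so an empty value
# ("Logon Failure:") does not swallow the following line.
FIELD_RE = re.compile(r"^([A-Za-z ]+):[ \t]*(.*)$", re.M)


def parse_event(text):
    """Return the 'Field: value' pairs of one exported 529 description."""
    return {m.group(1).strip(): m.group(2).strip()
            for m in FIELD_RE.finditer(text)}


def triage(events, known_computers, guess_threshold=5):
    """Group NtLmSsp type-3 failures by workstation and attach a hypothesis.

    The workstation name in an NTLM logon is supplied by the client, so it is
    a label for grouping, not proof of which machine sent the traffic.
    """
    by_ws = defaultdict(list)
    for e in map(parse_event, events):
        if e.get("Logon Process") != "NtLmSsp" or e.get("Logon Type") != "3":
            continue
        by_ws[e.get("Workstation Name", "-")].append(e)

    verdicts = {}
    for ws, evs in by_ws.items():
        users = {e["User Name"] for e in evs}
        machine_accounts = {u for u in users if u.endswith("$")}
        if len(users) >= guess_threshold:
            # Many different account names from one source: password guessing.
            verdicts[ws] = "password guessing"
        elif machine_accounts and ws.upper() in known_computers:
            # A known member's own computer account is being rejected:
            # secure channel / machine password out of sync.
            verdicts[ws] = "machine password out of sync"
        elif machine_accounts:
            # A computer account the domain does not know, from a name not in
            # the inventory: stale join, rogue device, or a spoofed name.
            verdicts[ws] = "unknown computer presenting a machine account"
        else:
            verdicts[ws] = "isolated user logon failure"
    return verdicts


def without_source_address(events):
    """Workstations whose events carry no source address ('-').

    For these the event log alone cannot say whether the client was internal
    or external; firewall or switch logs are needed to locate it.
    """
    return {e["Workstation Name"] for e in map(parse_event, events)
            if e.get("Source Network Address", "-") == "-"}


if __name__ == "__main__":
    for ws, verdict in triage(SAMPLE_EVENTS, KNOWN_COMPUTERS).items():
        print(f"{ws:10} {verdict}")
    print("no source address:", sorted(without_source_address(SAMPLE_EVENTS)))
```

On the sample data, OCW2K3 (a machine account from a name not in the inventory) lands in the "unknown computer" bucket, which is exactly the case Matt describes, and the script also reports that its events carry no Source Network Address, so the log by itself cannot settle the internal-versus-external question. On a host with Windows PowerShell the description text can be pulled with `Get-EventLog -LogName Security -InstanceId 529 | ForEach-Object Message` and fed to parse_event line for line.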

