event id 529 logon failure

[dave]

on a windows 2000 server sp3 with exchange 5.5 am
receiving in the security event log id 529 logon failure.
the user's on these are users that don't exist in our
domain. MS tech support says this could be caused by the
sp3 and some hotfixes and not an intrusion attempt. Has
anybody experienced this and what was the solution to the
problem?

 

[Steven L Umbach]

Here is a link to a user describing this happening to him that results from other
Exchange servers showing up in his security log in Event ID 529. You may also want to
post in an Exchange newsgroup to see if Exchange gurus have seen this.

http://www.examnotes.net/archive78-2004-3-77611.html -- no solution though.

Otherwise verify that your firewall is configured correctly in that it allows only
authorized uninitiated traffic through it from the internet - if any. The best way
would be to scan from the internet your self. You can use one of the self scan sites
for a quick check such as http://scan.sygatetech.com/ . In particular ports 23, 139
and 445 open would be a high risk vulnerability and port 3389 used for Terminal
Services can also be a backdoor. It is a good idea to have an account lockout policy
for the domain with a threshold of no less than ten. Failed logons in the security
log along with unexplained account lockouts can be an indication of hacking
ttempts. --- Steve