event id 529 logon type 3 - lots of them

Gary Massengale

I saw a ton of these, all early this morning, during a short period of time,
before most users are even in the office.

Is there any way I can find out where this is coming from? What
workstation, or if it is over the internet?

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 4/26/2005
Time: 6:44:06 AM
User: NT AUTHORITY\SYSTEM
Computer: myserver
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: connect
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: myserver
 
Steven L Umbach

What server applications were running on this server - IIS, Exchange? From
what you describe it probably was from an external source, and if your
firewall logs network traffic you may want to see if you see a lot of
activity from a particular IP address at the times that these failed logon
events were recorded. If you have auditing of account logon events enabled
in Domain Controller Security policy you would want to check the security
logs of the domain controllers to see if there are any failures for account
logon events at the same times that may give more information, including
computer name. I have seen other posts with similar behavior, and when
Logon Process: Advapi was shown it was often an Exchange server. Be sure
to check your firewall for proper configuration, and you can go to a self
scan site such as http://scan.sygatetech.com/ to see if your firewall
security configuration looks to be what is expected.

--- Steve
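
An added example, not part of the original posts: one way to do the correlation suggested above, matching the times of Event ID 529 / Logon Type 3 failures against firewall log entries and counting the source addresses seen around them. Both inputs are constructed samples, and the firewall log layout and the function names are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample export, same "Field: value" layout as the quoted event.
EVENTS = """\
Event ID: 529
Date: 4/26/2005
Time: 6:44:06 AM
Logon Type: 3

Event ID: 529
Date: 4/26/2005
Time: 6:44:09 AM
Logon Type: 3

Event ID: 529
Date: 4/26/2005
Time: 8:30:00 AM
Logon Type: 2
"""

# Constructed firewall log; assumed layout: date time action src_ip dst_port
FIREWALL = """\
2005-04-26 06:44:05 ALLOW 203.0.113.7 25
2005-04-26 06:44:08 ALLOW 203.0.113.7 25
2005-04-26 06:44:10 ALLOW 198.51.100.20 80
2005-04-26 09:15:00 ALLOW 198.51.100.20 80
"""

def failed_logons(text, logon_type="3"):
    """Timestamps of Event ID 529 records with the given logon type."""
    stamps = []
    for record in re.split(r"\n\s*\n", text.strip()):
        f = {k.strip(): v.strip() for k, v in re.findall(r"^([^:\n]+):(.*)$", record, re.M)}
        if f.get("Event ID") == "529" and f.get("Logon Type") == logon_type:
            stamps.append(datetime.strptime(f["Date"] + " " + f["Time"], "%m/%d/%Y %I:%M:%S %p"))
    return stamps

def sources_near(stamps, fw_text, slack=timedelta(seconds=5)):
    """Count firewall source IPs logged within `slack` of any failed logon."""
    hits = Counter()
    for parts in map(str.split, fw_text.splitlines()):
        if len(parts) != 5:
            continue  # line does not match the assumed layout
        when = datetime.strptime(" ".join(parts[:2]), "%Y-%m-%d %H:%M:%S")
        if any(abs(when - s) <= slack for s in stamps):
            hits[parts[3]] += 1
    return hits
```

Widen `slack` if the server and firewall clocks are not synchronized; `sources_near(failed_logons(EVENTS), FIREWALL).most_common()` lists the addresses most often seen around the failures.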
 
