Event id 529

Guest

Hello to All:
Problem:
No domain controllers, just Windows XP machines in a workgroup connected to
the Internet behind a secure DMZ, firewall, and proxy server. I have listed
just a couple of the machines in the workgroup, but there are about half a
dozen more in the workgroup that show up in the event log with event ID 529
as shown below.

I set up a brand new PC right out of the box and, as you can guess, a day
later it shows up in my security logs (event ID 529). All PCs, including
mine, are XP boxes.

This occurs on a daily basis, at least 7 or 8 times a day with different
PCs in the workgroup. It is not causing a problem, but from a technical
view I would like to know why this is happening.

Virus defs are set to update 3 times a day. Virus scans are done once in
the morning and once in the evening. Windows updates are applied on a
regular basis.

I have been over my system with a fine-tooth comb and found nothing. I have
read several threads from a Google search that are experiencing the same
problem, but no solid solution. Of course every network is different. The only
common denominator is the Microsoft OS (XP, W2K, etc.).

As one of the network admins here with the company, with 10 years in the
network support field (MCSE, A+ certified, CCNA), I'm pretty sure I do not
have an application installed that says "hey, come and log on to my PC, why
don't ya".

My fellow techies of the world, am I missing something here? Thanks

1.)
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 7/10/2007
Time: 1:40:25 PM
User: NT AUTHORITY\SYSTEM
Computer: HMORRISPC
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: jbauch
Domain: JBAUCHPCC
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: JBAUCHPCC

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

------------------------------------------------------------------------------------------
2.)
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 7/9/2007
Time: 4:48:48 PM
User: NT AUTHORITY\SYSTEM
Computer: HMORRISPC
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Emily
Domain: EMISRACHPC
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: EMISRACHPC

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
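An added example (not code from the original post or from any Microsoft tool): a small Python script that parses exported 529 entries in the layout shown above and groups them by calling workstation, so that a day's worth of failures reduces to which PC is presenting which account, how often, and between what times. The embedded sample is constructed: it contains the two events from the post plus a hypothetical third entry from JBAUCHPCC the next morning so that grouping has something to show. The logon type names are the documented Windows logon type codes. The script also flags the pattern visible in both posted events, where the Domain field equals the Workstation Name: in a workgroup that means the caller presented an account from its own local account database, which the target (HMORRISPC) then reports as unknown user name or bad password.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the two 529 entries from the post, plus a third,
# hypothetical repeat from JBAUCHPCC the next morning (trimmed to the fields the
# parser needs) so that grouping has something to show.
SAMPLE_EVENTS = r"""
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 7/10/2007
Time: 1:40:25 PM
User: NT AUTHORITY\SYSTEM
Computer: HMORRISPC
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: jbauch
Domain: JBAUCHPCC
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: JBAUCHPCC
----------
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 7/9/2007
Time: 4:48:48 PM
User: NT AUTHORITY\SYSTEM
Computer: HMORRISPC
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Emily
Domain: EMISRACHPC
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: EMISRACHPC
----------
Event ID: 529
Date: 7/11/2007
Time: 8:02:11 AM
Computer: HMORRISPC
User Name: jbauch
Domain: JBAUCHPCC
Logon Type: 3
Workstation Name: JBAUCHPCC
"""

RECORD_SEP = re.compile(r"^-{3,}\s*$", re.M)      # the ----- lines between entries
FIELD = re.compile(r"^([A-Za-z ]+):\s*(.*)$")      # "Key: value"

# Logon type codes as documented for the 528/529 events (3 = network logon,
# i.e. the caller came in over the network, which is what NtLmSsp handles).
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive"}

def parse_events(text):
    """Split an exported Security log into records; return one dict per 529 event."""
    events = []
    for chunk in RECORD_SEP.split(text):
        rec = {}
        for line in chunk.splitlines():
            m = FIELD.match(line.strip())
            if m and m.group(2):                  # skip "Description:" style headers
                rec[m.group(1)] = m.group(2)
        if rec.get("Event ID") != "529":
            continue
        rec["timestamp"] = datetime.strptime(rec["Date"] + " " + rec["Time"],
                                             "%m/%d/%Y %I:%M:%S %p")
        rec["logon_type_name"] = LOGON_TYPES.get(int(rec["Logon Type"]), "Unknown")
        events.append(rec)
    return events

def summarize(events):
    """Group failures by (calling workstation, domain, account).  In a workgroup a
    Domain equal to the Workstation Name means the caller presented an account
    from its own local account database, not one defined on the target."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for e in events:
        g = groups[(e["Workstation Name"], e["Domain"], e["User Name"])]
        ts = e["timestamp"]
        g["count"] += 1
        g["first"] = ts if g["first"] is None or ts < g["first"] else g["first"]
        g["last"] = ts if g["last"] is None or ts > g["last"] else g["last"]
        g["logon_type"] = e["logon_type_name"]
        g["callers_local_account"] = e["Domain"].upper() == e["Workstation Name"].upper()
    return dict(groups)

if __name__ == "__main__":
    for (ws, dom, user), g in sorted(summarize(parse_events(SAMPLE_EVENTS)).items()):
        print(f"{ws:11} {dom}\\{user:7} x{g['count']} {g['logon_type']} "
              f"local-account-of-caller={g['callers_local_account']} "
              f"{g['first']:%m/%d %H:%M}..{g['last']:%m/%d %H:%M}")
```

Point it at a text export of the Security log instead of the embedded sample to get the per-caller picture across all the workgroup PCs; the first/last timestamps per group give the windows to look at in whatever packet capture or firewall log is collected next.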
 
J

Jose

10 years of experience huh? :)

Saw such a thing once when my XP box was connected directly to the Internet
without an intermediate router/firewall+NAT device. I guess these are
infected Windows boxes on the Internet scanning for other vulnerable boxes
and trying to log in with some standard/random usernames/passwords.

Are your machines accessible through the Internet? Don't ask me - you should
know better. What comes to my mind for troubleshooting this is to enable
Windows Firewall, enable logging and, after a 529 event appears, take a look
in the firewall log to see where it is coming from. Of course, you could do
that with any sniffer/packet capturing tool like Ethereal or Network
Monitor, but I think as a first step Windows Firewall would be easier to
use.

After you see the source of this request, maybe this situation will clear
out or maybe you will be able to decide on additional troubleshooting steps.
 
Guest

Hi Jose :)
> Are your machines accessible through the Internet? Don't ask me - you should
> know better.

No I won't ask you !!!

The machines are not accessible from the Internet. There is this little
thing called an ACL that only allows connections that are "established" from an
inside source. Everything else gets "dropped". Yeah, I took a look at the
pfirewall.log before posting and nothing. I don't have access to my Network
Observer software at the moment, but that will be my next step.

Thanks for asking though.
--
Harv-man
Network Support

Jose

Just to be sure, did you enable logging of both dropped packets and
successful connections in Windows Firewall? If you did and pfirewall.log is
still empty, then I guess you could use a packet sniffer (I mentioned a few in
my last post, but I'm sure you have used them before). You will need to
look for these ports - they are used for user network logon:
- Microsoft-DS traffic (445/tcp, 445/udp)
- Kerberos authentication protocol (88/tcp, 88/udp)
- Lightweight Directory Access Protocol (LDAP) ping (389/udp)

Of course, in the beginning it would be good for you to see what the
networked user logon pattern looks like, i.e. start the sniffer (or log packets
with a firewall or any other means) on machine A and try to log on to it from
machine B.

By the way, I guess Network Observer is some software installed on your
firewall that is protecting you from the Internet? However, this way you
won't see any activity that is going on in your internal network, unless bad
guys on the internal network try to connect outside too and you log all TCP
SYN packets arriving from the internal net. So a network sniffer on your
internal network would be the ultimate solution for catching bad guys ;)

If you succeed in identifying the problem, please let us all know - I'm very
thrilled ;)
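An added example to go with the firewall-log step Jose describes (it is not code from the thread or from Windows): parse pfirewall.log, keep the inbound TCP connections on the ports a workgroup network logon arrives on (445 direct-hosted SMB and 139 NetBIOS session), and, for each 529 "Date Time" as the event log prints it, list the source addresses that opened such a connection in the seconds before the event. Column names are taken from the log's own #Fields header line (the XP SP2 Windows Firewall format) rather than assumed positions. The sample lines, their private addresses and the 30-second window are all constructed assumptions. As noted above, logging of successful connections has to be on; otherwise only DROP lines ever appear in the log and an allowed inbound logon leaves no OPEN-INBOUND line to correlate.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the XP SP2 Windows Firewall log format (pfirewall.log).
# Addresses and times are made up; 192.168.1.10 plays the part of the PC that
# recorded the 529 events, and the two OPEN-INBOUND lines at 16:48:47 and
# 13:40:23 sit just before the timestamps of the two events in the thread.
SAMPLE_PFIREWALL_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2007-07-09 16:48:47 OPEN-INBOUND TCP 192.168.1.61 192.168.1.10 1033 445 - - - - - - - - RECEIVE
2007-07-09 16:55:10 DROP UDP 192.168.1.61 192.168.1.255 137 137 78 - - - - - - - RECEIVE
2007-07-10 13:40:23 OPEN-INBOUND TCP 192.168.1.57 192.168.1.10 1091 445 - - - - - - - - RECEIVE
2007-07-10 13:40:25 CLOSE TCP 192.168.1.57 192.168.1.10 1091 445 - - - - - - - - -
2007-07-10 13:41:02 OPEN TCP 192.168.1.10 10.0.0.5 1100 80 - - - - - - - - -
2007-07-10 13:52:40 OPEN-INBOUND TCP 192.168.1.57 192.168.1.10 1097 139 - - - - - - - - RECEIVE
"""

# Ports on which an SMB/NTLM network logon (event 529, logon type 3) reaches the
# target in a workgroup: direct-hosted SMB and the NetBIOS session service.
LOGON_PORTS = {445, 139}

def parse_pfirewall_log(text):
    """Return one dict per data line, using the #Fields header for column names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue          # header missing, or a truncated/partial line
        row = dict(zip(fields, parts))
        row["timestamp"] = datetime.strptime(f"{row['date']} {row['time']}",
                                             "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows

def inbound_logon_connections(rows):
    """Inbound TCP connections to a logon port.  Both allowed (OPEN-INBOUND) and
    blocked (DROP) inbound lines carry path RECEIVE, so either kind is kept."""
    return [r for r in rows
            if r["protocol"] == "TCP"
            and r["dst-port"].isdigit() and int(r["dst-port"]) in LOGON_PORTS
            and r["path"] == "RECEIVE"]

def correlate(rows, event_times, window_seconds=30):
    """Map each 529 'Date Time' string, written the way the event log prints it
    (e.g. '7/10/2007 1:40:25 PM'), to the source IPs that opened an inbound
    logon-port connection within window_seconds before that event."""
    inbound = inbound_logon_connections(rows)
    window = timedelta(seconds=window_seconds)
    hits = {}
    for text in event_times:
        ts = datetime.strptime(text, "%m/%d/%Y %I:%M:%S %p")
        hits[text] = sorted({r["src-ip"] for r in inbound
                             if ts - window <= r["timestamp"] <= ts})
    return hits

def sources_by_count(rows):
    """How many inbound logon-port connections each source address made."""
    return Counter(r["src-ip"] for r in inbound_logon_connections(rows)).most_common()

if __name__ == "__main__":
    rows = parse_pfirewall_log(SAMPLE_PFIREWALL_LOG)
    events = ["7/9/2007 4:48:48 PM", "7/10/2007 1:40:25 PM"]
    for event, ips in correlate(rows, events).items():
        print(f"529 at {event}: inbound SMB from {', '.join(ips) or 'nothing logged'}")
    for ip, n in sources_by_count(rows):
        print(f"{ip}: {n} inbound connection(s) to ports {sorted(LOGON_PORTS)}")
```

The firewall log only says which address connected, not which account it offered; the Workstation Name in the 529 event is the caller's own claim, so matching the address against that name (or resolving it) is the check that ties the two records to the same workgroup PC.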