Security Event ID 529 & 681 / source= outside domains

Tim S.

I have a Windows 2000 network running in mixed mode
(mostly WIN2K servers) and all WIN2K desktops. We are a
state agency that is part of the larger state's forest. I
imported and implemented the securedc.inf group security
policy on the network two days ago. Now I notice that
some of my WIN2K servers are generating Security Event
IDs 529 and 681 in the Event logs. I found out that these
events are recording unsuccessful authentications /
logins. They were probably happening all along but the new
group policy is recording them. The problem is that all of
these events (529 and 681) are being generated by two
servers outside of my domain. I spoke with the admins for
the other domains and they have no idea what is going on.
They say these servers are secured in server rooms with
restricted access, so I am guessing that someone is not
trying to hack into my network. The domains involved have
no relationship with our agency, and although I can see the
domains in Network Neighborhood I do not have access to
them and vice versa. My question is: what is happening, and
why only these two servers? There are over 1000 servers
in the forest, so there must be something configured
incorrectly on these two; otherwise, why wouldn't the other
servers be generating the events as well? The logs are
listed below.

/21/2004 11:36:37 AM Security
Failure Audit Logon/Logoff 529 NT AUTHORITY\SYSTEM
TEST_REGION123 "Logon Failure:
Reason: Unknown user name or bad password
User Name: SVC_Profile
Domain: EPS
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: EPS-INF-PAR-001 "

4/21/2004 11:36:37 AM Security
Failure Audit Account Logon 681 NT AUTHORITY\SYSTEM
TEST_REGION123 The logon to account: SVC_Profile
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: EPS-INF-PAR-001
failed. The error code was: 3221225572

Steven L Umbach

Very hard to say why when you cannot examine those remote machines
yourself. Just because they are locked away is no reason for the other
domain admins to assume those computers are not compromised. Locked up
computers are compromised through a network connection all the time, though
it does not mean they are compromised. Possibly there could be a
misconfigured/old mapped drive or some sort of a script/application running
including wrong computers as targets for action. Since you have no power in
that domain there is not much you can do unless there is a higher authority
to appeal to. At the very least the other domain admins should check Event
Viewer on those two servers for any pertinent errors, review configuration,
and check that virus definitions are current and there are regular virus
scans.

Based on the name of the user being used in your failed logons, it does not
appear to be a concerted hack attempt which would usually use the
administrator account or other legitimate user name. Usually in hacks, the
passwords are bad and not the user name unless they are trying to guess a
renamed administrator account or the hacker is confident they have a good
password.

If the user name in the failed attempts does not change and the events show
consistently on the same computers, I doubt you have too much to worry about
except being annoyed. You may want to ask that domain admin if the user name
being used is familiar to him; it may help jog his memory. --- Steve
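Steve's test (same user name, same source workstation, over and over) can be applied mechanically to the text-format events Tim pasted. The script below is an added example, not code from the thread: it parses event 681 entries, decodes the "error code" field from its decimal NTSTATUS value (the 3221225572 in Tim's log is 0xC0000064, STATUS_NO_SUCH_USER, meaning the account does not exist in the domain being queried, rather than a bad password), and groups failures per user and workstation. The sample log is constructed from the 681 event quoted above plus two made-up entries; EXAMPLE-HOST is a placeholder name.

```python
import re
from collections import Counter

# NTSTATUS values as event 681 prints them (decimal); standard Windows constants.
NTSTATUS = {
    3221225572: "NO_SUCH_USER",        # 0xC0000064: user name does not exist in this domain
    3221225578: "WRONG_PASSWORD",      # 0xC000006A: account exists, password was bad
    3221226036: "ACCOUNT_LOCKED_OUT",  # 0xC0000234
}

# Constructed sample (date/header lines omitted): the 681 event from the thread,
# a repeat of it, and a made-up bad-password attempt against Administrator.
SAMPLE_LOG = """\
TEST_REGION123 The logon to account: SVC_Profile
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: EPS-INF-PAR-001
failed. The error code was: 3221225572
TEST_REGION123 The logon to account: SVC_Profile
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: EPS-INF-PAR-001
failed. The error code was: 3221225572
TEST_REGION123 The logon to account: Administrator
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: EXAMPLE-HOST
failed. The error code was: 3221225578
"""

EVENT_681 = re.compile(
    r"The logon to account:\s*(?P<user>\S+)\s+by:\s*\S+\s+"
    r"from workstation:\s*(?P<ws>\S+)\s+failed\. The error code was:\s*(?P<code>\d+)"
)

def parse_681(text):
    """Return (user, workstation, status) for every event 681 found in text."""
    return [(m["user"], m["ws"], NTSTATUS.get(int(m["code"]), "0x%08X" % int(m["code"])))
            for m in EVENT_681.finditer(text)]

def triage(text):
    """Count failures per (user, workstation) and attach a defender's reading."""
    report = {}
    for (user, ws, status), n in Counter(parse_681(text)).items():
        if status == "NO_SUCH_USER":
            verdict = "account does not exist here: stale mapping, script or service config"
        elif status == "WRONG_PASSWORD":
            verdict = "real account, bad password: watch for guessing across many sources"
        else:
            verdict = "review"
        report[(user, ws)] = (status, n, verdict)
    return report
```

Running `triage(SAMPLE_LOG)` separates the repeating SVC_Profile / EPS-INF-PAR-001 pair (nonexistent account, the pattern Steve attributes to a misconfigured job) from the single bad-password attempt against an existing account.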