Domain Security

Thread starter: Guest
I currently have a domain with 30 clients. Recently one of the users somehow
ran across the Administrative Tools in the Control Panel on their Windows
XP Professional machines. They happened to look in the Event Viewer (not a
place a user should be in this case). He happened to see a couple of Failure
Audits, mainly at the same time he goes to lunch. It's event ID 529. He then
proceeded to tell all the people, except for the person whose name is in the
event. As it turns out, only 3 workstations have this issue: Human
Resources, Payroll, and the owner of the company. Now it's become a question
of "is he trying to hack us?". According to most Microsoft answers, it's
nothing to be worried about, but now they want a better answer. I do not
have an answer for this. Can someone help me out?
 
Let me mention that it is one user in the failure audit. Both his workstation
and his laptop are showing up. All the systems that have this error are
running SP2 with all the security updates.


http://www.windowsitpro.com/Article/ArticleID/38309/38309.html

http://www.eventid.net/display.asp?eventid=529&eventno=1&source=Security&phase=1

http://www.experts-exchange.com/Security/Win_Security/Q_20903608.html
 
Thank you for your reply. I have read all these articles, but I still have
the CEO of the company breathing down my neck for answers. He doesn't want
to hear "Microsoft says it's something that can be ignored".
I have to come up with something :)

Thanks in advance.
 
Could you post the content of the Event, obfuscating anything sensitive?
It could help to have some more specifics about what user type and
which services are reacting.
 
What exactly IS the CEO looking for? Microsoft made the software and on the
whole are in the best place to give a definitive answer on how it works?

--
Rob Moir, MS MVP
Blog Site - http://www.robertmoir.com
Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html
I'm always surprised at "professionals" who STILL have to be asked "Have you
checked (event viewer / syslog)".
 
What computers are showing the logon failures - the three you mention? If
you see logon failures in the security log of a computer that show a
username and source computer, then that may mean that someone is trying to
log on using another user's credentials from the computer specified. What is
the logon type - 1, 3, or 10 maybe? It would help if you can post one of
those events. There were issues pre-SP2 with event ID 529 being recorded
with no malicious activity, but that would generally not be limited to a
single user. --- Steve
 
 
Type: Failure Audit    Event ID: 529
User: NT AUTHORITY\SYSTEM
Username: Administrator
Computer: XXXX
Reason: Unknown user name or bad password
Domain: XXXXXX
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: Microsoft_Authentication_package_v1_0
Workstation Name: John Doe

*The CEO is in a panic because the person that the Event Viewer is showing is
"untrusted", or in other words, too good at his job to let go. The person
whose name is showing up is also their web developer, possibly running IIS on
his machine.
Thanks for any help. I have to get this guy off of my rear and get on with
other things that need to be done.
 
Well, according to the event, someone is trying to access the computer as
Administrator via the network from the computer "John Doe" and failed, probably
because they did not know the correct password. So I don't know how you
think "Administrator" is a particular individual. If these failed logons are
not persistent and numerous I would not worry too much about it [assuming
you enforce use of strong passwords], and IMHO they do not necessarily prove a
whole lot other than maybe someone was curious about accessing another
computer, which should not happen with decent security precautions. Sometimes
it is just best to question someone, as in "do you have any idea why I am
seeing failed logon attempts to the Administrator account on computer x from
your computer?", and then the problem may go away as soon as the person knows
that you are being vigilant with the security logs. On the other hand, if he
wrongly or incorrectly fires [poor evidence or documentation] someone, he
could have a lawsuit on his hands. If the user in question [or a user
impersonating him], however, is truly determined to obtain confidential
data, you may have a problem on your hands, and the user may be more careful
next time and try other means. So always be vigilant. --- Steve
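Steve's triage rule above ("not persistent and numerous" versus a real guessing attempt) is easy to apply by hand to one event, but not to a month of logs from three machines. The following script is an added example for this thread, not code from any of the posts: it groups Logon Type 3 / NtLmSsp 529 failures by (source workstation, target computer, target account) and labels each group as a burst (many failures in a short window), periodic (one failure a day at the same hour, the lunch-time pattern JPrice describes) or sporadic. The record field names, the hostnames WEBDEV, HR-PC and LAB-7, the timestamps and the thresholds are all this example's own assumptions; the sample records are constructed, not real log data.

```python
"""Triage Windows XP/2003 security event 529 (logon failure) records.

Added example for this thread, not code from the original posts. The event
records are constructed here in the field layout JPrice posted (Username,
Logon Type, Logon Process, Workstation Name) plus a timestamp; the key
names, hostnames and the thresholds below are this example's assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Finding:
    source_workstation: str   # machine the logon attempt came from
    target_computer: str      # machine that logged the failure
    target_user: str          # account name that failed to authenticate
    count: int                # total failures for this triple
    peak_in_window: int       # most failures seen inside one burst window
    days_seen: int            # distinct calendar days with a failure
    verdict: str              # "burst", "periodic" or "sporadic"


def parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def peak_in_window(times, window):
    """Largest number of events falling inside any interval of length window.

    times must be sorted ascending; a two-pointer sweep keeps this O(n).
    """
    peak, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def triage_529(events, window=timedelta(minutes=5), burst_threshold=10):
    """Group 529 failures by (source, target host, account) and classify.

    burst:    >= burst_threshold failures inside one window (guessing)
    periodic: exactly one failure per day, same hour, two or more days
              (a stored or cached credential retried by some process)
    sporadic: anything else (a typo, a one-off curiosity)
    Only Logon Type 3 (network) events are considered, matching the
    thread's event; interactive failures are left for separate review.
    """
    buckets = defaultdict(list)
    for e in events:
        if e["event_id"] != 529 or e["logon_type"] != 3:
            continue
        key = (e["workstation"], e["computer"], e["user"])
        buckets[key].append(parse_time(e["time"]))

    findings = []
    for (src, dst, user), times in sorted(buckets.items()):
        times.sort()
        peak = peak_in_window(times, window)
        days = len({t.date() for t in times})
        hours = {t.hour for t in times}
        if peak >= burst_threshold:
            verdict = "burst"
        elif days >= 2 and len(hours) == 1 and len(times) == days:
            verdict = "periodic"
        else:
            verdict = "sporadic"
        findings.append(Finding(src, dst, user, len(times), peak, days, verdict))
    return findings


def make_event(time, user, workstation, computer, logon_type=3):
    """Build one record in the shape of the event JPrice posted (assumed keys)."""
    return {"time": time, "event_id": 529, "user": user, "domain": "CORP",
            "logon_type": logon_type, "logon_process": "NtLmSsp",
            "workstation": workstation, "computer": computer}


# Constructed sample: one failure a day at lunch from WEBDEV against the
# built-in Administrator on HR-PC (the thread's pattern), an interactive
# failure that is filtered out, and a burst of thirty failures in thirty
# seconds from LAB-7 against the same account (what guessing looks like).
SAMPLE_EVENTS = [
    make_event("2005-03-01 12:02:11", "Administrator", "WEBDEV", "HR-PC"),
    make_event("2005-03-02 12:05:48", "Administrator", "WEBDEV", "HR-PC"),
    make_event("2005-03-03 12:01:09", "Administrator", "WEBDEV", "HR-PC"),
    make_event("2005-03-03 09:14:00", "jsmith", "PAYROLL-PC", "PAYROLL-PC", 2),
] + [
    make_event(f"2005-03-03 22:30:{s:02d}", "Administrator", "LAB-7", "HR-PC")
    for s in range(30)
]


def summarize(events=SAMPLE_EVENTS):
    """Return {verdict: [(source, target, user), ...]} for quick reading."""
    out = defaultdict(list)
    for f in triage_529(events):
        out[f.verdict].append((f.source_workstation, f.target_computer, f.target_user))
    return dict(out)


if __name__ == "__main__":
    for f in triage_529(SAMPLE_EVENTS):
        print(f"{f.verdict:9s} {f.source_workstation} -> {f.target_computer} "
              f"as {f.target_user}: {f.count} failures, peak {f.peak_in_window} "
              f"in 5 min over {f.days_seen} day(s)")
```

A "periodic" verdict is what a retried stored credential looks like and is the thing to explain rather than escalate; a "burst" against Administrator from a single source is the case where you pull the source machine and talk to its owner with the log in hand. The thresholds are deliberately conservative; tune them to the volume you actually see before relying on the labels.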
 
Thanks Steve,
I will do what I can to take care of this issue.
Thanks again,

 
Turns out that it is nothing.
After talking to the user, it seems that every time he would click on
"Network Neighborhood" it would send this error to workstations. Must be a
bug somewhere in Microsoft. I will look for some kind of fix.
Thanks to those who helped.

 
Weird. Thanks for reporting back what you found, and glad it is not anything
much to worry about. --- Steve
 
Is the user logging in as Administrator on the system he's using? If so, I
assume that the Administrator account on each system that's recording the
error when he clicks Network Neighborhood has a different Administrator
password. If all of that is the case, then it's no bug, it's standard
behavior for Microsoft Windows products, and also extremely bad practice.

Furthermore, a Windows 529 error is a bad username or password error, and a
Type 3 indicates an error in network access, i.e. failure to map a drive
share or shared printer. I've also seen these types of errors in copious
amounts when polling is enabled with SQL Enterprise Manager and the SQL
server is set up with SQL-only accounts and no AD or local system account that
matches the SQL username and password. Polling will attempt to map a network
resource (I'm assuming it's a drive share) and then generate about 5-15 login
failures every 10 seconds without ever informing the person running SQL
Enterprise Manager.

Joseph