error 529 Unknown user domain etc HELP

brandt1971

ntlmssp security log
I am running a web server on a domain and have all ports
closed except remote desktop and web. I am receiving
event id 529 from unknown user domain and workstation. I
have all service packs and security updates installed and
guest account disabled and admin account renamed. Any
suggestions???? Wondering if someone has breached my domain
or is on my network. Please Help
 
Make sure that you have file and print sharing disabled on that server, at least on
the external adapter. Another suggestion is to run the IIS Lockdown tool on your
server if you have not done such yet. However make sure that you back up the server
first including the System State and the IIS configuration in the IIS Management
Console. These attempts could be someone trying to log on to you via Terminal
Services/RDP. If possible configure RDP to allow access from only authorized IP
addresses instead of the whole world. You also could put a block rule in the firewall
for the particular computer IP address trying to gain access if they seem to be
persistent.

If possible try to use RDP through a VPN server on your network instead, ideally
using and allowing only L2TP connections as L2TP requires computer authentication via
certificate before a user can even attempt to connect. You may not necessarily have
been hacked but keep a close eye on your security log for what looks like
unauthorized access or further attempts and implement an account lockout policy but
do not set the threshold too low. A setting of no less than ten with a reset interval
of ten minutes will still go a long way to protect your network. --- Steve

http://www.microsoft.com/windows2000/downloads/recommended/iislockdown/default.asp
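
One way to act on the advice to keep a close eye on the security log, as an added example that is not part of the original thread: it counts event 529 failures per source in a ten-minute sliding window and flags any source that reaches ten, mirroring the lockout numbers suggested above. The comma-separated export layout, the field order and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10                  # failures per source, as in the lockout advice above
WINDOW = timedelta(minutes=10)  # same length as the suggested reset interval
LOGON_TYPES = {"2": "interactive", "3": "network", "10": "remote interactive (RDP)"}

def parse_line(line):
    """Split one line of the assumed export: time,event_id,user,logon_type,workstation,source_ip."""
    ts, event_id, user, ltype, wks, ip = (f.strip() for f in line.split(","))
    return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "id": event_id,
            "user": user, "type": LOGON_TYPES.get(ltype, "type " + ltype),
            # Fall back to the workstation name, then "unknown", when no address was logged.
            "source": ip or wks or "unknown"}

def find_bursts(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {source: summary} for each source with >= threshold 529 events inside one window."""
    recent = defaultdict(deque)   # source -> events still inside the sliding window
    flagged = {}
    for ev in sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["time"]):
        if ev["id"] != "529":     # 529 = logon failure, unknown user name or bad password
            continue
        q = recent[ev["source"]]
        q.append(ev)
        while ev["time"] - q[0]["time"] > window:
            q.popleft()           # drop failures older than the window
        if len(q) >= threshold:
            s = flagged.setdefault(ev["source"], {"peak": 0, "users": set(), "types": set()})
            s["peak"] = max(s["peak"], len(q))
            s["users"].update(e["user"] for e in q)
            s["types"].update(e["type"] for e in q)
    return flagged

# Constructed sample: 12 RDP failures in under six minutes from one address,
# three scattered network-logon failures from another, and one successful logon (528).
SAMPLE = [f"2004-03-01 02:{i // 2:02d}:{i % 2 * 30:02d},529,user{i % 3},10,,203.0.113.7"
          for i in range(12)]
SAMPLE += [f"2004-03-01 0{h}:15:00,529,guest,3,WKS-OLD,198.51.100.20" for h in (1, 3, 5)]
SAMPLE.append("2004-03-01 02:10:00,528,webadmin,10,,192.0.2.10")

if __name__ == "__main__":
    for src, s in find_bursts(SAMPLE).items():
        print(src, s["peak"], sorted(s["types"]), sorted(s["users"]))
```

A flagged source with logon type 10 points at Terminal Services/RDP attempts, while type 3 points at network logons; either is a candidate for the firewall block rule mentioned above.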
 