[There's a reason that Yoda is the unofficial mascot of SBS.  Size indeed matters not.] Event 529s I'm ready for Ya - THE OFFICIAL BLOG OF THE SBS DIVA
Mon, Jan 31 2005 21:09 bradley

Event 529s I'm ready for Ya

I'm stealing an idea from Jeff Meager in the newsgroup.... he said....

I decided to make an alert that informed you when too many bad username and password attempts had been made. You will need to customise it to the size of your company, but it's too easy.

Copy and paste the account lockout Health Monitor item. Change and rename it. Change the event ID to 529, which is the incorrect username and password one. Set the number of incidences before alerting to something that would signify an attack, rather than legitimate bad typing by a user. The default is to email you about it and flag it as critical.

If you have the facility to do email > sms you could have it SMS you!

Hey, that sounds pretty cool. Knowing that I looked over my own event logs and didn't see too many 529s except when I fat-fingered my own passwords, I thought I'd set this up. You can either do what Jeff says or set up your own monitor.

Remote into the server, then Start, All Programs, Administrative Tools, Health Monitor.

Wow, look at all those things being tracked.  Remember SeanDaniel.com's blog post about how SBS got monitoring in the first place?

So under Core Server Alerts I set up a new Event ID 529 item, right-clicked on the new event and made sure that it's set to event 529 to "freak" out on. I'll have to log in from home and see if it does :-)

and then don't forget to change the message on the tab:

Okay time to go “fat finger the login” and see if it works!
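To make Jeff's "number of incidences before alerting" knob concrete, here is an added example (mine, not part of the original post and not Health Monitor's own code) that runs the same threshold logic over a handful of constructed 529 records. Event ID 529 is the Windows 2000/2003 Security log event "Logon Failure: Unknown user name or bad password" (Vista and later renumbered it to 4625). Health Monitor simply counts occurrences of the event ID within a period; the example goes a little beyond that by keying the count on the workstation the failures came from and on the account being tried, and adds a per-day total for the low-and-slow guesser that never trips a short window. The record layout (time, account, workstation) and every sample line below are constructed for the example.

```python
"""Threshold alerting on Windows Event ID 529 (Security log, Windows 2000/2003:
"Logon Failure: Unknown user name or bad password").

Added example: not part of the original post and not Health Monitor's own
logic.  The event lines are constructed for illustration, and the field
layout (time, account, workstation) is an assumption of this example.
"""
from collections import defaultdict, deque
from datetime import timedelta, datetime

# Constructed 529 records: ISO timestamp, account name tried, workstation
# the attempt came from.  First three: a user fat-fingering a password.
SAMPLE_529_LINES = [
    "2005-01-31T08:00:00 sbradley SBSDIVA-XP",
    "2005-01-31T08:00:15 sbradley SBSDIVA-XP",
    "2005-01-31T08:00:40 sbradley SBSDIVA-XP",
]
# One host trying 'administrator' six times, then six harvested names,
# all inside one minute.
SAMPLE_529_LINES += [
    f"2005-01-31T08:10:{5 * i:02d} {acct} BADBOX"
    for i, acct in enumerate(
        ["administrator"] * 6
        + ["jsmith", "tjones", "mlee", "bwong", "kpatel", "dbrown"]
    )
]
# A low-and-slow guesser: one attempt every ten minutes from 09:00 to 18:50.
SAMPLE_529_LINES += [
    f"2005-01-31T{9 + m // 60:02d}:{m % 60:02d}:00 jsmith SLOWBOX"
    for m in range(0, 600, 10)
]


def parse_529_lines(lines):
    """Parse the constructed lines into (timestamp, account, workstation)
    tuples, sorted by time as the monitor would receive them."""
    events = []
    for line in lines:
        ts, account, workstation = line.split()
        events.append((datetime.fromisoformat(ts), account, workstation))
    return sorted(events)


def by_workstation(account, workstation):
    return workstation


def by_account(account, workstation):
    return account


def window_alerts(events, threshold, window, key):
    """Return {key: time_it_first_tripped} for every key (workstation,
    account, ...) that accumulates `threshold` failures inside any span of
    length `window`.  A per-key deque of timestamps is kept; entries older
    than the window are evicted as time moves forward."""
    recent = defaultdict(deque)
    tripped = {}
    for ts, account, workstation in events:
        k = key(account, workstation)
        q = recent[k]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and k not in tripped:
            tripped[k] = ts
    return tripped


def daily_alerts(events, threshold, key):
    """Second check for the low-and-slow case a short window misses:
    total failures per key per calendar day."""
    counts = defaultdict(int)
    for ts, account, workstation in events:
        counts[(ts.date(), key(account, workstation))] += 1
    return {k: n for k, n in counts.items() if n >= threshold}


def run_example():
    events = parse_529_lines(SAMPLE_529_LINES)
    return {
        # Jeff's "number of incidences" knob: ten failures from one
        # workstation inside two minutes is not typing.
        "noisy_hosts": window_alerts(events, 10, timedelta(minutes=2), by_workstation),
        # Same knob keyed on the account: one name being hammered trips it
        # even when the attempts are spread across hosts.
        "hammered_accounts": window_alerts(events, 5, timedelta(minutes=2), by_account),
        # Daily total is what catches SLOWBOX; it never trips the window.
        "slow_hosts": daily_alerts(events, 30, by_workstation),
    }


if __name__ == "__main__":
    for name, hits in run_example().items():
        print(name, sorted(str(k) for k in hits))
```

With these thresholds the fat-fingered logons from SBSDIVA-XP never alert, BADBOX trips the per-workstation count on its tenth failure and "administrator" trips the per-account count on its fifth, and SLOWBOX only shows up in the daily total. Tune the numbers to the size of the shop, as Jeff says: an alert that fires on every typo is one you will learn to ignore.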


# re: Event 529s I'm ready for Ya

Tuesday, February 01, 2005 10:55 AM by bradley

I just installed SBS 2003, it came setup with monitoring in place.

I'm seeing a large number of login attempts and subsequent account lockouts.

All are valid account names. I assume there's some way hackers are seeing the valid names?

How does one prevent account names from being broadcast?

# re: Event 529s I'm ready for Ya

Tuesday, February 01, 2005 4:23 PM by bradley

Hello Dan,
Account names are harvested a number of different ways.

Possibly the most common is because Windows by default "suggests" that Usernames be derived from the person's real first name/last name and because in 99% of all MS networks the email account is the Windows Account name, too.

You can change these things, of course... but you'd have to know how to do these things and most general purpose SysAdmins (particularly SBS) won't know how to do that.

A practical way to approach the issue of easily harvested usernames is to just assume the hacker will know it, so you will want to configure a very difficult password (always! Because you will rotate it, too!) and monitor failed logons. Configuring an alert is a great thing to do, but you may want to configure it so it won't drive you batty with too many alerts (that's bad too, if you start to ignore the alerts).

HTH,
Tony

# Hey it worked!

Tuesday, February 01, 2005 7:34 PM by TrackBack

# A Security event -Nancy Drew Security event log detective?

Wednesday, February 02, 2005 8:04 PM by TrackBack

# An open port is a hole is a weakness is a entry is a ....got it?

Friday, February 04, 2005 6:12 PM by TrackBack


# re: Event 529s I'm ready for Ya

Tuesday, May 03, 2005 2:45 PM by bradley

very useful, thanks

# re: Event 529s I'm ready for Ya

Saturday, May 21, 2005 8:54 AM by bradley

thanks

# So what's the security of RDP?

Friday, August 12, 2005 7:02 PM by TrackBack