Mon, Jan 31 2005 21:09
Event 529s I'm ready for Ya
I'm stealing an idea from Jeff Meager in the newsgroup.... he said....
I decided to make an alert that informed you when too many bad username and password attempts had been made. You will need to customise it to the size of your company, but it's too easy.
Copy and Paste the account lockout health monitor item. Cange and rename it. change the event id to 529 which is the incorrect username and password one. Set the number of incidences before alerting to something that would signify an attack, rather than legitimate bad typing by a user. The default is to email you about it and flag it as critical.
If you have the facility to do email > sms you could have it SMS you!
Hey, that sounds pretty cool. Knowing that I looked over my own even logs and didn't see too many 529s except when I fat-fingered my own passwords I thought I'd set this up. You can either do what Jeff says or set up your own monitor.
Remote into the server, start, all programs, Administrative tools, Health monitor.
Wow, look at all those things being tracked. Remember SeanDaniel.com's blog post about how SBS got monitoring in the first place?
So under Core Server alerts I set up a new Event ID 529, right mouse clicked on the new event and made sure that it's set to event 529 to “freak” out on. I'll have to log in from home and see if it does :-)
and then don't forget to change the message on the tab:
Okay time to go “fat finger the login” and see if it works!
Filed under: Security