Event 529s I’m ready for Ya

On January 31, 2005, in Security, by

I’m stealing an idea from Jeff Meager in the newsgroup… he said…


I decided to make an alert that informed you when too many bad username and password attempts had been made. You will need to customise it to the size of your company, but it’s too easy.


Copy and paste the account lockout health monitor item. Change and rename it. Change the event ID to 529, which is the incorrect username and password one. Set the number of incidences before alerting to something that would signify an attack, rather than legitimate bad typing by a user. The default is to email you about it and flag it as critical.


If you have the facility to do email > sms you could have it SMS you!


Hey, that sounds pretty cool.  Knowing that, I looked over my own event logs and didn’t see too many 529s except when I fat-fingered my own passwords, so I thought I’d set this up.  You can either do what Jeff says or set up your own monitor.


Remote into the server: Start, All Programs, Administrative Tools, Health Monitor.


Wow, look at all those things being tracked.  Remember SeanDaniel.com’s blog post about how SBS got monitoring in the first place?


So under Core Server Alerts I set up a new Event ID 529 alert, right-clicked on the new event and made sure that it’s set to event 529 to “freak” out on.  I’ll have to log in from home and see if it does  🙂



And then don’t forget to change the message on the tab:



Okay time to go “fat finger the login” and see if it works!
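The Health Monitor rule above is a threshold: alert once a burst of event 529 (logon failure, bad username or password) looks like an attack rather than a user mistyping. As an added illustration (not code from the post and not part of SBS Health Monitor), here is the same logic in Python, run over a constructed Security-log export. The CSV layout (time, event ID, account, workstation), the sample rows, the `failed_logon_alerts` function and its defaults are all assumptions made for the example. It also adds a cooldown so one burst produces one alert instead of one per event, which is the part Health Monitor leaves to you.

```python
"""Threshold alert for Windows event ID 529 (logon failure), modelled on the
Health Monitor rule described in the post.  Added example; the CSV layout and
the sample rows below are constructed, not real log data."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed export: time, event id, account, workstation (layout is an assumption).
# One user mistypes twice and then succeeds (528); later a burst of failures hits
# several valid accounts from one workstation, and a second burst 36 minutes on.
SAMPLE_CSV = """\
2005-01-31 08:02:10,529,jsmith,JSMITH-PC
2005-01-31 08:02:19,529,jsmith,JSMITH-PC
2005-01-31 08:02:31,528,jsmith,JSMITH-PC
2005-01-31 23:14:01,529,administrator,WS-UNKNOWN
2005-01-31 23:14:02,529,administrator,WS-UNKNOWN
2005-01-31 23:14:03,529,jsmith,WS-UNKNOWN
2005-01-31 23:14:04,529,tsu,WS-UNKNOWN
2005-01-31 23:14:05,529,dan,WS-UNKNOWN
2005-01-31 23:14:06,529,administrator,WS-UNKNOWN
2005-01-31 23:14:07,529,jsmith,WS-UNKNOWN
2005-01-31 23:14:08,529,tsu,WS-UNKNOWN
2005-01-31 23:50:00,529,administrator,WS-UNKNOWN
2005-01-31 23:50:01,529,administrator,WS-UNKNOWN
2005-01-31 23:50:02,529,jsmith,WS-UNKNOWN
2005-01-31 23:50:03,529,tsu,WS-UNKNOWN
2005-01-31 23:50:04,529,dan,WS-UNKNOWN
"""


def parse_events(text):
    """Parse the constructed CSV into (time, event_id, account, workstation) tuples."""
    events = []
    for ts, event_id, account, workstation in csv.reader(io.StringIO(text)):
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       int(event_id), account, workstation))
    return events


def failed_logon_alerts(events, threshold=5, window=timedelta(minutes=10),
                        cooldown=timedelta(minutes=30)):
    """Return one alert per burst of event 529 from a workstation.

    An alert fires when `threshold` failures from the same workstation fall
    inside a sliding `window`.  After firing, that workstation is muted for
    `cooldown`, so a long burst yields one alert rather than one per event.
    """
    recent = defaultdict(list)   # workstation -> [(time, account)] inside the window
    last_alert = {}              # workstation -> time of the last alert raised
    alerts = []
    for ts, event_id, account, workstation in sorted(events):
        if event_id != 529:      # only bad username/password failures count
            continue
        recent[workstation] = [(t, a) for t, a in recent[workstation]
                               if ts - t <= window] + [(ts, account)]
        failures = len(recent[workstation])
        muted = (workstation in last_alert
                 and ts - last_alert[workstation] < cooldown)
        if failures >= threshold and not muted:
            alerts.append({
                "time": ts,
                "workstation": workstation,
                "failures": failures,
                "accounts": sorted({a for _, a in recent[workstation]}),
            })
            last_alert[workstation] = ts
    return alerts


if __name__ == "__main__":
    for alert in failed_logon_alerts(parse_events(SAMPLE_CSV)):
        print(f"{alert['time']} CRITICAL: {alert['failures']} failed logons "
              f"from {alert['workstation']} against {', '.join(alert['accounts'])}")
```

Jeff's advice about picking the count is the `threshold` argument: with the default of 5 the two fat-fingered attempts from JSMITH-PC never alert, while the burst from WS-UNKNOWN does; drop it to 2 and the user's typos page you too, which is the "drive you batty" failure mode.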


4 Responses to Event 529s I’m ready for Ya

  1. Dan Z says:

    I just installed SBS 2003; it came set up with monitoring in place.

    I’m seeing a large number of login attempts and subsequent account lockouts.

    All are valid account names. I assume there’s some way hackers are seeing the valid names?

    How does one prevent account names from being broadcast?

  2. Tony Su says:

    Hello Dan,

    Account names are harvested a number of different ways.

    Possibly the most common is because Windows by default "suggests" that Usernames be derived from the person’s real first name/last name and because in 99% of all MS networks the email account is the Windows Account name, too.

    You can change these things, of course… but you’d have to know how to do these things and most general purpose SysAdmins (particularly SBS) won’t know how to do that.

    A practical way to approach the issue of easily harvested Usernames is to just assume the Hacker will know it, so you will want to configure a very difficult password (always! – Because you will rotate it, too!) and monitor failed logons. Configuring an alert is a great thing to do, but you may want to configure it so it won’t drive you batty with too many alerts (That’s bad too if you start to ignore the alerts).

    HTH,

    Tony

  3. very useful, thanks