A little bit of 529’s

On November 30, 2007, in Security, by

So let’s say you want to be alerted when someone makes a password attempt on your system. Go into the Health Monitor, copy the Account Lockout alert and edit it to look for event 529 in the event logs. Adjust the Actions so that it not only logs to the system but also emails you when someone makes a bad password attempt, and voila… you now have an early warning system for when someone remote is banging on things.

I personally restrict access to port 25 to only the hosts that need it, the servers at ExchangeDefender.com, so I don’t get drive-bys… but if you are concerned…
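The alert above fires once per event, which is noisy during a password-guessing run. As an added example (not part of the original post and not the Health Monitor’s own logic), the script below reads a constructed tab-separated export of Security log entries, keeps only event 529 records, produces a per-account digest and flags bursts of failures within a time window so one summary email can replace dozens of single alerts. The export format (time, event id, user name, logon process, source address, with "-" when no address was recorded) is an assumption for this example; adapt the parser to whatever your export tool emits.

```python
"""Digest Windows event 529 (logon failure: bad user name or password) records
and flag bursts, instead of raising one alert per event."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample export (assumed tab-separated layout):
# time, event id, user name, logon process, source network address ("-" if none).
SAMPLE_EVENTS = """\
2007-11-30 06:02:11\t529\twebmaster\tAdvapi\t-
2007-11-30 07:40:03\t529\tadministrator\tAdvapi\t-
2007-11-30 07:40:05\t529\tadmin\tAdvapi\t-
2007-11-30 07:40:08\t529\ttest\tAdvapi\t-
2007-11-30 07:40:12\t529\tsales\tAdvapi\t-
2007-11-30 07:40:15\t529\tinfo\tAdvapi\t-
2007-11-30 07:41:02\t529\twebmaster\tAdvapi\t-
2007-11-30 08:15:22\t528\tjsmith\tUser32\t192.0.2.10
2007-11-30 13:05:44\t529\twebmaster\tAdvapi\t-
"""


def parse_events(text):
    """Turn the export into a list of dicts; non-529 events are kept for now."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, event_id, user, process, addr = line.split("\t")
        events.append({
            "time": datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
            "event_id": int(event_id),
            "user": user.lower(),          # account names are case-insensitive
            "process": process,
            "source": None if addr == "-" else addr,
        })
    return events


def failed_logons(events):
    """Only event 529 matters for the bad-password alert."""
    return [e for e in events if e["event_id"] == 529]


def find_bursts(failures, window=timedelta(minutes=5), threshold=5):
    """Sliding window: a burst is `threshold` or more failures within `window`."""
    failures = sorted(failures, key=lambda e: e["time"])
    bursts = []
    i = 0
    while i < len(failures):
        j = i
        while j + 1 < len(failures) and failures[j + 1]["time"] - failures[i]["time"] <= window:
            j += 1
        count = j - i + 1
        if count >= threshold:
            chunk = failures[i:j + 1]
            bursts.append({
                "start": chunk[0]["time"],
                "end": chunk[-1]["time"],
                "count": count,
                "users": sorted({e["user"] for e in chunk}),
                # How many records actually carried a source address.
                "with_source": sum(1 for e in chunk if e["source"]),
            })
            i = j + 1            # do not double-count events already in a burst
        else:
            i += 1
    return bursts


def summarize(failures):
    """Counts per account and per logon process for the digest."""
    return {
        "total": len(failures),
        "by_user": Counter(e["user"] for e in failures),
        "by_process": Counter(e["process"] for e in failures),
    }


def render_digest(events):
    """Text suitable for a single summary email."""
    failures = failed_logons(events)
    s = summarize(failures)
    lines = [f"{s['total']} failed logons (event 529)"]
    for user, n in s["by_user"].most_common():
        lines.append(f"  {user}: {n}")
    for b in find_bursts(failures):
        lines.append(f"BURST {b['start']:%H:%M:%S}-{b['end']:%H:%M:%S}: "
                     f"{b['count']} attempts, users {', '.join(b['users'])}, "
                     f"{b['with_source']} with a source address")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_digest(parse_events(SAMPLE_EVENTS)))
```

Run it once a day (or from the alert action itself) and mail the returned digest; the burst lines are the ones worth reading first, and the "with a source address" count shows up front whether the records will let you identify where the attempts came from.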


2 Responses to A little bit of 529’s

  1. Boon Tee says:

    I’ve done this for most of my servers, except that I don’t check the success audit box.

    Every so often, more so in the past few months, I get a batch of 30-50 attempts in the space of a few minutes on a server with various usernames, but no IP address. Often, the Logon Process is Advapi.

    The most common is the off and on single attempt as per above Advapi process, and username Webmaster. I see a few of these every day on various servers.

    It’s hard to look through the lot of emails carefully when there are 190 such emails in your inbox, as there were this morning.

    Conversely, is there a way to check a normal RWW or OWA login attempt (success or not) and gather the IP information? I have been trying to figure out what event ID is logged.

  2. Ryan O'Dwyer says:

    You can turn off authentication on the SMTP instance, thus disabling the AUTH verbs for any external SMTP access (for those not using 3rd-party filtering), therefore disabling anyone attempting to send authenticated email. Everyone I know uses OWA/RWW; no need to leave authentication turned on for things that no one uses.

    One of the ways to show IP access is to view the WWW (\windows\system32\logs\w3svc) logs, but if you use Windows Mobile push email, then your WWW logs get filled with the phone access.