Deciphering Event Log ID 529 Audit Failure

Tags: Event ID 529, Event logs, Network security, Security, Security audits
We have a small network (less than 50 workstations), and I notice in the Security Event Logs of each workstation there will usually be several audit failures. For example:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 3/30/2009
Time: 8:19:25 AM
User: NT AUTHORITY\SYSTEM
Computer: [ComputerName]
Description:
Logon Failure:
    Reason: Unknown user name or bad password
    User Name: [UserName]
    Domain: [ComputerName]
    Logon Type: 2
    Logon Process: Advapi
    Authentication Package: Negotiate
    Workstation Name: [ComputerName]


Seeing several of these events normally would make me think that this was an intrusion attempt, but I am dubious because some of the login failures appear to originate from my own machine at a time when I am using it. I have certainly never tried to break into another computer on the network (especially since I have my own admin account on all of them). It also seems to be random as to which computer the failure originates from.

I wonder whether it is possible that some software installed on the machines is scanning the network. Maybe Windows is sending out requests that are denied access by other machines. I have even thought that maybe incorrectly entered user names and passwords from legitimate login attempts are somehow propagating throughout the network. Is this something common among Windows networks? If so, how do you tell the difference in regular network noise and intrusion attempts?

My network specs:
Peer-to-peer network (no domain or Active Directory)
DNS server uses Windows 2003 R2
Workstations all use Windows XP

Answer Wiki


There is likely some “shared” resource – printer, folder, etc. – in the background to which the machine is trying to keep a persistent connection open. This can cause account lockouts too if there is a matching username in the domain as is present on the local computer.

See the following articles for more information on tracking down these login attempts:
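
One way to sort the failures the question describes, as an added example that is not part of the original thread: it parses event 529 descriptions (assuming one field per line, as Event Viewer displays them), groups them by Workstation Name, and labels each source. The host names, user names, labels and threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Logon Type codes recorded in Windows logon events.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock"}

FIELD_RE = re.compile(
    r"^[ \t]*(User Name|Domain|Logon Type|Logon Process|"
    r"Authentication Package|Workstation Name):[ \t]*(.*?)[ \t]*$", re.M)

def parse_529(description):
    """Turn one event 529 description into a dict of its fields."""
    fields = dict(FIELD_RE.findall(description))
    fields["Logon Type"] = int(fields.get("Logon Type", 0))
    return fields

def summarize(descriptions, guess_threshold=3):
    """Group failures by source workstation and label each source.
    Heuristic (an assumption, tune per network): one user name repeating from
    one workstation fits a reconnecting share or saved credential; many
    different user names from one workstation deserves a closer look."""
    by_source = defaultdict(list)
    for d in descriptions:
        e = parse_529(d)
        by_source[e.get("Workstation Name", "?")].append(e)
    report = {}
    for ws, events in by_source.items():
        users = {e.get("User Name", "").lower() for e in events}
        types = sorted({LOGON_TYPES.get(e["Logon Type"], str(e["Logon Type"]))
                        for e in events})
        label = ("many user names" if len(users) >= guess_threshold
                 else "same user repeating" if len(events) > 1 else "single failure")
        report[ws] = {"failures": len(events), "users": sorted(users),
                      "logon_types": types, "label": label}
    return report

# Constructed sample descriptions (not taken from the page).
def _ev(user, ws, ltype):
    return ("Logon Failure:\n Reason: Unknown user name or bad password\n"
            f" User Name: {user}\n Domain: {ws}\n Logon Type: {ltype}\n"
            " Logon Process: Advapi\n Authentication Package: Negotiate\n"
            f" Workstation Name: {ws}\n")

SAMPLE = ([_ev("jsmith", "WS-07", 3)] * 4 +
          [_ev(u, "WS-22", 3) for u in ("admin", "administrator", "root", "test")] +
          [_ev("mlee", "WS-03", 2)])

if __name__ == "__main__":
    for ws, info in sorted(summarize(SAMPLE).items()):
        print(ws, info)
```
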
