Thanks for posting in our newsgroup.
Please let me know the following to make the situation clearer:
You said "I have noticed that the user can also be root, administrator as
well." Do you mean that the user names in the events are root or
Based on my research, this event can be caused by a hacker, a virus or services
on the SBS server. Please take the following steps to see if the problem
can be resolved.
Step 1: Please perform a clean boot to make sure the problem is not caused
by third-party software:
1. Click Start->Run...->type msconfig and press Enter.
2. Click Services tab and select Hide All Microsoft Services and Disable
All third party Services.
3. Click Startup tab and Disable All startup items.
4. Click OK and choose Restart.
5. After reboot, check whether the problem still occurs.
6. If there are no more problems, please use the above steps to enable
services and startup items one by one in order to figure out the root cause
of this issue.
Step 2: The issue may be caused by a virus. Please scan the system with
antivirus software with the latest signatures and test again.
Step 3: The issue occurs on the domain controller when the audit policy is
turned on for logon failures. To fix this, please install the following
Security Event 529 is logged for local user accounts
You can submit a request to Microsoft Online Customer Services to obtain
the hotfix. To submit an online request to obtain the hotfix, visit the
following Microsoft Web site:
In addition, please implement Strong password policies in your network. To
Open "Server Management console", navigate to Users snap-in. In the right
panel, click "Configure Password Policies". Enable the password policies.
1. Password must meet minimum length requirements.
2. Password must meet complexity requirements.
3. Password must be changed regularly.
4. Configure password policies: Immediately.
If you enable Strong Password Policy, you will still see the security
events, but it's difficult for hackers to access the network.
Securing Your Windows Small Business Server 2003 Network
During the user authentication process, the system sends the user credentials in
a package, but this package contains only the user credentials; no source IP is
included. So when the authentication fails, an event is created but there is
no source IP. This is expected behavior. So first we need to find out
what causes such events.
If the problem persists, please help me collect the following information
for deep research:
1. What important change did you make before the issue first occurred?
2. MPS Report
1) Download MPS report tool from:
2) Run the MPSRPT_SETUPPerf.exe on the server box.
3) Wait for 10~15 minutes.
4) Open Windows explorer, navigate to
5) Send the .cab file to firstname.lastname@example.org with subject:
41016572-Hack Attempt - Remote Web Workplace.
I am looking forward to hearing from you.
If you need further assistance, please don't hesitate to let me know.
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
When opening a new thread via the web interface, we recommend you check the
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
This posting is provided "AS IS" with no warranties, and confers no rights.
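
As an added example (not part of the original post and not Microsoft code): since the reply notes that these failure events may carry no source IP, one way to start finding what causes them is to group exported Event 529 descriptions by account name, logon type, logon process and workstation. The sample records are constructed and abridged, the `Field: value` layout of the exported description text is an assumption, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed, abridged Event ID 529 descriptions (not taken from the thread).
SAMPLE = """\
Logon Failure:
    User Name: root
    Logon Type: 3
    Logon Process: Advapi
    Workstation Name: SBS01
    Source Network Address: -
Logon Failure:
    User Name: ROOT
    Logon Type: 3
    Logon Process: Advapi
    Workstation Name: SBS01
    Source Network Address: -
Logon Failure:
    User Name: administrator
    Logon Type: 10
    Logon Process: User32
    Workstation Name: SBS01
    Source Network Address: 192.0.2.10
"""

# Assumed layout: one "Field name: value" pair per line.
FIELD = re.compile(r"^\s*([A-Za-z ]+):[ \t]*(.*?)\s*$")

def parse_events(text):
    """Return one {field: value} dict per 'Logon Failure:' record."""
    events = []
    for chunk in re.split(r"(?m)^Logon Failure:[ \t]*$", text)[1:]:
        matches = (FIELD.match(line) for line in chunk.splitlines())
        events.append({m.group(1).strip(): m.group(2) for m in matches if m})
    return events

def summarize(events):
    """Count failures per (user, logon type, process, workstation) and
    count the records that carry no usable source address."""
    groups, no_source = Counter(), 0
    for ev in events:
        groups[(ev.get("User Name", "?").lower(), ev.get("Logon Type", "?"),
                ev.get("Logon Process", "?"), ev.get("Workstation Name", "?"))] += 1
        if ev.get("Source Network Address", "-") in ("", "-"):
            no_source += 1
    return groups, no_source

if __name__ == "__main__":
    print(summarize(parse_events(SAMPLE)))
```

A group dominated by one logon process and workstation points at the service or entry point generating the failures, which is the question the clean boot in Step 1 is also trying to answer.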