Running Windows SBS 2003 R2 with RWW and OWA enabled through relevant Port Forwards on our external Hardware Firewall.
Last night came across the following Event ID entries, with 35 entries logged under Event ID 529:-
Reason: Unknown user name or bad password
User Name: administrator
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: OURSERVER
Caller User Name: OURSERVER$
Caller Domain: OURDOMAIN
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 7172
Transited Services: -
Source Network Address: 126.96.36.199
Source Port: 11791"
Whilst I'm familiar with Event 529 errors, this is the first I've come across from an external IP address.
The address seems to nslookup to a host in Germany, definitely not one of our workers then!
I'm unfamiliar with Source Port 11791 though.
1. Is this an unauthorised user trying to login via Remote Web Workplace?
2. If so - is there anything I can do to harden up the security to prevent hack attempts like this in future?
Any suggestions appreciated.