Event ID 680 - Getting invalid logon attempts from my server

I noticed these in my event logs.  Sometimes its a user id of "academia" and sometimes its "inna".  How is this happening?  What is happening?  Why is the "Source Workstation" my server?  Scary stuff
PS I am current on all patches and on anti-virus (Trend Micro).

Source Event ID Last Occurrence Total Occurrences
  Security 680 10/16/2008 12:48 PM 5 *
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: inna
Source Workstation: CompSvr
Error Code: 0xC0000064

Source Event ID Last Occurrence Total Occurrences
  Security 529 10/16/2008 12:48 PM 5 *
Logon Failure:
  Reason: Unknown user name or bad password
  User Name: inna
  Domain:  
  Logon Type: 3
  Logon Process: Advapi
  Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  Workstation Name: CompSvr
  Caller User Name: CompSvr$
  Caller Domain: MyDomain
  Caller Logon ID: (0x0,0x3E7)
  Caller Process ID: 1556
  Transited Services: -
  Source Network Address: -
  Source Port: -
 
rowekAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

pistolslapperCommented:
Are you using any remote control software like vnc on your server?
0
rowekAuthor Commented:
No sir.  We do open up the Remote Desktop Port sometimes to get to client PCs.  Small Business Server also puts out a Welcome screen that looks like this:
(I am most concerned about Remote Web Workplace which allows somebody to sign on to my server remotely.  I do not know how to disable it)

Welcome to Windows Small Business Server 2003
 To get started, click a link.


  My Company's Internal Web Site
 Collaborate and share documents on your company's internal Web site.
   
  Network Configuration Wizard
 Join a client computer to the Windows Small Business Server network.
   
  Remote Web Workplace
 Connect to the Windows Small Business Server network over the Internet.
 
0
pistolslapperCommented:
How frequently are you getting these events. If it is quite frequent it may be worth running a piece of software like wireshark to see where the logon attempts are coming from.

0
Hey MSSPs! What's your total cost of ownership?

WEBINAR: Managed security service providers often deploy & manage products from a variety of solution vendors. But is this really the best approach when it comes to saving time AND money? Join us on Aug. 15th to learn how you can improve your total cost of ownership today!

harrytwotoesCommented:
If your server is securely placed and no one can walk up to it and type on the keyboard, the issue is likely the RWW.  You can specify who is allow to log into this service by the following
1) Open Server Management

2) On the left hand side navigation click on "Security Groups"

3) Now on the right hand side you will see all of the Security Groups that SBS builds by default, and any of the ones that you put in there.

4) Double click on Remote Web Workplace Users.

5) Click on the Members tab.

6) And whoever you would like.  Make sure that the mass groups like "everyone, and domain users" are not in the list.

7.) Apply your changes.

0
rowekAuthor Commented:
Okay, harrytwotoes, I went out and did what you said.  There were no "everyone, and domain users" in that group, only a few that need it.  Is there anyway to tell my server not to even display the Welcome Screen "Welcome to Windows Small Business Server 2003 " see detail above?  Everyone who needs access to our server goes directly to a specific page.

pistolslapper - I get these messages frequently, ten a day.  They indicate the workstation being used is my server.  Will something like wireshark actually help?
0
harrytwotoesCommented:
Ah.

To enable or disable Remote Web Workplace
Open the Windows SBS Console.

On the navigation bar, click Shared Folders and Web Sites.

Click the Web Sites tab.

Right-click Remote Web Workplace, and then do one of the following:

To enable Remote Web Workplace so that users can remotely access network features, click Enable this site.

To prevent users from accessing Remote Web Workplace, click Disable this site.

--site referenced--
http://technet.microsoft.com/en-us/library/cc527621.aspx
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
rowekAuthor Commented:
harrytwotoes: where is this Windows SBS Console. you are talking about?  I am running 2003 and cannot find it.  I normally use "SBS Server Mgt", but never the console.
0
harrytwotoesCommented:
Start > Programs > Windows Small Business Server > Windows SBS Console
0
rowekAuthor Commented:
Let me tell you how I brute force took it down.  I opened up IIS Mgr and clicked on "REMOVE".  It is no longer an application, just a folder.  If somebody tries to access it now they get the WSOD (.NET White Screen of Death).  I will see if this stops the sign on attempts.  If you can tell me a more elegant way to turn this down on SBS 2003 I would appreciate it, but the intent of your solution works fine: turn down RWW.
Thanks to both of you guys.
Keith
0
rowekAuthor Commented:
I looked and looked for that program group and app on my Start Menu...does not exist.  Do you have the name of the EXE?  I will create the group from scratch.  Point awarded.
0
rowekAuthor Commented:
http://www.eggheadcafe.com/software/aspnet/33255125/keep-getting-login-failur.aspx
Above is a good explanation of what is happening.  They are trying to relay off of my Exchange server.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.