Every so often one of the SBS servers we manage reports a series of failure audits (around 10-30 at a time). The usernames which appear are generally not in AD (so it makes me think it's some sort of dictionary attack?). As shown in the example event below, there is no indication of source IP or port (Caller Process ID seems to vary).
A bit of background on the server:
It is an SBS 2k3 R2 server (behind a SonicWall) with the latest Microsoft updates (as of the beginning of April) and has only got RDP, SMTP and SSL being forwarded to it.
Can anyone provide me with some advice on how to pinpoint where this attack is coming from? And what the attacker is trying to exploit?
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
User: NT AUTHORITY\SYSTEM
Computer: <SBS SERVER NAME>
Reason: Unknown user name or bad password
User Name: <SERIES OF INVALID USER NAMES>
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_P
Workstation Name: <SBS SERVER NAME>
Caller User Name: <SBS SERVER NAME>$
Caller Domain: <DOMAIN NAME>
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 2868
Transited Services: -
Source Network Address: -
Source Port: -
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp
Thanking you all in advance for any assistance provided.
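The following Python example is added here and is not part of the original post: it parses events exported as text in the layout shown above and groups the 529 failures by Caller Process ID, the field that identifies the local process which submitted the logon attempts. The sample events, user names and PID 3120 are constructed for illustration.

```python
import re
from collections import defaultdict

# "Field Name: value" lines as they appear in the event text above.
FIELD = re.compile(r"^\s*([A-Za-z /]+?):\s*(.*?)\s*$")

# Constructed sample in the post's layout; user names and PID 3120 are made up.
_EVENT = ("Event Type: Failure Audit\nEvent ID: 529\nUser Name: {}\n"
          "Logon Type: 3\nCaller Process ID: {}\nSource Network Address: -\n\n")
SAMPLE = "".join(_EVENT.format(user, pid) for user, pid in
                 [("admin1", 2868), ("test", 2868), ("backup", 3120)])

def parse_events(text):
    """Split exported text into dicts; a new event starts at 'Event Type:'."""
    events, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # blank lines and the trailing help-link sentence
        key, value = m.groups()
        if key == "Event Type":
            current = {}
            events.append(current)
        if current is not None:
            current[key] = value
    return events

def summarize_529(events):
    """Group Event ID 529 failures by the local process that submitted them."""
    groups = defaultdict(lambda: {"count": 0, "users": set(), "no_source": 0})
    for ev in events:
        if ev.get("Event ID") != "529":
            continue
        g = groups[ev.get("Caller Process ID", "?")]
        g["count"] += 1
        g["users"].add(ev.get("User Name", ""))
        if ev.get("Source Network Address", "-") in ("", "-"):
            g["no_source"] += 1  # no remote address recorded in the event
    return dict(groups)

if __name__ == "__main__":
    for pid, g in summarize_529(parse_events(SAMPLE)).items():
        print(pid, g["count"], sorted(g["users"]), g["no_source"])
```

Each PID in the summary can then be matched to a running process on the server, for example with `tasklist /svc`, while that process is still alive.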