In our SBS event viewer I noticed a large number of security failures for the above logon process and authentication package:
Reason: Unknown user name or bad password
User Name: 666
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SERVER
Caller User Name: SERVER$
Caller Domain: DOMAIN
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 12592
Transited Services: -
Source Network Address: -
Source Port: -
The Username changes each attempt.
I initially thought that this was spawning from my SERVER, but after diagnosing the event log, I am thinking that it is a workstation on the domain that is attempting to connect.
Can anyone confirm this for me and suggest a strategy on how to find the workstation in question?
We currently only have AV installed on all using CA eTrust, but could look at Pest Patrol which is a part of the suite.