Audit Failure and Account Lockouts - Active Directory

I have an SBS 2011 server and am currently having issues with account lockouts and audit failures. All users use Exchange ActiveSync, RWW and OWA. The login attempts originate externally and I am having trouble resolving the issue. I have attempted to block the external IP address in the firewall, but it does not seem to make a difference. Any help is very much appreciated. Below are the audit failure details.
Security ID:            SYSTEM
      Account Name:            TLWSVR$
      Account Domain:            TLW
      Logon ID:            0x3e7

Logon Type:                  8

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            sue
      Account Domain:            tlw

Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xc000006d
      Sub Status:            0xc000006a

Process Information:
      Caller Process ID:      0x23c8
      Caller Process Name:      C:\Windows\System32\inetsrv\w3wp.exe

Network Information:
      Workstation Name:      TLWSVR
      Source Network Address:      101.168.213.75
      Source Port:            15060

Detailed Authentication Information:
      Logon Process:            Advapi  
      Authentication Package:      Negotiate
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0
co_ol Asked:
Simon Butler (Sembee), Consultant, Commented:
My instinct would be that the user has entered their password somewhere - mobile device most likely. The password has then been changed on the account but the device hasn't been updated.

If it is happening to multiple users, then someone is doing an authentication attack. The address belongs to the Australian ISP Telstra. I presume it isn't your address?

You could use IP address restrictions on IIS to block that address if it is constantly the same address.

Simon.
0
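The answer above separates two cases: one user with a stale password on a device, or several users being hit in an authentication attack. The following added example (not part of the original thread) parses text-rendered failed-logon events in the format posted in the question and groups them by source address to tell the cases apart. The sample events, addresses and account names are constructed, and the one-account versus many-accounts rule is an assumed heuristic.

```python
import re
from collections import defaultdict

# Code meanings per Microsoft's documentation for failed-logon audit events.
LOGON_TYPES = {"3": "Network", "8": "NetworkCleartext", "10": "RemoteInteractive"}
SUB_STATUS = {"0xc000006a": "valid user name, wrong password",
              "0xc0000064": "user name does not exist",
              "0xc0000234": "account locked out"}

def parse_event(text):
    """Extract the triage fields from one text-rendered failed-logon event."""
    def grab(pattern):
        m = re.search(pattern, text, re.S)
        return m.group(1).strip() if m else ""
    return {
        # "Account Name" appears twice; take the one under the failed-logon heading.
        "account": grab(r"Account For Which Logon Failed:.*?Account Name:\s*(\S+)").lower(),
        "logon_type": grab(r"Logon Type:\s*(\d+)"),
        "sub_status": grab(r"Sub Status:\s*(0x[0-9a-fA-F]+)").lower(),
        "process": grab(r"Caller Process Name:\s*([^\r\n]+)"),
        "source": grab(r"Source Network Address:\s*(\S+)"),
    }

def triage(events):
    """Group failures by source address (assumed heuristic, see lead-in)."""
    by_source = defaultdict(list)
    for ev in map(parse_event, events):
        by_source[ev["source"]].append(ev)
    report = {}
    for source, evs in by_source.items():
        accounts = sorted({e["account"] for e in evs})
        verdict = ("multiple accounts: possible authentication attack" if len(accounts) > 1
                   else "single account: check for a device with a stale password")
        report[source] = {"failures": len(evs), "accounts": accounts, "verdict": verdict,
                          "logon_types": sorted({LOGON_TYPES.get(e["logon_type"], e["logon_type"]) for e in evs}),
                          "reasons": sorted({SUB_STATUS.get(e["sub_status"], e["sub_status"]) for e in evs})}
    return report

# Constructed sample events (documentation-range addresses, made-up account names).
TEMPLATE = """Logon Type: 8
Account For Which Logon Failed:
  Account Name: {user}
  Sub Status: {sub}
  Caller Process Name: C:\\Windows\\System32\\inetsrv\\w3wp.exe
  Source Network Address: {ip}
"""
SAMPLE = [TEMPLATE.format(user=u, sub=s, ip=i) for u, s, i in [
    ("alice", "0xc000006a", "203.0.113.10"), ("alice", "0xc000006a", "203.0.113.10"),
    ("bob", "0xc000006a", "198.51.100.7"), ("carol", "0xc0000064", "198.51.100.7")]]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Logon type 8 with w3wp.exe as the caller means the password reached IIS in clear text, which fits the web-facing services named in the question (ActiveSync, OWA, RWW).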
co_ol, Author, Commented:
I was unable to determine who that IP address belongs to but was able to block that IP address. Unless someone complains about being unable to access the server, I assume it is unauthorized access. Thanks
0