I have 200+ failed logons per day, no source or username documented

SoleCreation
I have numerous (200+) Event Errors

Event ID 4625, my filter shows 1,170
Event ID 4634, my filter shows 254,489

The listed events are steadily growing...

My server info
Windows Server 2011 Essentials
Running in VM, clean install

History
Events just started about a month ago. Other research and troubleshooting is not yielding successful results.


Commented:
Is it accessible from the internet?
Shaun VermaakTechnical Specialist

Commented:
In such cases I sometimes go the hard way: Wireshark.

Log the network traffic for some time, and inspect the traffic around the time of the event, maybe for more than one event. If you have detected the offending packets, i.e. by filtering out all known & safe protocol types and peeking a bit deeper into the rest, they should reveal at least the IP they came from. And probably more ....

Software & Systems Engineer
Commented:
I am under the impression that someone is trying to hack you by RDP....he is using the administrator account name which has 'password never expires' and he/she is trying to get access...I would suggest just for a start to change the RDP port from outside...right now it should be 3389.....change it to something else and observe...
Distinguished Expert 2017

Commented:
You have to assemble 530/528.
Logon type will provide additional information:
Interactive, network, etc...
Shaun VermaakTechnical Specialist

Commented:
Those are the old event IDs. Please find new event IDs in my article in previous post
Distinguished Expert 2017

Commented:
there are others, I am aware of the others, one has to know whether there are older systems that would be reflected under the old ..... request to SBS, SBS generating/reporting....

older account lockout tool from MS technet, includes a tool that can scour the security event log and allow you to view its content.

Clean install means nothing, what application, users are using? mapped drives, mapped other resources, applications that rely on AD security for access/rights assignment......

External access RDP, access to email, active sync, access to VPN, .......
David AtkinTechnical Director
Commented:
I'd agree with John Tsioumpris.

You can confirm this if in the details the logon type is 10.

If you are getting this then as John suggested, change the external RDP Port on the Router.
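
The check David describes, as an added example that is not part of any post in this thread: a PowerShell script that pulls the 4625 (failed logon) events from the Security log, reads the LogonType, TargetUserName and IpAddress fields out of each event's XML, and groups them so the type 10 (RemoteInteractive, i.e. RDP) share and its source addresses stand out. It assumes it is run in an elevated PowerShell on the server itself; the $Hours parameter and the output layout are my own choices, not something from the thread.

```powershell
# Added example, not from the thread: summarise failed logons (Security event 4625)
# by logon type, source address and target account for the last $Hours hours.
# Assumes an elevated PowerShell session on the server itself ($Hours is my own parameter).
param([int]$Hours = 24)

# Documented LogonType values for 4625; type 10 is an RDP/Terminal Services logon
$logonTypeNames = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive (RDP)'; 11 = 'CachedInteractive'
}

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Every field of the event sits in a <Data Name="..."> node under EventData
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    $type = [int]$d['LogonType']
    # Older events often carry '-' instead of an address; fall back to the workstation name
    $src = $d['IpAddress']
    if (-not $src -or $src -eq '-') { $src = $d['WorkstationName'] }
    if (-not $src -or $src -eq '-') { $src = '(not recorded)' }

    New-Object PSObject -Property @{
        Time      = $e.TimeCreated
        LogonType = $type
        TypeName  = $logonTypeNames[$type]
        User      = $d['TargetUserName']
        Source    = $src
        SubStatus = $d['SubStatus']   # 0xC000006A = bad password, 0xC0000064 = unknown account
    }
}

"Failed logons (4625) in the last $Hours h: $(@($rows).Count)"

"`nBy logon type:"
$rows | Group-Object TypeName | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

"`nTop sources for RDP (type 10) failures:"
$rows | Where-Object { $_.LogonType -eq 10 } | Group-Object Source |
    Sort-Object Count -Descending | Select-Object -First 10 Count, Name | Format-Table -AutoSize

"`nTop target accounts:"
$rows | Group-Object User | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize
```

Run it once before the port change and again a day after to confirm the type 10 count actually drops. One caveat when the source column comes back empty: if Network Level Authentication is enabled on the RDP listener, a bad password is rejected during the CredSSP exchange before any session exists, and the resulting 4625 is logged with logon type 3 and an IpAddress of '-', which matches the "no source documented" symptom in the question; in that case group on the target account and the SubStatus instead, and use the type 3 spike as the thing to watch.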

Author

Commented:
Thanks John and David! RDP port change and reboot! All safe now.
