Hi,
I have a Windows 2008 server (domain joined). As you can see in the events listed below, unknown user account 'beuser' has successfully logged in to Terminal server from IP address Network Address: 85.31.101.229 using Port# 50227 with Workstation Name "ШУРА-ПК".
Clearly this user name BEUSER does not exist in Active Directory. When I run IP Trace, it says: Continent: Europe (EU) Country: Latvia, and we don't have any computer user living outside the US.
How is it possible for anyone to log in with this user account?
Is port# 50227 designed to accept BEUSER?
I have a Linksys router that does NAT and port forwarding, and I run Backup Exec software on the Domain Controller.
Can you help?
-----------------------------------------------
An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
New Logon:
Security ID: Domain_Name\BEUser
Account Name: BEUser
Account Domain: NHECO
Logon ID: 0x147e7e
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: ШУРА-ПК
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V2
Key Length: 128
-----------------------------------------------------------------
Network Information:
Network Address: 85.31.101.229
Port: 50227
-------------------------------------------------------------