
Event Log (Security) Shows Login Failures of Wrong Domain

Status
Not open for further replies.

esmithbda

IS-IT--Management
Jun 10, 2003
I am a new network admin at our company. I come from a limited network admin background and a much more extensive programming background.
I am trying to get our network back up to speed, I have many tasks at hand.

As I have been going through the Event Logs trying to track down another issue, I noticed that in the Security Log, there are relatively many login failures (5 a day or so) - which would be fine if they were on our domain.
But they are for outside domains and users not on this domain.
Say our domain is ABC, I am seeing relatively many login attempts for domains XYZ, EFG, LMNOP, etc. They are just NTLM attempts, so it means that it isn't someone trying to log in to our specific machines on our domain, but instead it looks like it is someone that has a computer set up for a different domain turning their machine on and trying to log in to our network, but it isn't set up for it.

If someone else told me this, I would suspect people coming in with laptops that were set up for another company and then plugging in and not knowing what they were doing, trying to log in.
But we are only 16 people in this office, and I can keep track of whatever every user is doing... nobody is bringing in outside laptops.

The failure doesn't look very bad to me because it isn't changing much, it looks like the same sort of attempts pretty regularly - like the same person turning on their machine and getting the failures. Were it changing users and/or domains very rapidly, I would suspect an automated or more concerted effort to break in.

That said, the only other thing I could think of is that we do have a wireless access point, so I thought perhaps that was wide open and someone was accidentally getting onto our network that way. But I looked into it and it isn't wide open, although it doesn't have that high an encryption level on it.
But even with the low level encryption, that would still mean that someone is actively "breaking in" to the wireless connection, and then showing ineptitude at logging in... which doesn't seem right to me.

So I'm just curious if anyone can tell me where/what these logins are. The domains don't obviously point to any companies near us - and one - "TELECOM" is generic enough that it could be a number of things.

Any ideas?
 
A quick bump up to see if anyone has any ideas, or can point me where to look to learn more?

Thanks
 
Still trying to figure out why we are getting the failures.

Anyone know how/why this is happening?

In the Event Log, it will show a login failure for an account and domain that isn't ours.

ie if we are DOMAIN1 and we have a fixed set of users, we are seeing failures for a user that isn't on our list, and shows up for DOMAIN2.

we currently have about 5 different domains and their users showing up in our event log.

Any ideas?
 
We have a similar issue. It happens because of our laptop users who take their PC home and hook it up to their home network. Then, they bring it back to the office and forget to change the settings back. All of a sudden a weird username and domain name shows up in the log trying to gain entry. Anyone doing that at your office? This might be one reason. Do you have a terminal server in place that is exposed to the outside world? I connect to multiple domains for administration. If I forget to change the domain name and username to the appropriate domain, then this will also happen. Hope this helps some.
 
I thought that was the case at first - people that were coming in and trying to connect. But we are a very small office, both in terms of physical size and number of users. We have 16 people in the office and are on 1 floor (well, one and a half - we have one room downstairs that 4 of us are in).

So it is very easy to monitor who is doing what and/or who has done what just by asking and observing.

The only people bringing in laptops are one of the owners, and his shows up properly (he barely knows how to use the thing, but he is doing it correctly and doesn't have any other domains to log into).
The other person with the laptop is me, but I don't even log in to our domain (or any domain), I'm just connecting to get the IP address, not to share out network folders.

I do have terminal services up on the two main servers (primary and backup domain controllers) so that I don't have to go up and down the stairs just to work on a server.
But those aren't open to the outside world.

We have the wireless connection, and I haven't disconnected that yet to see if that is the culprit, but it does have encryption on it, and the login attempts I have seen seem more to be of the accidental type - which would mean they are then accidentally breaking our encryption and then not logging in properly to our domain.

It is strange to me.
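The thread never gets to the step that would actually answer the question: pulling the failed-logon events apart so that each foreign domain\user is listed together with the workstation name and source address it came from, the logon type (network, interactive, Terminal Services) and the failure sub-status (account does not exist vs. wrong password). The script below is an added example and is not code from anyone in this thread. It assumes a Windows Vista/Server 2008 or later Security log, where logon failures are event 4625 with named XML fields; the Windows 2000/2003-era logs the original poster was reading use event 529 with a different message layout, so the field names would have to be adjusted there. It also assumes it is run on a domain-joined machine (ideally the domain controller), so that $env:USERDOMAIN is the local domain.

```powershell
# Added example, not from the original thread. Summarise failed logons (event 4625)
# whose target domain is not our own, grouped by who tried and where they came from.
# Assumptions: Vista/2008+ Security log (event 4625, not the older 529), and the
# script runs on a domain-joined machine so $env:USERDOMAIN is "our" domain.
param(
    [int]$Days = 7
)

$start  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $start } `
                       -ErrorAction SilentlyContinue

# Flatten each event's EventData <Data Name="..."> nodes into one object per failure.
$rows = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Domain      = $d['TargetDomainName']
        User        = $d['TargetUserName']
        Workstation = $d['WorkstationName']          # name the client sent, e.g. a home PC
        SourceIP    = $d['IpAddress']                # '-' for local attempts
        LogonType   = $d['LogonType']                # 2 interactive, 3 network, 10 RDP/Terminal Services
        AuthPackage = $d['AuthenticationPackageName']
        SubStatus   = $d['SubStatus']                # 0xC0000064 no such account, 0xC000006A bad password
    }
}

# The thread's question: which attempts are for a domain other than ours?
# Attempts against the local machine name (local accounts) are excluded as well.
$ourDomain = $env:USERDOMAIN
$foreign = $rows | Where-Object {
    $_.Domain -and $_.Domain -ne $ourDomain -and $_.Domain -ne $env:COMPUTERNAME
}

$foreign |
    Group-Object Domain, User, Workstation, SourceIP |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Domain\User'; e = { $_.Group[0].Domain + '\' + $_.Group[0].User } },
        @{ n = 'Workstation'; e = { $_.Group[0].Workstation } },
        @{ n = 'SourceIP';    e = { $_.Group[0].SourceIP } },
        @{ n = 'LogonType';   e = { $_.Group[0].LogonType } },
        @{ n = 'SubStatus';   e = { $_.Group[0].SubStatus } },
        @{ n = 'First';       e = { ($_.Group | Sort-Object Time)[0].Time } },
        @{ n = 'Last';        e = { ($_.Group | Sort-Object Time)[-1].Time } } |
    Format-Table -AutoSize
```

Reading the output: a foreign domain with SubStatus 0xC0000064 (account does not exist) from one workstation name at roughly the same time each day matches the "mis-set laptop" explanation given in the reply above, and the WorkstationName and source address tell you which cable or access point it sits behind. A LogonType of 10 points at the Terminal Services listeners mentioned in the thread, and many distinct users with SubStatus 0xC000006A (bad password) from one address is the pattern the original poster said would worry him.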
 