Failure audits in Security Log

[mxxxc3]

Hello-

We have a remote 2003 server that is connected to our windows domain back at HQ. In the security log in event viewer we are getting 100's of failed login attempts per day from users within the company that we KNOW are not trying to contact the server. These users are not apart of this domain but rather a workgroup. I've checked other remote servers that are not geographically near this remote site and noticed that we are getting some failures but not nearly the same amount as the main culprit. I was told that it was just netbios traffic (which I'm sure it is) but not told a reason why? Any ideas?

Thanks

Matt

 

[mxxxc3]

Also, they are 529 and 680 errors.

Example of 680
-----------------

Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: SMITHXJA
Source Workstation: A111111
Error Code: 0xC0000064

Example of 529
-----------------

Logon Failure:
Reason: Unknown user name or bad password
User Name: SMITHXJA
Domain: A111111
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: A111111
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.123.45
Source Port: 0

 

[DTracy]

There could be an attempted breakin from outside your lan. Does that source IP match the workstation that smithxja works on?

David.

 

[mxxxc3]

Yes, the IP, Workstation name and user name all match up to the correct persons. The traffic is definitely coming from these areas and I suspect no malicious activity. It's just killing our event log.