Over the past couple of months, the security section of my Windows event log has shown a flood (about 1 every second for an hour) of attempts to log in to my SBS 2003 server as Administrator. The security log indicates the attempts are coming from various public IP addresses and ports, a couple of evenings during the week. I believe I have my SonicWall firewall configured about as tightly as I can while still functioning, as we use OWA and RWW. We do not host any web sites at our location. Is there a way to configure a lockout policy to make it more difficult for whoever it is to accomplish whatever it is? I have read various posts about account lockout policies, which sound like the way to go, but have also read that they do not apply to the Administrator.
Event ID = 529
Source = Security
Category = Logon/Logoff
Logon type = 10
Logon process = User32
Authentication package = Negotiate
Domain = OurLocalDomainName
Workstation name = OurServerName
Caller user name = OurServerName$
Caller domain = OurLocalDomainName
Sunday (7/4), there were no attempts that appeared in the log. Monday (7/5), they appeared in the afternoon, every two seconds or so for about an hour. The first batch came from one public IP address with the user name of ASPNET, which after a couple of minutes changed to ASP.NET, then to manager, then to station1, station2, station3, sql, systems, pos, manager, adminstrator. Most of these names are not AD users on our network. The Caller Process ID changes, as does the Source Port. I have attempted running tracert on the IP addresses and most of them time out after a few hops. Those that don't time out go to various ISPs here in the US and Europe. It's almost like there is a DNS problem and they are getting mis-directed to our address or something. I would like it to stop, whether it be malicious or not.
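A triage sketch for the pattern described in the post, added here as an example and not part of the original post: it groups failed logons (Event ID 529, logon type 10) by source address and flags sources that cycle through several user names in a short burst. The one-line-per-event log layout, the thresholds and the sample records (documentation-range IP addresses) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (assumed layout: one Security event per line).
# Addresses are documentation-range values, not the ones from the post.
SAMPLE_LOG = """\
2010-07-05 14:00:01 EventID=529 LogonType=10 User=ASPNET Source=203.0.113.7 Port=4101
2010-07-05 14:00:03 EventID=529 LogonType=10 User=ASP.NET Source=203.0.113.7 Port=4102
2010-07-05 14:00:05 EventID=529 LogonType=10 User=manager Source=203.0.113.7 Port=4105
2010-07-05 14:00:07 EventID=529 LogonType=10 User=station1 Source=203.0.113.7 Port=4109
2010-07-05 14:00:09 EventID=529 LogonType=10 User=sql Source=203.0.113.7 Port=4111
2010-07-05 15:30:00 EventID=529 LogonType=2 User=jsmith Source=192.0.2.10 Port=0
2010-07-05 16:10:00 EventID=529 LogonType=10 User=Administrator Source=198.51.100.4 Port=3999
2010-07-05 18:45:00 EventID=528 LogonType=10 User=Administrator Source=198.51.100.9 Port=4000
"""

LINE = re.compile(r"(?P<ts>\S+ \S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
                  r"User=(?P<user>\S+) Source=(?P<src>\S+) Port=\d+")

def remote_failures(text):
    """Yield (time, source, user) for failed (529) remote interactive (type 10) logons."""
    for m in map(LINE.match, text.splitlines()):
        if m and m["eid"] == "529" and m["lt"] == "10":
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["src"], m["user"].lower()

def guessing_sources(text, window=timedelta(minutes=5), min_attempts=5, min_users=3):
    """Return {source: (attempts, users)} for the largest qualifying burst per source."""
    by_src = defaultdict(list)
    for ts, src, user in remote_failures(text):
        by_src[src].append((ts, user))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the burst fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            burst = events[start:end + 1]
            users = {u for _, u in burst}
            if len(burst) >= min_attempts and len(users) >= min_users:
                if len(burst) > flagged.get(src, (0, set()))[0]:
                    flagged[src] = (len(burst), users)
    return {s: (n, sorted(u)) for s, (n, u) in flagged.items()}

if __name__ == "__main__":
    for src, (n, users) in guessing_sources(SAMPLE_LOG).items():
        print(f"{src}: {n} failures in window, users tried: {', '.join(users)}")
```

A source that tries many different user names within minutes, most of which do not exist in AD, matches password guessing against the remote logon service rather than a single misconfigured client.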