Hi there
I seem to be having a security issue with my server. I am running SBS 2003.
The issue is that when I check my event logs the security section is reporting a Failure Audit almost ever 90 seconds.
The Failure Audits report the username used, the type of login used and the network source IP among other thing.
The network source IP is always the same. The source is a local machine on my network. If I go through the 529 errors, the username is the same around 20 times, then the username changes, 20 times, changes etc.
I am yet to get into work to run some thorough tests on the offending machine.
The offending machine is a diagnostic laptop used for repair at our business. We have 2 of these machines.
The strange part is, the 529 errors were being reported from laptop X until I shut it down remotely. Shortly after this, laptop Y became the offender of the 529 errors.
It is effecting some of our users as we have a password lockout policy in place. So the offending machine unsuccessfully logs in to a user account until it is locked out, which in turn creates issues for the user.
I am thinking is it possible that this activity is somehow normal, or there is some known process on the windows machine that could be triggering this.