Server Report Event listed

[Guest Catherine]

Hi

 

We have an SBS 2003 R2 server, and the server performance report has listed

the following critical error in the security log:

 

Event ID 529 Total Occurences: 38,514

 

Logon Failure:

Reason: unknown user name or bad password

User name: (one of our staffers)

Logon Type: 3

Logon Process: NtLmSsp

Authentication package: NTLM

Workstation Name: (staffers PC)

Caller User Name: -

Caller Domain: -

Caller Logon ID: -

Caller Process ID: -

Transited Services: -

Source Network Address (staffers IP address)

Source Port: 1460

 

I am not responsible for this server yet, but it will be handed over to me

in a few weeks. We have several users who use RWW, but this staffer is not

one of them. We also have a Sonic firewall, which has not shown any

intrusion alerts. I am wondering if this is a hack attempt, as this account

has been showing similar activity the last few weeks, but nothing of this

scale, or would it be a programme on the PC trying to contact the server for

updates (just guessing)? Any suggestions or pointers will be gratefully

received! BTW, I have only discovered this person NEVER powers down their PC

and sometimes has problems with their password being accepted, esp. when the

password policy cycles down to a new password changeover.

 

Thanks

 

Catherine