Account Lockout (Event ID: 539) Alert message



Hello,

All of a sudden I've been getting a bunch of messages emailed to me from my
SBS box with a subject just like the subject of this post.

My problem is, I can't determine the source of the attempted logons to my
user account!

I review the SBS event security log and I see the failed logs but they do
not contain any info as to the source.

It seems as though this event is triggered and logged roughly every two
hours. It looks like the event is logged 5 or 6 times when the illegal
login takes place, which causes the account lockout event.

I'll post the SBS generated email below as well as a copy from one of the
actual event logs.
My question is, is there any way possible to figure out the source that is
causing these errors?
Some type of logging I can turn on?

I have blocked ALL public access to the SBS box from the public internet but
the errors continue.
This tells me that it is from the LAN side of my firewall.

Here are the error message email as well as a copy of the event log.
Thanks for any suggestions!
Adam

SBS generated email:

thread-index: AcYg2wA4f5D2HtXlTmSLUsfrAOWkYg==
Thread-Topic: Account Lockout (Event ID: 539) Alert on WX98
From: "WX98" <macoone@xxxxxxxxxxxxxxxx>
To: <adam@xxxxxxxxxxxxxxxx>
Cc:
Bcc:
Subject: Account Lockout (Event ID: 539) Alert on WX98
Date: Tue, 24 Jan 2006 05:40:40 -0600
X-Mailer: Microsoft CDO for Exchange 2000
Priority: normal
X-OriginalArrivalTime: 24 Jan 2006 11:40:40.0039 (UTC)
FILETIME=[003A5F70:01C620DB]


Alert on WX98 at 1/24/2006 5:40:39 AM


An account was locked out due to multiple failed logon attempts that
occurred in a short period of time. This may occur if an unauthorized user
attempts to gain access to the network.


For more information about this event, see the event logs on the server
computer.


You can disable this alert by using the Change Alert Notifications task in
the Server Management Monitoring and Reporting taskpad.

And the Security Event Log for this event:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 539
Date: 1/24/2006
Time: 05:45:35
User: NT AUTHORITY\SYSTEM
Computer: WX98
Description:
Logon Failure:
Reason: Account locked out
User Name: steve
Domain: MISSILEKRUSE
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: WX98
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -


