RE: security logon failures

HI Jacky ,
Thanks again for your info. I look at the network source address and it did
not show anything, on other security logon failure there is a netowrk source
address which I can follow. Yes the server is sbsntsrv2 and i am the only one
who can access it and remote desktop is disabled. Do you anything about the
logon advapi which is showing up under failure, somebody said that this coudl
signify a virus? What do you think?
--
Paploo77


""Jacky Luo [MSFT]"" wrote:

Hi Paploo77,

Thank you for your reply. Sorry for the delay in getting back due to the
weekend.

I have checked your file you sent to me, I must confirm with you whether
SBSNTSRV2 is your only server, If so, As you said, the only one who can
access the server is yourself, there is another possibility that your
server have remote desktop enabled and one or multiple client computer are
attempting to logon your server by remote desktop, please check if your
server have remote desktop enabled, to do so:

1.right-click my computer on desktop
2.click properties
3.check if "enable remote desktop on this computer" get ticked

You can uncheck it according to your own requirement. And if the current
case is that remote desktop have been enabled, you can go to the security
log to check the failure audit event, although workstation name are all
SBSNTSRV2, but you must find out another field named "network source
address", It recorded the IP address of the client computer which are
attempting to logon your server, so as long as you find out the IP address
of the client computer, then you can find the suspicious culprit.

Hope this helps.

If there is anything unclear, please feel free to let me know. I am pleased
to be of assistance and look forward to your reply.


Best regards,

Jacky Luo (MSFT)
Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security
====================================================
PLEASE NOTE: The partner managed newsgroups are provided to
assist with break/fix issues and simple how to questions.
We also love to hear your product feedback! Let us know what you think by
posting

from the web interface: Partner Feedback
from your newsreader: microsoft.private.directaccess.partnerfeedback.

We look forward to hearing from you!
====================================================
When responding to posts, please "Reply to Group" via your newsreader
so that others may learn and benefit from this issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


.

Loading