"bestbapu" <(E-Mail Removed)> wrote in message
news:EC51C71C-7ADB-4420-9D87-(E-Mail Removed)...
> This message appears numerous times from 2:03 pm until 2:08 PM.
>
> The server was unable to logon the Windows NT account 'Administrator' due to
> the following error: Logon failure: unknown user name or bad password. The
> data is the error code.
>
> Does this mean that someone is trying to break into my domain?
There are three possibilities:

1. Someone is trying to brute-force guess the administrator password.
2. Someone thinks that they already know the administrator password and is
trying it frequently.
3. Both 1 and 2 apply.

Now, possibility 2 may not be a big problem - perhaps there's an automated
(scheduled?) process, or a service, that is configured to log on to the
administrator account using a password that has since been changed.

Possibility 1 is only a big problem if you think that your administrator
password can be guessed. If you have created a strong password / passphrase,
then it really doesn't matter much how often they brute-force guess, they're
only taking up a small amount of processing.

Check the event logs to see where the connection attempts are coming from,
to deduce whether this is an internal problem with an expired password being
used or an external attack. If it's external, it's up to you whether to try
and take action against the attacker, presumably by blocking access, and
perhaps by contacting their administrator to have them disconnected.

> This is a multihomed computer with WAN and LAN addresses.
>
> What should I do about this?
My advice would be to keep your administrator account set with a strong /
long password, to block the IP address this is coming from if it's a single
source, to trace it to make sure that it's not internal malarkey or a
service / scheduled job that needs updating. Monitor for other unexpected
accesses if this is part of a pattern, but if this is the extent of the
attack, don't worry. They'll knock on someone else's door when yours fails
to open.
Alun.
~~~~
--
Texas Imperial Software | Web: http://www.wftpd.com/
23921 57th Ave SE | Blog: http://msmvps.com/alunj/
Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
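
An added example, not part of the original post: one way to do the "where are the attempts coming from" check described in the reply, once the failed-logon records have been exported as time, account and source address. The CSV layout, the LAN subnet and every sample value below are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumption: the LAN side of the multihomed server is 192.168.1.0/24.
LAN_NETS = [ipaddress.ip_network("192.168.1.0/24"),
            ipaddress.ip_network("127.0.0.0/8")]

# Constructed sample export: time, account, source address.
SAMPLE = """\
2005-03-01 14:03:02,Administrator,203.0.113.45
2005-03-01 14:03:04,Administrator,203.0.113.45
2005-03-01 14:03:05,Administrator,203.0.113.45
2005-03-01 14:03:09,Administrator,203.0.113.45
2005-03-01 14:05:00,Administrator,192.168.1.20
2005-03-01 14:07:58,Administrator,203.0.113.45
"""

def parse(text):
    """Turn the exported lines into (datetime, account, ip_address) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, account, src = [f.strip() for f in line.split(",")]
        rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                     account, ipaddress.ip_address(src)))
    return rows

def summarize(rows, lan_nets=LAN_NETS):
    """Group failures by source and label each source internal or external."""
    by_src = defaultdict(list)
    for ts, _account, src in rows:
        by_src[src].append(ts)
    report = {}
    for src, times in by_src.items():
        times.sort()
        internal = any(src in net for net in lan_nets)
        report[str(src)] = {
            "origin": "internal" if internal else "external",
            "attempts": len(times),
            "span_seconds": (times[-1] - times[0]).total_seconds(),
        }
    return report

def next_step(entry):
    """Map a source to the follow-up the reply suggests for it."""
    if entry["origin"] == "internal":
        return "look for a service or scheduled job using an old password"
    return "consider blocking this address on the WAN side"

if __name__ == "__main__":
    for src, entry in summarize(parse(SAMPLE)).items():
        print(src, entry, "->", next_step(entry))
```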