Event 529 and 680 - Would like to trace source of failed Logon attempts
I am trying to track down the source of around 500 login failures every day that I am seeing in our security event log (see the 2 event logs below). I am trying to determine if these are originating from inside our network or outside. What annoys me is that there is never a source IP address in these events which I can use to trace it. MERCURY is the server which is being targeted; it's Win 2003 R2 SP2 and belongs to a WORKGROUP, not part of a domain. Any advice on how to track this down, or an explanation of what I am seeing here, would be greatly appreciated. Thanks!

Event ID 529
Logon Failure:
Reason: Unknown user name or bad password
User Name: WCUser
Domain:
Logon Type: 2
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: MERCURY
Caller User Name: NETWORK SERVICE
Caller Domain: NT AUTHORITY
Caller Logon ID: (0x0,0x3E4)
Caller Process ID: 3724
Transited Services: -
Source Network Address: -
Source Port: -

Event 680
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: WCUser
Source Workstation: MERCURY
Error Code: 0xC0000064
December 24th, 2010 12:12pm

This message appeared when someone tried to log on to Mercury as WCUser interactively (from the computer console, not through Terminal Services or other remote access services, such as RRAS or SMB). Therefore it obviously doesn't include a Source Network Address, because this computer's address should be well-known. Here is a little note with useful Logon Type values:

2 – Interactive. The security principal is logging on interactively.
3 – Network (SMB). The security principal is logging on using a network.
4 – Batch (scheduled task). The logon is for a batch process.
5 – Service. The logon is for a service account (service starts).
6 – Proxy. Not supported.
7 – Unlock. The logon is an attempt to unlock a workstation.
8 – NetworkCleartext. The logon is a network logon with plaintext credentials (such as Basic Authentication in IIS).
9 – NewCredentials. Allows the caller to clone its current token and specify new credentials for outbound connections. The new logon session has the same local identity but uses different credentials for other network connections (credential delegation).
10 – RemoteInteractive (Terminal Services). A terminal server session that is both remote and interactive.
11 – CachedInteractive (offline DC). Attempt to use the cached credentials without going out across the network.
12 – CachedRemoteInteractive. Same as RemoteInteractive, except used internally for auditing purposes.
13 – CachedUnlock. The logon is an attempt to unlock a workstation.

http://en-us.sysadmins.lv
December 24th, 2010 3:14pm
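The question and the reply above both turn on reading the 529/680 fields correctly, so here is an added triage helper (not code from any poster) that parses the flattened 529 text quoted in the question, maps the Logon Type number to the meanings listed in the reply, decodes the 680 error code, and states whether the attempt came in over the network or was made by a process on the audited host. Two facts it relies on: a Logon Process of "Advapi" means a program called the LogonUser API on that machine, so the Caller Process ID and the account in Caller Domain\Caller User Name identify the origin rather than a network address; and 680 error code 0xC0000064 is the NTSTATUS value STATUS_NO_SUCH_USER. The PID-to-image table is a constructed placeholder standing in for a process list captured while the events are firing.

```python
"""Triage helper for the 529/680 pair quoted in the question. Added example,
not code from any poster. It splits the flattened 529 text into fields, maps
Logon Type to the meanings listed in the reply, decodes the 680 error code,
and states whether the attempt arrived over the network or was made by a
process on the audited host itself. PROCESS_SNAPSHOT is a constructed
placeholder for a process list captured when the events fire."""
import re

# Logon Type meanings as enumerated in the reply (type 6 is unsupported, so omitted).
LOGON_TYPES = {
    2: "Interactive", 3: "Network (SMB)", 4: "Batch (scheduled task)",
    5: "Service", 7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
    10: "RemoteInteractive (Terminal Services)", 11: "CachedInteractive",
    12: "CachedRemoteInteractive", 13: "CachedUnlock",
}

# NTSTATUS values that event 680 reports in its Error Code field.
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",    # the account name does not exist here
    0xC000006A: "STATUS_WRONG_PASSWORD",  # the account exists, password wrong
}

# Field labels of a 529 event, in the order Windows 2003 writes them.
FIELDS_529 = [
    "Reason", "User Name", "Domain", "Logon Type", "Logon Process",
    "Authentication Package", "Workstation Name", "Caller User Name",
    "Caller Domain", "Caller Logon ID", "Caller Process ID",
    "Transited Services", "Source Network Address", "Source Port",
]
_LABELS = "|".join(re.escape(f) for f in FIELDS_529)
# A value runs from its label up to the next known label (or the end of text),
# which is what lets an empty field such as "Domain:" parse as "".
_FIELD_RE = re.compile(r"(%s):\s*(.*?)\s*(?=(?:%s):|$)" % (_LABELS, _LABELS))

# The 529 body exactly as flattened in the original post.
SAMPLE_529 = (
    "Logon Failure: Reason: Unknown user name or bad password User Name: WCUser "
    "Domain: Logon Type: 2 Logon Process: Advapi Authentication Package: "
    "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name: MERCURY "
    "Caller User Name: NETWORK SERVICE Caller Domain: NT AUTHORITY "
    "Caller Logon ID: (0x0,0x3E4) Caller Process ID: 3724 Transited Services: - "
    "Source Network Address: - Source Port: -"
)

# Constructed placeholder: PID -> image name, as a process list taken at event time would show.
PROCESS_SNAPSHOT = {3724: "hypothetical_app.exe"}


def parse_529(text):
    """Return {label: value}; Windows writes '-' for an unset field, so map it to ''."""
    fields = {m.group(1): m.group(2) for m in _FIELD_RE.finditer(text)}
    return {k: ("" if v == "-" else v) for k, v in fields.items()}


def decode_680_error(code):
    """Map the hex Error Code of a 680 event to its NTSTATUS name."""
    return NTSTATUS.get(int(code, 16), "unknown NTSTATUS %s" % code)


def classify(fields, snapshot):
    """Describe where the attempt came from. A filled-in Source Network
    Address means a network logon. Logon Process 'Advapi' means a program
    called the LogonUser API on this host, so the Caller Process ID and the
    account it ran under (Caller Domain\\Caller User Name) locate the origin."""
    ltype = int(fields["Logon Type"])
    kind = LOGON_TYPES.get(ltype, "unknown")
    if fields.get("Source Network Address"):
        return "remote: from %s, logon type %d (%s)" % (
            fields["Source Network Address"], ltype, kind)
    if fields.get("Logon Process") == "Advapi":
        pid = int(fields["Caller Process ID"])
        image = snapshot.get(pid, "not in snapshot; capture a process list while events fire")
        return "local API call: PID %d (%s) running as %s\\%s, logon type %d (%s)" % (
            pid, image, fields["Caller Domain"], fields["Caller User Name"], ltype, kind)
    return "no source recorded, logon type %d (%s)" % (ltype, kind)


if __name__ == "__main__":
    f = parse_529(SAMPLE_529)
    print(classify(f, PROCESS_SNAPSHOT))
    print("680 error:", decode_680_error("0xC0000064"))
```

Run against the quoted event, the verdict is "local API call: PID 3724 ... running as NT AUTHORITY\NETWORK SERVICE", which is why the Source Network Address stays empty: the thing to identify is whatever process held PID 3724 on MERCURY at the moment the event was written, and PIDs are only meaningful alongside a process list taken at the same time.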

I have really appreciated your time and response; it looks really good to me, but there are still more questions in my mind. One thing which is my bad: I miscalculated the failed attempts; they are around 1500 every day instead of 500. I don't know if someone can attempt consistently this many times locally on this server when it's located in a secured area and only 2 people have access to the server room. Is there any utility or software or sniffer that could list all attempts/tasks/processes tied to this account with more detail than the event log, and can be used to narrow it down? It's being considered a security threat in my company and that is the reason I am trying to trace it down, so that I could pinpoint the source and stop it. I could be totally wrong, but it could be a program/task/process/service doing it repeatedly. I don't know if I can trace the source that is triggering it? Any help will be appreciated. Thanks
December 29th, 2010 11:56am

Probably a certain service works under the WCUser account, but the account password was changed, and the service tries to start with the expired password. I would advise checking all services to determine which of them works under the specified account. http://en-us.sysadmins.lv
December 29th, 2010 1:19pm

I checked all services and none of them is configured to use this account. I have also checked to see if any application or software or task scheduler is using this account to perform any task, but this account is not configured anywhere. I am clueless and need some help; there must be a way to find this out. This could be something coming from outside. Any idea to pinpoint it, please?
January 3rd, 2011 10:05am

I was having this exact same issue and I just solved it! For me, I was getting four 529 events and four 680 events every 30 seconds...forever. So about 11,500 events per day. The issue was this: a PC had recently changed domains and the events were being logged on the Domain Controller of the OLD domain. It turns out the PC still had shared network printers from the OLD domain installed. These printers were offline on the PC and, presumably, were trying to reconnect every 30 seconds. I removed the printers from the PC and the events stopped immediately. Cause: the PC was using its NEW domain/credentials to try to connect to the OLD domain's print server, which it no longer had access to. This generated the 529 and 680 events on the Domain Controller. I presume other network shares could cause the same issue as well. Anything that was once shared and accessed under a specific account over the network, but now is trying to use a different account, could be a potential culprit. Hope this helps someone!
May 19th, 2011 5:38pm
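The pattern the last reply describes, four 529/680 pairs every 30 seconds, is the signature of an automated client retrying on a timer rather than a person typing passwords, and the timing alone can tell the two apart before the source is known. The following added example (not code from any poster) summarises the rhythm of a set of failure timestamps: how many events share one second, the dominant gap between bursts, how regular that gap is, and what the rhythm projects to per day. The timestamps are constructed to match the reply's description; in practice they come from the event times in the Security log.

```python
"""Checks whether a run of logon failures is machine-paced, as in the last
reply (four 529/680 pairs every 30 seconds). Added example, not code from any
poster. The timestamps are constructed to match that description."""
from collections import Counter
from datetime import datetime, timedelta


def constructed_failures(start, bursts, burst_size, period_s):
    """Constructed sample: `burst_size` failures stamped in the same second,
    repeated every `period_s` seconds."""
    return [start + timedelta(seconds=period_s * i)
            for i in range(bursts) for _ in range(burst_size)]


def periodicity(timestamps):
    """Summarise the timing pattern of failure events.
    burst_size: most events sharing one second (several stale connections
    retrying together); period_s: the most common gap between distinct
    seconds; regular_fraction: share of gaps equal to that period;
    projected_per_day: what that rhythm yields over 24 hours."""
    per_second = Counter(timestamps)
    seconds = sorted(per_second)
    if len(seconds) < 2:
        return None
    gaps = Counter(int((b - a).total_seconds()) for a, b in zip(seconds, seconds[1:]))
    period_s, hits = gaps.most_common(1)[0]
    fraction = hits / (len(seconds) - 1)
    burst = max(per_second.values())
    return {
        "burst_size": burst,
        "period_s": period_s,
        "regular_fraction": fraction,
        "projected_per_day": burst * 86400 // period_s,
        "verdict": ("fixed-interval retry, look for an automated client"
                    if fraction >= 0.8
                    else "irregular, consistent with manual or mixed activity"),
    }


START = datetime(2011, 5, 19, 17, 38, 0)  # constructed start time
# Twenty bursts of four failures, 30 seconds apart, as in the reply.
CLEAN = constructed_failures(START, bursts=20, burst_size=4, period_s=30)
# The same pattern plus two one-off attempts at odd seconds.
NOISY = CLEAN + [START + timedelta(seconds=7), START + timedelta(seconds=311)]

if __name__ == "__main__":
    print(periodicity(CLEAN))
    print(periodicity(NOISY))
```

For the clean sample the summary is a burst of 4 every 30 s, projecting to 11,520 events per day, in line with the roughly 11,500 the reply counted; the two stray attempts in the noisy sample lower the regular fraction to about 0.81 without hiding the underlying timer. A burst size above 1 is itself a hint, since it suggests several stale connections (the reply's printers) retrying together.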
