Server 2008 R2, event ID 4625 error with logon type 10
Hello,

We have a client who has a 2008 R2 server that is getting a lot of security audit logs (event id 4625). What's ominous is that the userid listed is "user32." Not sure if this is a potential security attack or not. Some people access this server because it's a Microsoft Dynamics SL server and they would access it using RDP. See the error log below. Thanks!

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 11/5/2011 8:25:52 PM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: SERVERNAME.DOMAIN.com
Description:
An account failed to log on.

Subject:
    Security ID: SYSTEM
    Account Name: SERVERNAME$
    Account Domain: DOMAIN
    Logon ID: 0x3e7

Logon Type: 10

Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: a
    Account Domain: SERVERNAME

Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xc000006d
    Sub Status: 0xc0000064

Process Information:
    Caller Process ID: 0x110c
    Caller Process Name: C:\Windows\System32\winlogon.exe

Network Information:
    Workstation Name: SERVERNAME
    Source Network Address: 168.93.99.245
    Source Port: 2034

Detailed Authentication Information:
    Logon Process: User32
    Authentication Package: Negotiate
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0
November 14th, 2011 3:59pm

Somebody tries to log in as user "a". If the IP subnet 168.93.99.xx is not within your trusted network, you might be under attack. To prevent attacks like this, you can simply install an intelligent intrusion detection and defense software like Cyberarms Intrusion Detection. You can download a free edition here: https://cyberarms.net/intrusion-detection/free-download.aspx This should help you block attackers after some tries.

Max
June 29th, 2012 10:19pm
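
A triage sketch for the check discussed in this thread, added here as an example and not taken from either post: it reads 4625 events saved as text, keeps Logon Type 10 (RDP) failures, and groups them by Source Network Address. The trusted range, the threshold and the sample events (documentation addresses) are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

NO_SUCH_USER = "0xc0000064"  # Sub Status: the account name does not exist
EVENT_RE = re.compile(r"Event ID:\s*(\d+)(.*?)(?=Event ID:|\Z)", re.S)
FIELDS = {
    "logon_type": re.compile(r"Logon Type:\s*(\d+)"),
    # Subject also carries an Account Name; take the one after this header.
    "target": re.compile(
        r"Account For Which Logon Failed:.*?Account Name:[ \t]*(\S*)", re.S),
    "substatus": re.compile(r"Sub Status:\s*(0x[0-9a-fA-F]+)"),
    "source": re.compile(r"Source Network Address:\s*(\S+)"),
}

def failed_rdp_logons(text):
    """Yield one dict per 4625 event with Logon Type 10 (RemoteInteractive)."""
    for event_id, body in EVENT_RE.findall(text):
        rec = {k: (m.group(1) if (m := rx.search(body)) else "")
               for k, rx in FIELDS.items()}
        if event_id == "4625" and rec["logon_type"] == "10":
            yield rec

def summarize(text, trusted=("10.0.0.0/8",), threshold=3):
    """Group failures by source; flag untrusted sources at or over threshold."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    by_src = defaultdict(
        lambda: {"attempts": 0, "accounts": set(), "no_such_user": 0})
    for rec in failed_rdp_logons(text):
        s = by_src[rec["source"]]
        s["attempts"] += 1
        s["accounts"].add(rec["target"])
        s["no_such_user"] += rec["substatus"].lower() == NO_SUCH_USER
    for src, s in by_src.items():
        try:
            inside = any(ipaddress.ip_address(src) in n for n in nets)
        except ValueError:  # "-" or empty when no address was recorded
            inside = False
        s["flag"] = (not inside) and s["attempts"] >= threshold
    return dict(by_src)

def sample_event(user, sub, src, ltype):  # constructed test data, not real logs
    return (f"Event ID: 4625 Subject: Account Name: SERVERNAME$ "
            f"Logon Type: {ltype} Account For Which Logon Failed: "
            f"Account Name: {user} Sub Status: {sub} "
            f"Source Network Address: {src} ")

SAMPLE = "".join(sample_event(*row) for row in [
    ("a", "0xc0000064", "203.0.113.7", 10),
    ("admin", "0xc0000064", "203.0.113.7", 10),
    ("test", "0xC0000064", "203.0.113.7", 10),
    ("jsmith", "0xc000006a", "10.1.2.3", 10),
    ("svc", "0xc000006a", "203.0.113.7", 3)])  # type 3 is not RDP; ignored
```

A source that cycles through several account names, all with Sub Status 0xc0000064, is guessing names rather than mistyping a password; one failure from an internal address with 0xc000006a looks like an ordinary typo.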

This topic is archived. No further replies will be accepted.
