I have a small network with a couple of Windows XP machines experiencing random reboots. When the computer restarts, it comes to the login prompt with 'admin' in the username field, even though the user hasn't logged in as admin.
In my security logs on the server (Windows Server 2003) I noticed a lot of failed login attempts as Administrator. This obviously does not look good.
How can I track down and identify these login attempts? One of the machines has an out of date anti-virus (but that is about to change as I type this), but the other one has regularly been using and updating Norton.
Are there some known network attacks that look like this?
Also, how could I identify these login attempts from the workstation? Would there be a particular process running?
Q. 1 - how do I track down failed logon attempts as administrator on my server? A - if the server is exposed to the internet via RDP or SMB or the like you will see these constantly. If at all possible block unnecessary ports to the Internet especially those that allow interactive logon.
Make sure you are logging failed logon attempts via GPO under Computer Config -> Policies -> Windows Settings -> Security Settings -> Local Policies/Audit Policy. You should enable "success and failure" for at least
* Audit Account logon events.
* Audit logon events
* Audit object access
and "failure" for
* Audit privilege use.
Q. 2 - how do I track down who is logging in as admin on the workstations and/or causing crashes/reboots.
A. Once you roll out audit settings you should be able to track down the source IP in the logs.
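Once the audit policy above is in place, the Security log will hold one failure event per attempt, and the message body of each event carries the workstation name and source network address of the caller. The following PowerShell script is an added example, not code from the original answer or asker; it pulls the failed-logon events for a chosen account from a server's Security log and groups them by source so the offending workstation or Internet host stands out. It assumes PowerShell 2.0 or later is installed (Get-EventLog is the cmdlet that still works against a Windows Server 2003 log; the 529 event ID is the Server 2003 logon-failure event and 4625 is its Server 2008+ equivalent), and the parameter names ($ComputerName, $TargetUser, $Days) are this example's own.

```powershell
# Added example (not part of the original answer): summarise failed logons for one
# account from the Security log and group them by source workstation/address.
# Assumes PowerShell 2.0+ and that failure auditing for logon events is enabled.
# Event IDs: 529 = logon failure (bad user name or password) on Windows Server 2003;
# 4625 = the equivalent event on Windows Server 2008 and later.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # server whose Security log to read
    [string]$TargetUser   = "Administrator",     # account whose failures we want
    [int]$Days            = 7                    # how far back to look
)

$since  = (Get-Date).AddDays(-$Days)
$events = Get-EventLog -LogName Security -ComputerName $ComputerName `
              -After $since -InstanceId 529,4625 -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $msg = $e.Message
    # Keep only failures for the account we care about.
    # Server 2003 labels the field "User Name:", Server 2008+ "Account Name:".
    if ($msg -notmatch "(?m)^\s*(User Name|Account Name):\s*$TargetUser\s*$") { continue }

    # The source fields use the same labels in both event formats.
    $ws   = if ($msg -match "(?m)Workstation Name:\s*(\S+)")       { $Matches[1] } else { "-" }
    $addr = if ($msg -match "(?m)Source Network Address:\s*(\S+)") { $Matches[1] } else { "-" }
    $type = if ($msg -match "(?m)Logon Type:\s*(\d+)")             { $Matches[1] } else { "-" }

    New-Object PSObject -Property @{
        Time        = $e.TimeGenerated
        Workstation = $ws
        Address     = $addr
        LogonType   = $type   # 3 = network (SMB share access), 10 = RDP, 2 = console
    }
}

# Attempts per (workstation, address, logon type). A large count from a single
# internal host points at that machine; a large count from an unknown public
# address means the service is reachable from the Internet and should be blocked.
$rows | Group-Object Workstation, Address, LogonType |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Save it as, for example, FailedLogons.ps1 and run `.\FailedLogons.ps1 -ComputerName SERVER01 -Days 3` from a workstation or the server itself. The logon type column is the quick way to tell the two cases in the answer apart: type 3 entries with an internal workstation name are a client on the LAN (a worm or a mis-saved credential on that XP box), whereas type 10 or type 3 entries with an unfamiliar source address are what exposed RDP or SMB looks like from the outside.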