We have a small network (fewer than 50 workstations), and I notice in the Security Event Logs of each workstation there will usually be several audit failures. For example:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 3/30/2009
Time: 8:19:25 AM
User: NT AUTHORITY\SYSTEM
Computer: [ComputerName]
Description:
Logon Failure:
    Reason: Unknown user name or bad password
    User Name: [UserName]
    Domain: [ComputerName]
    Logon Type: 2
    Logon Process: Advapi
    Authentication Package: Negotiate
    Workstation Name: [ComputerName]
Seeing several of these events normally would make me think that this was an intrusion attempt, but I am dubious because some of the login failures appear to originate from my own machine at a time when I am using it. I have certainly never tried to break into another computer on the network (especially since I have my own admin account on all of them). It also seems to be random as to which computer the failure originates from. I wonder whether it is possible that some software installed on the machines is scanning the network. Maybe Windows is sending out requests that are denied access by other machines. I have even thought that maybe incorrectly entered user names and passwords from legitimate login attempts are somehow propagating throughout the network.
Is this something common among Windows networks? If so, how do you tell the difference between regular network noise and intrusion attempts?
My network specs:
Peer-to-peer network (no domain or Active Directory)
DNS server uses Windows 2003 R2
Workstations all use Windows XP
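Added example, not part of the original post: a Python sketch that triages exported Event ID 529 records by Logon Type and by whether Workstation Name matches the logging Computer, so that failures generated on the machine itself (Logon Type 2 is an interactive logon) are separated from failures arriving from another host (Logon Type 3 is a network logon). The host names, user names and blank-line-separated export layout are assumptions made for the sample.

```python
from collections import Counter

# Constructed sample records (made-up hosts and users), using the field
# names of the event quoted above; a blank line separates events.
SAMPLE = """\
Event ID: 529
Computer: WS01
User Name: alice
Logon Type: 2
Logon Process: Advapi
Workstation Name: WS01

Event ID: 529
Computer: WS01
User Name: administrator
Logon Type: 3
Logon Process: NtLmSsp
Workstation Name: WS07
"""

LOGON_TYPES = {"2": "interactive", "3": "network", "10": "remote-interactive"}

def parse_events(text):
    """Return one dict of fields per Event ID 529 record in the text."""
    events = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields.get("Event ID") == "529":
            events.append(fields)
    return events

def origin(event):
    """'local' when the source workstation is the machine that logged it.
    Workstation Name is reported by the client, so treat it as a hint."""
    src = event.get("Workstation Name", "").lower()
    return "local" if src and src == event.get("Computer", "").lower() else "remote"

def summarize(events):
    """Count failures per (logging computer, source, logon type, origin)."""
    counts = Counter()
    for e in events:
        kind = LOGON_TYPES.get(e.get("Logon Type"), "other")
        src = e.get("Workstation Name") or "?"
        counts[(e.get("Computer", "?"), src, kind, origin(e))] += 1
    return counts
```
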