Event 4625, many 1,000's of failed login attempts each night; can I auto-block? How do I protect my machine?
Hi,
I'm using Server 2008 R2 Web Edition. Every day when I look at the Event Viewer security logs I see 30-40k of event 4625 failed login attempts. They seem to be coming from several different IPs; when I manually block an IP via Windows Firewall with Advanced Security, within 10-20 mins the same attempts start from a different IP. Below is a sample of one of the Event Viewer entries. I use RDC to access the server remotely, with a dynamic IP. I'm running RDC, SQL Server, IMail (POP3/SMTP) and FTP on the server. Any help is appreciated. I'm thinking of auto-locking out user accounts using the account lockout policy, but I'm afraid that if it locks out the Administrator account and they keep trying, it will prevent me from accessing the server remotely via RDC.
Here is the log:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2010-11-16T14:45:53.956434600Z" />
<EventRecordID>5822261</EventRecordID>
<Correlation />
<Execution ProcessID="556" ThreadID="3472" />
<Channel>Security</Channel>
<Computer>myservername</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">administrator</Data>
<Data Name="TargetDomainName">cl-t213-240cn</Data>
<Data Name="Status">0xc000006d</Data>
<Data Name="FailureReason">%%2313</Data>
<Data Name="SubStatus">0xc000006a</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">NtLmSsp</Data>
<Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="WorkstationName">cl-t213-240cn</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x0</Data>
<Data Name="ProcessName">-</Data>
<Data Name="IpAddress">174.142.192.251</Data>
<Data Name="IpPort">53399</Data>
</EventData>
</Event>
Hi,
To block authentication access from an unknown IP network segment, the best solution is to allow only a specific IP network segment to communicate through the firewall, or to block the unknown IP network segments again and again by checking the event log.
The other two ways you may use to secure the domain are below:
1. Disable the built-in Administrator and create a new domain administrator account with a different user name.
2. Replace and block port 389.
Regards,
Please remember to click "Mark as Answer" on the post that helps you, and click "Unmark as Answer" if a marked post does not answer your question. This can be beneficial to other community members reading the thread.
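As an added example (not code from the thread or from either poster), here is a PowerShell script for the auto-blocking the question asks about: it tallies 4625 events per source IP using the IpAddress field shown in the log above, skips an allow-list of your own management address ranges so the script cannot lock you out, and adds a netsh firewall block rule once an IP passes a threshold. It assumes PowerShell 2.0 and netsh advfirewall as shipped with Server 2008 R2; the allow-list prefix, threshold and rule-name format are placeholders of my own.

```powershell
# Added example, not the thread's own code. Tally event 4625 failures per
# source IP over the last hour and add a Windows Firewall inbound block rule
# for any IP that exceeds the threshold. Run as Administrator from a
# scheduled task (every 10 minutes or so).
$Threshold = 20                        # failures per hour before an IP is blocked
$Since     = (Get-Date).AddHours(-1)
# Address prefixes you manage from; these are never blocked. With a dynamic
# IP, list your ISP's range(s) rather than one address. Placeholder value.
$AllowPrefixes = @('203.0.113.')

function Test-InAllowList([string]$Ip) {
    foreach ($prefix in $AllowPrefixes) {
        if ($Ip.StartsWith($prefix)) { return $true }
    }
    return $false
}

# Pull only 4625 events from the Security log since $Since.
$events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$Since} `
          -ErrorAction SilentlyContinue
$counts = @{}
foreach ($e in $events) {
    # Read the IpAddress element from the same EventData shown in the question.
    $xml = [xml]$e.ToXml()
    $ip  = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
    if (-not $ip -or $ip -eq '-' -or (Test-InAllowList $ip)) { continue }
    $counts[$ip] = 1 + $counts[$ip]   # $null + 1 = 1 on first sight
}

foreach ($ip in $counts.Keys) {
    if ($counts[$ip] -lt $Threshold) { continue }
    $name = "AutoBlock4625_$ip"        # no spaces, so netsh needs no extra quoting
    # Skip IPs that already have a rule (netsh returns a non-zero exit code when none match).
    netsh advfirewall firewall show rule name=$name 2>$null | Out-Null
    if ($LASTEXITCODE -eq 0) { continue }
    netsh advfirewall firewall add rule name=$name dir=in action=block remoteip=$ip | Out-Null
    Write-Host ("{0}: {1} failures in the last hour, blocked" -f $ip, $counts[$ip])
}
```

Rules added this way accumulate; delete stale ones with `netsh advfirewall firewall delete rule name=AutoBlock4625_<ip>` or extend the script to expire them after a day.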