I am getting repeated Event ID 4625 - Audit Failures on my Exchange server:
An account failed to log on.
Subject:
Security ID: NETWORK SERVICE
Account Name: EXCHANGE2$
Account Domain: xxxx
Logon ID: 0x3e4
Logon Type: 8
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: backupexec
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064
Process Information:
Caller Process ID: 0xdb8
Caller Process Name: C:\Program Files\Microsoft\Exchange Server\V14\Bin\EdgeTransport.exe
Network Information:
Workstation Name: EXCHANGE2
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
They'll cycle through with names like Admin, Administrator, BackupExec, etc. I have thousands of them.
While they don't appear to be even close to gaining access, they're wasting bandwidth and cpu cycles. I don't see anywhere to get the IP they're coming from to block it. Any quick way to shut this down?
Thanks for any advice.