I am getting constant event 4625 messages saying that accounts are failing to log in with non-existent usernames. Names such as SALES, USER, TEST, HELPDESK, SUPPORT, PROGRAMMER are not users of ours, but we are getting 20 or so messages every minute saying accounts such as these are trying to log in. I can only conclude that this must be a brute force attack. I have already made sure that RDP is NOT publicly accessible. I can tell that these are coming from outside of the domain because NTLM is stopping it; however, I cannot blacklist IPs because Network Information is blank in the event messages. What should I do in this situation?

An account failed to log on.

Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: POSTERMINAL1
    Account Domain:

Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xC000006D
    Sub Status: 0xC0000064

Process Information:
    Caller Process ID: 0x0
    Caller Process Name: -

Network Information:
    Workstation Name:
    Source Network Address: -
    Source Port: -
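
One way to triage the events quoted above, as an added example that is not part of the original post: a PowerShell summary of recent 4625 events by attempted account name, failure sub status, and whether any source address was recorded. The one-hour window and the variable names are assumptions; the EventData field names are those of the standard 4625 event.

```powershell
# Added example (not from the original post): summarise recent 4625 events.
# Run in an elevated PowerShell session on the host that logs the failures.
$since = (Get-Date).AddHours(-1)   # assumed look-back window

# NTSTATUS sub status codes; 0xC0000064 is the one in the event above.
$subStatusText = @{
    '0xc0000064' = 'User name does not exist'
    '0xc000006a' = 'User name is correct, password is wrong'
    '0xc000006d' = 'Bad user name or authentication information'
    '0xc0000072' = 'Account is disabled'
    '0xc0000234' = 'Account is locked out'
}

$filter = @{ LogName = 'Security'; Id = 4625; StartTime = $since }
$rows = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # EventData is a flat list of <Data Name="...">value</Data> elements.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        $sub = "$($data['SubStatus'])".ToLower()
        $ip  = "$($data['IpAddress'])"
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = $data['TargetUserName']
            LogonType   = $data['LogonType']
            AuthPackage = $data['AuthenticationPackageName']
            Workstation = $data['WorkstationName']
            SourceIp    = $ip
            HasSource   = -not ([string]::IsNullOrWhiteSpace($ip) -or $ip -eq '-')
            Meaning     = if ($subStatusText.ContainsKey($sub)) { $subStatusText[$sub] } else { "Other ($sub)" }
        }
    }

# Which account names are being tried, and why each attempt failed.
$rows | Group-Object Account, Meaning | Sort-Object Count -Descending |
    Select-Object Count, Name -First 20 | Format-Table -AutoSize

# How many failures carry a source address, split by logon type and package.
$rows | Group-Object LogonType, AuthPackage, HasSource |
    Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize

# Any rows that do record a workstation name or address, most recent first.
$rows | Where-Object { $_.HasSource -or $_.Workstation } |
    Sort-Object Time -Descending |
    Select-Object Time, Account, Workstation, SourceIp -First 20 | Format-Table -AutoSize
```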