OK, I'll be the first to admit that I don't know Windows logs all that well, nor do I completely understand IIS users. So here is the setup and the strangeness that I am seeing.

I have two RSA ACE servers running on my network; both of them are Windows 2000 and configured in the exact same way. I also have two SNA boxes that are running on my network; both of them are also Windows 2000 and both of them are configured in the same way.

Well, lately in my replica ACE box (backup server) I have been seeing the two SNA boxes attempting to connect with a disabled IIS user account. I have /no/ idea why they are doing this, and no one else here can figure it out. Here is a sanitized log example of what I'm seeing.

Code:
SEC,6/15/2005,12:32:28,Security,531,Failure,Logon/Logoff ,NT AUTHORITY\SYSTEM,BACKUP-ACE,Logon Failure:^`   Reason:         Account currently disabled^`        User Name:      IUSR_BACKUPSNA1^`       Domain:         BACKUP-ACE^`        Logon Type:     3^`     Logon Process:      IIS     ^`      Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0^`         Workstation Name:       BACKUP-ACE

SEC,6/15/2005,11:46:18,Security,531,Failure,Logon/Logoff ,NT AUTHORITY\SYSTEM,BACKUP-ACE,Logon Failure:^`   Reason:         Account currently disabled^`        User Name:      IUSR_PRIMARYSNA1^`       Domain:         BACKUP-ACE^`        Logon Type:     3^`     Logon Process:      IIS     ^`      Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0^`         Workstation Name:       BACKUP-ACE

This type of activity is only seen on my backup ACE server and not the primary. The user accounts that are listed do /not/ exist either in IIS or on the server, and it is my understanding that the name that is used, "IUSR_PRIMARYSNA1", is created from the NetBIOS name of where the IIS user is attempting to come from... is that correct? Why is Windows reporting this as a disabled user account instead of the standard "bad username/password"? Does anyone have a thought as to why the SNA boxes are trying to log in to this server via IIS?

These SNA servers, and the ACE servers, exist in a private frame network so I'm not too concerned about a compromise on them... besides, Snort hasn't seen anything of interest happening on that network in ages.
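
Added example, not part of the original post: a Python sketch that rejoins hard-wrapped records like the two quoted above, splits the description on its ^` separators into named fields, and counts event 531 failures per account, noting whether the Workstation Name field matches the reporting host. The function names are hypothetical, and the assumption that every record starts with "SEC," is taken only from the two records in the post.

```python
from collections import Counter

HEADER = ["log", "date", "time", "source", "event_id", "type",
          "category", "user", "computer"]

# Constructed sample: the post's two records, wrapped mid-word as they were pasted.
SAMPLE = r"""SEC,6/15/2005,12:32:28,Security,531,Failure,Logon/Logoff ,NT AUTHORITY\SYSTEM,BACKUP-ACE,Logon Failure:^`   Reason:         Acco
unt currently disabled^`        User Name:      IUSR_BACKUPSNA1^`       Domain:         BACKUP-ACE^`        Logon Type:     3^`     Logo
n Process:      IIS     ^`      Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0^`         Workstation Name:       BACKUP-ACE

SEC,6/15/2005,11:46:18,Security,531,Failure,Logon/Logoff ,NT AUTHORITY\SYSTEM,BACKUP-ACE,Logon Failure:^`   Reason:         Acco
unt currently disabled^`        User Name:      IUSR_PRIMARYSNA1^`       Domain:         BACKUP-ACE^`        Logon Type:     3^`     Logo
n Process:      IIS     ^`      Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0^`         Workstation Name:       BACKUP-ACE
"""

def rejoin(text):
    """Undo hard wraps: 'SEC,' starts a record (assumption), other lines continue it."""
    records = []
    for line in text.splitlines():
        if line.startswith("SEC,"):
            records.append(line)
        elif line.strip() and records:
            records[-1] += line          # wrapped mid-word, so join with no separator
    return records

def parse_record(record):
    """Return the nine header columns plus the 'Name: value' pairs of the description."""
    parts = record.split(",", len(HEADER))
    if len(parts) != len(HEADER) + 1:
        raise ValueError("unexpected column count: %r" % record[:40])
    rec = dict(zip(HEADER, (p.strip() for p in parts)))
    for chunk in parts[-1].split("^`"):
        name, sep, value = chunk.partition(":")
        if sep and value.strip():        # skips the bare "Logon Failure:" title
            rec[name.strip()] = value.strip()
    return rec

def disabled_logons(text):
    """Count event 531 failures per (account, logon process, workstation == reporting host)."""
    counts = Counter()
    for rec in map(parse_record, rejoin(text)):
        if rec["event_id"] == "531" and rec["type"] == "Failure":
            local = rec.get("Workstation Name") == rec["computer"]
            counts[(rec.get("User Name"), rec.get("Logon Process"), local)] += 1
    return counts

if __name__ == "__main__":
    for (account, process, local), n in disabled_logons(SAMPLE).items():
        print(n, account, process, "workstation == reporting host" if local else "other workstation")
```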