Logging Failed Log-in Attempts
This will show you how to set up Windows Server 2003 to log failed attempts at logging into the system, along with the failed passwords, etc.
Click Start then Run..
In the Run box type "gpedit.msc"
Under Computer Configuration Click the + next to Windows Settings, then Security Settings, Local Policies, and click Audit Policy
Double click Audit account logon events, make sure success is checked, then check failure also
Do the same for Audit logon events
Now, any unsuccessful log-ins will be shown in the Security section of the Event Viewer. The following information about the log-in failure will be displayed:
Domain (or computer name if no domain is present)
Caller User Name
Caller Domain (or workgroup)
Caller Logon ID
Caller Process ID
Source Network Address
If you notice this repeatedly from the same computer (it shows the workstation
name and IP) then you can take appropriate actions.