Yesterday it was discovered the SBS2003 server was accessible from the Internet for a remote desktop connection on the default port. This was discovered because the administrator was sent an email about event 539 "An account was locked out due to multiple failed logon attempts...". As a result someone had been trying to login about every 10 seconds. Happily they were not successfull. The rule in the firewall appliance allowing RDC to the server has been removed. No one can remember when or why the rule was created.
My question is did the hacker finally make too many attempts using the same legimate account. Seems unllikely with so many attempts this did not occur before. Did the server fail to send the email notice previously? Also can SBS2003 alert you if someone tries to login repeatedly using an account that does not exist like say admin or supervisor?
Thanks,
John