It is fairly easy to log the source IP address of a connection with network sniffing devices and the logs that are available on managed switches. Windows servers can be configured to audit object access so you can see when logon attempts occur.
You should set your password policies in the domain to lock accounts after a certain number of attempts. I recommend three attempts as a threshold. You should also configure the policy to reset the account after 15 minutes (less administrative overhead). This is the best practice for protecting yourself from dictionary attacks and password guessing.
Password guessing/dictionary attacks are really just one of many security issues you face as a Microsoft Exchange administrator. If you are very serious about protecting your Exchange servers from internal attacks, you might want to consider using an ISA server to control even internal access. ISA includes built-in intrusion detection settings that could also be beneficial to you.
For bonus reading, search the Internet for behavior-based intrusion detection systems. These systems learn your network behavior and then take actions when something like a dictionary attack begins -- like quarantining the source IP/MAC address.
Do you have comments on this Ask the Expert Q&A? Let us know.
Related information from SearchExchange.com:
Dig Deeper on Exchange Server setup and troubleshooting
Related Q&A from Richard Luckett
Some folders in a mailbox on Exchange Server 2013 are not showing up on the folder list in the OWA virtual directory but do appear in other views. Continue Reading
We have a Client Access Server and Mailbox Server on Exchange 2013 and we want to install an Edge Transport role on another machine. I joined the ... Continue Reading
How can I enable Outlook Anywhere to allow internal use for all users and external use for only some users in Exchange 2013? Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.