It is fairly easy to log the source IP address of a connection with network sniffing devices and the logs that are available on managed switches. Windows servers can be configured to audit object access so you can see when logon attempts occur.
You should set your password policies in the domain to lock accounts after a certain number of attempts. I recommend three attempts as a threshold. You should also configure the policy to reset the account after 15 minutes (less administrative overhead). This is the best practice for protecting yourself from dictionary attacks and password guessing.
Password guessing/dictionary attacks are really just one of many security issues you face as a Microsoft Exchange administrator. If you are very serious about protecting your Exchange servers from internal attacks, you might want to consider using an ISA Server to control even internal access. ISA Server includes built-in intrusion detection settings that could also be beneficial to you.
For bonus reading, search the Internet for behavior-based intrusion detection systems. These systems learn your network behavior and then take actions when something like a dictionary attack begins -- like quarantining the source IP/MAC address.
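As an added example (not part of the original column or of any Microsoft tool), the Python script below applies the numbers recommended above to a constructed, simplified export of failed-logon audit records: three failures within 15 minutes counted per account, which is the view the domain lockout policy enforces, and the same count taken per source IP, which is the view a behavior-based intrusion detection system would use to decide that a host should be quarantined. The pipe-delimited record layout, the account names, the addresses and the timestamps are all invented for the example; a real Security log export carries more fields and a different layout, so the parser would need adjusting before use on live data.

```python
"""Flag password-guessing bursts in failed-logon audit records.

Added example, not the column's own code. Records are a constructed,
simplified pipe-delimited export (timestamp | event | account | source IP
| status); a real Windows Security log export looks different.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds mirror the policy recommended above: lock after 3 attempts,
# reset the bad-password count after 15 minutes.
LOCKOUT_THRESHOLD = 3
OBSERVATION_WINDOW = timedelta(minutes=15)

# Constructed sample export. jsmith is hit four times in 15 seconds from one
# host; abrown fails three times but spread over 45 minutes; 10.1.9.50 tries
# three different accounts once each (a spray the per-account lockout misses).
SAMPLE_LOG = """\
2005-11-02 09:00:05|FAILED_LOGON|jsmith|10.1.4.22|bad password
2005-11-02 09:00:09|FAILED_LOGON|jsmith|10.1.4.22|bad password
2005-11-02 09:00:14|FAILED_LOGON|jsmith|10.1.4.22|bad password
2005-11-02 09:00:20|FAILED_LOGON|jsmith|10.1.4.22|bad password
2005-11-02 09:05:00|FAILED_LOGON|abrown|10.1.7.3|bad password
2005-11-02 09:10:00|FAILED_LOGON|cwhite|10.1.9.50|bad password
2005-11-02 09:10:01|FAILED_LOGON|dgreen|10.1.9.50|bad password
2005-11-02 09:10:02|FAILED_LOGON|efox|10.1.9.50|bad password
2005-11-02 09:30:00|FAILED_LOGON|abrown|10.1.7.3|bad password
2005-11-02 09:50:00|FAILED_LOGON|abrown|10.1.7.3|bad password
2005-11-02 10:00:00|SUCCESS_LOGON|jsmith|10.1.4.22|ok
"""


def parse_records(text):
    """Parse the constructed export into dicts, sorted by time."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event, account, source_ip, status = line.split("|")
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event": event,
            "account": account,
            "source_ip": source_ip,
            "status": status,
        })
    # Process chronologically regardless of how the export was ordered.
    records.sort(key=lambda r: r["time"])
    return records


def sliding_window_alerts(records, key, threshold=LOCKOUT_THRESHOLD,
                          window=OBSERVATION_WINDOW):
    """Count failed logons per key inside a sliding time window.

    Whenever a key accumulates `threshold` failures that all fall within
    `window`, one alert (key, time_of_last_failure, count) is emitted and
    that key's counter is cleared, the way a lockout resets the bad-password
    count. Failures older than the window fall off the front of the deque,
    which is the "reset after 15 minutes" behaviour of the policy.
    """
    recent = defaultdict(deque)
    alerts = []
    for rec in records:
        if rec["event"] != "FAILED_LOGON":
            continue
        k = key(rec)
        q = recent[k]
        while q and rec["time"] - q[0] > window:
            q.popleft()
        q.append(rec["time"])
        if len(q) >= threshold:
            alerts.append((k, rec["time"], len(q)))
            q.clear()
    return alerts


def account_lockout_alerts(records):
    """Per-account view: what the domain lockout policy itself would trip on."""
    return sliding_window_alerts(records, key=lambda r: r["account"])


def source_quarantine_candidates(records):
    """Per-source view: a host failing against several accounts never reaches
    the per-account threshold but is still a guessing burst worth quarantining."""
    return sliding_window_alerts(records, key=lambda r: r["source_ip"])


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for who, when, n in account_lockout_alerts(recs):
        print(f"LOCKOUT  account={who} at {when:%H:%M:%S} ({n} failures)")
    for host, when, n in source_quarantine_candidates(recs):
        print(f"QUARANTINE source={host} at {when:%H:%M:%S} ({n} failures)")
```

Run against the sample, the per-account pass locks only jsmith (abrown's three failures are too far apart to sit inside one 15-minute window), while the per-source pass flags both 10.1.4.22 and the spraying host 10.1.9.50, which no per-account rule would ever catch. That gap between the two views is why the column points to behavior-based detection on top of the lockout policy.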
This was first published in November 2005