Windows Security Log and Audit Failures
I suppose I will answer what I have learned in the 6 or so months since I posted this question.
I monitored a Windows Server, connected to a static IP address, with basic security in place (firewall, shut down unnecessary windows services, etc). I found that if I left FTP, using IIS 6 running, I would get 30,000 to 60,000 random login attempts a month. Some months were worse than others, bulk login attempts came in every shape and size. They tried lots of login names, sometimes tried the same name a lot.
When I stopped the FTP service the login attempts stopped.
We also implemented a solid procedure for backing up the Event Log so that large login attempts can't be used to cover up other activity by clogging the Event Log.
I'll accept other answers if anyone else has any experience with this. Otherwise I'll leave this answer for anyone interested.