Network (IP) address is no longer listed as the source of multiple failed login attempts - Events 4776 in Windows 2008 R2

    Question

  • Our Windows 2008R2 security log is full of failed login attempt events 4776, but we're unable to block them because no IP address is provided for the network source of these attempts - like it was in Windows 2003 Server.

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          9/26/2012 2:32:27 AM
    Event ID:      4776
    Task Category: Credential Validation
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      MAIL.XYZ.COM
    Description:
    The computer attempted to validate the credentials for an account.

    Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Logon Account:    admin
    Source Workstation:    MAIL
    Error Code:    0xc0000064
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>4776</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>14336</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2012-09-26T06:32:27.570062500Z" />
        <EventRecordID>18318</EventRecordID>
        <Correlation />
        <Execution ProcessID="452" ThreadID="540" />
        <Channel>Security</Channel>
        <Computer>MAIL.XYZ.COM</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
        <Data Name="TargetUserName">admin</Data>
        <Data Name="Workstation">MAIL</Data>
        <Data Name="Status">0xc0000064</Data>
      </EventData>
    </Event>

    Saturday, September 29, 2012 1:27 PM

All replies

  • Looks like it came from a computer named MAIL. So maybe internal?

     0xc0000064 = user name does not exist (admin)


    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows]

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Saturday, September 29, 2012 3:01 PM
  • The user names are all different in these log events, and they constantly change, which may indicate a hacking attempt.  However, in Windows 2003 these types of events looked like this, showing the IP address the request came from, so we could trace and block them -- but not in Windows 2008:

    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: s
    Domain: MAIL
    Logon Type: 10
    Logon Process: User32 
    Authentication Package: Negotiate
    Workstation Name: MAIL
    Caller User Name: MAIL$
    Caller Domain: XXXX
    Caller Logon ID: (0x0,0x3E7)
    Caller Process ID: 3728
    Transited Services: -
    Source Network Address: 202.67.170.186
    Source Port: 57365



    • Edited by Nafigator Sunday, September 30, 2012 4:12 PM
    Sunday, September 30, 2012 3:01 PM
  • That looks like a 529 failure audit. Do you find event 4625?

    Also note:

    http://support.microsoft.com/default.aspx?scid=kb;en-us;2157973


    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows]


    Sunday, September 30, 2012 4:32 PM
  • No.  Like I said - the log is FULL of events 4776, and neither the Windows 2008R2 system nor the link to "EventLog Online Help" can tell me where these failing login attempts are coming from.  This is so disappointing - a simple, previously existing and extremely helpful functionality (source network address) appears to have been lost in the next version of Microsoft OS product ???...
    Monday, October 01, 2012 4:43 AM
  • It looks like by default there are nine basic security audit policies. This article will guide you in enabling 53 more specific events, which will hopefully give you the desired result.

    http://technet.microsoft.com/en-us/library/dd408940(v=ws.10).aspx


    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows]


    Monday, October 01, 2012 2:00 PM
  • I keep reading it, but not finding anything related to what information is captured for failed login events...
    Tuesday, October 02, 2012 7:54 PM
  • I'd start with at least this one.

    http://technet.microsoft.com/en-us/library/dd941635(v=ws.10).aspx

    Shown is local sec pol.


    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows]


    Wednesday, October 03, 2012 1:18 AM
  • Did you ever get the IP address logged? Or find any other solution to your problem?
    Monday, October 14, 2013 3:55 PM
  • I actually found an answer after some looking, and thought I would share my findings here for others in the same situation to see :-)

    The reason I had no IP address in my audit log was that the hacking attempt (as I found out it was) was using SMTP to try and brute-force its way in. So when I got out my SMTP-receive log, I found all the corresponding tries to authenticate through SMTP - and that way find users on my network.

    My solution was a bit hard: the 16-bit Chinese net got blocked in my firewall, and now I have much less of a problem.

    Monday, October 14, 2013 7:47 PM
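    Brian's finding above, turned into an offline check (an added example, not code from the thread): the DC's 4776 record only names the forwarding workstation (MAIL), so the source IP has to come from the Exchange receive connector protocol log. The script parses the 4776 XML quoted in the question and a constructed receive-log excerpt (field names follow Exchange's protocol log; addresses are documentation ranges), pairs each failure with the 535 reply closest in time, and counts failures per remote address. The CSV layout and the 2-second pairing window are assumptions.

```python
import csv
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime, timedelta
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: the 4776 record quoted in the question, trimmed to the elements read here.
EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4776</EventID><TimeCreated SystemTime="2012-09-26T06:32:27.570062500Z"/>
<Computer>MAIL.XYZ.COM</Computer></System>
<EventData><Data Name="TargetUserName">admin</Data><Data Name="Workstation">MAIL</Data>
<Data Name="Status">0xc0000064</Data></EventData></Event>"""

# Constructed receive-log excerpt (Exchange-style CSV, header shown without the "#Fields:" prefix); 535 = AUTH rejected.
SMTP_LOG = """date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2012-09-26T06:32:27.301Z,MAIL\\Default MAIL,08CF5D2A,5,10.0.0.5:25,198.51.100.23:57365,<,AUTH LOGIN,
2012-09-26T06:32:27.602Z,MAIL\\Default MAIL,08CF5D2A,8,10.0.0.5:25,198.51.100.23:57365,>,535 5.7.3 Authentication unsuccessful,
2012-09-26T06:40:00.000Z,MAIL\\Default MAIL,08CF5D2B,8,10.0.0.5:25,203.0.113.9:41002,>,535 5.7.3 Authentication unsuccessful,
"""

def parse_ts(value):
    """Parse an ISO-8601 UTC stamp; Windows writes 7-9 fractional digits, strptime accepts only 6."""
    base, _, frac = value.rstrip("Z").partition(".")
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S") + timedelta(microseconds=int((frac + "000000")[:6]))

def parse_4776(xml_text):
    """Return (time, target user, workstation, NTSTATUS) from one exported 4776 <Event>."""
    root = ET.fromstring(xml_text)
    when = parse_ts(root.find("e:System/e:TimeCreated", NS).get("SystemTime"))
    data = lambda name: root.find(f"e:EventData/e:Data[@Name='{name}']", NS).text
    return when, data("TargetUserName"), data("Workstation"), data("Status")

def smtp_auth_failures(log_text):
    """Return [(time, remote ip)] for every 535 reply the receive connector sent."""
    out = []
    for row in csv.DictReader(log_text.splitlines()):
        if row["event"] == ">" and row["data"].startswith("535"):
            out.append((parse_ts(row["date-time"]), row["remote-endpoint"].rsplit(":", 1)[0]))
    return out

def attribute_ip(event_xml, log_text, window=timedelta(seconds=2)):
    """Pair a 4776 failure with the 535 reply closest in time; IP is None when nothing falls in the window."""
    when, user, _workstation, status = parse_4776(event_xml)
    cands = [(abs(t - when), ip) for t, ip in smtp_auth_failures(log_text) if abs(t - when) <= window]
    return user, status, (min(cands)[1] if cands else None)

def failures_by_ip(log_text):
    """Count 535 replies per remote address: the list to review before adding firewall block rules."""
    return Counter(ip for _, ip in smtp_auth_failures(log_text))
```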
  • Hi Brian,

    Hope you can read this.

    I'm having the same issue and I haven't found anything useful in my googling sessions.

    The difference is that it is the same server that originates the authentication attempts.

    The affected DC is not an Exchange server however I will check Exchange's SMTP-Receive logs.

    How did you notice it by reading the SMTP-Receive logs?

    Monday, January 13, 2014 5:42 AM