Lots of 4625 logons on Front End server security log

  • Question

  • Hi all,

    I recently found that there were some unknown users added to the local admin group on my front end servers. Upon further investigation I found that there are lots of 4625 event IDs in my security log. Many were from public IP addresses, which I have added to the deny list on my firewall. But the following events are very strange. They all are coming from the same computer AND there are hundreds of them, all trying different usernames (like admin, user1, print1). Looks more like a dictionary attack to me unless someone can give a better explanation. Here is an example of one event:

    An account failed to log on.

    Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0

    Logon Type: 3

    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: visitor
    Account Domain:

    Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xC000006D
    Sub Status: 0xC0000064

    Process Information:
    Caller Process ID: 0x0
    Caller Process Name: -

    Network Information:
    Workstation Name: WindowsMachine
    Source Network Address: -
    Source Port: -

    Detailed Authentication Information:
    Logon Process: NtLmSsp 
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

    Wednesday, May 25, 2016 3:14 PM
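The triage the question is doing by hand, as an added example that is not code from the original thread: pull the 4625 events from the Security log, flatten the EventData fields and group the failures per source workstation, so that one source trying many different usernames (a spray, as in the quoted event) is separated from one user mistyping a single password. The function names and the sample data are my own; the XML field names (TargetUserName, WorkstationName, IpAddress, LogonType, SubStatus) are the standard 4625 ones.

```powershell
# Added example (not from the original thread). Function names and sample data are
# assumptions; the EventData field names are the standard ones for event 4625.

function Get-FailedLogonEvent {
    # Read live 4625 events (needs an elevated shell or Event Log Readers membership)
    # and flatten the EventData fields a triage needs.
    param(
        [int]$MaxEvents = 5000,
        [datetime]$StartTime = (Get-Date).AddDays(-1)
    )
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = $StartTime }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            TimeCreated     = $_.TimeCreated
            TargetUserName  = $d['TargetUserName']
            WorkstationName = $d['WorkstationName']  # client-supplied, not authenticated
            IpAddress       = $d['IpAddress']        # '-' when the client gave none, as in the quoted event
            LogonType       = $d['LogonType']        # 3 = network logon (SMB, HTTP/NTLM, ...)
            SubStatus       = $d['SubStatus']        # 0xC0000064 = no such user, 0xC000006A = bad password
        }
    }
}

function Get-LogonFailureSpray {
    # Groups by (WorkstationName, IpAddress) and counts DISTINCT target usernames.
    # Many distinct names from one source is a dictionary/spray; many attempts
    # against one name is more likely a stale credential or a locked-out user.
    param(
        [Parameter(ValueFromPipeline)] $Event,
        [int]$MinDistinctUsers = 10
    )
    begin { $all = New-Object System.Collections.Generic.List[object] }
    process { if ($null -ne $Event) { $all.Add($Event) } }
    end {
        $all | Group-Object WorkstationName, IpAddress | ForEach-Object {
            $users = @($_.Group.TargetUserName | Sort-Object -Unique)
            $times = @($_.Group.TimeCreated | Sort-Object)
            $verdict = if ($users.Count -ge $MinDistinctUsers) { 'SPRAY' } else { 'noise' }
            [pscustomobject]@{
                Source          = $_.Name
                Attempts        = $_.Count
                DistinctUsers   = $users.Count
                UnknownUserHits = @($_.Group | Where-Object { $_.SubStatus -eq '0xC0000064' }).Count
                BadPasswordHits = @($_.Group | Where-Object { $_.SubStatus -eq '0xC000006A' }).Count
                FirstSeen       = $times[0]
                LastSeen        = $times[-1]
                Verdict         = $verdict
                SampleUsers     = ($users | Select-Object -First 8) -join ','
            }
        } | Sort-Object DistinctUsers -Descending
    }
}

# Constructed sample (not real log data) shaped like the quoted event: twelve
# different non-existent usernames from 'WindowsMachine' with no source IP, plus
# one real user mistyping their password four times from their own PC.
$t = [datetime]'2016-05-25T15:14:00'
$sample = @(
    foreach ($u in 'admin','user1','print1','visitor','test','backup','scan','guest','sql','svc','oracle','ftp') {
        $t = $t.AddSeconds(2)
        [pscustomobject]@{ TimeCreated = $t; TargetUserName = $u; WorkstationName = 'WindowsMachine'
                           IpAddress = '-'; LogonType = '3'; SubStatus = '0xC0000064' }
    }
    foreach ($i in 1..4) {
        [pscustomobject]@{ TimeCreated = $t.AddHours(-6).AddMinutes($i); TargetUserName = 'jsmith'
                           WorkstationName = 'PC-JSMITH'; IpAddress = '10.0.0.42'; LogonType = '3'; SubStatus = '0xC000006A' }
    }
)
$sample | Get-LogonFailureSpray -MinDistinctUsers 10 |
    Format-Table Source, Attempts, DistinctUsers, UnknownUserHits, BadPasswordHits, Verdict, SampleUsers -AutoSize

# On the Front End server itself, run against the live log instead:
# Get-FailedLogonEvent -MaxEvents 20000 | Get-LogonFailureSpray | Format-Table -AutoSize
```

On the constructed sample, the 'WindowsMachine, -' source comes out with 12 attempts, 12 distinct users, 12 unknown-user hits and the verdict SPRAY, while 'PC-JSMITH, 10.0.0.42' shows 4 attempts against 1 user with bad-password sub-status and the verdict noise. Note that a source IP of '-' is normal for NTLM network logons where the client did not supply one, and that WorkstationName is whatever the client chose to send, so it points at a host to investigate rather than proving which host it was.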

Answers

  • You should find out who owns that computer if possible. Maybe it is a domain-joined computer. This seems like an insider job.

    Please check which accounts are members of any RTC* groups by running this:

    # Lists every user whose group memberships include an RTC* (Lync / Skype for Business) group
    Get-ADUser -Filter * -SearchBase "DC=domain,DC=local" -SearchScope Subtree -Properties MemberOf |
        Where-Object { [string]$_.MemberOf -like "*rtc*" } | Out-GridView

    Were any of those accounts used for "hacking" members of any RTC groups?

    This guide might be helpful for you (for protecting the Edge Server): https://technet.microsoft.com/fr-fr/library/dn879446%28v=ocs.15%29.aspx?f=255&MSPPError=-2147217396


    Off2work

    • Proposed as answer by Eason Huang Thursday, May 26, 2016 7:51 AM
    • Marked as answer by Eason Huang Sunday, June 5, 2016 12:31 PM
    Wednesday, May 25, 2016 6:17 PM
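The two checks the answer recommends, as an added example that is not the answerer's code: look the workstation named in the 4625 events up in Active Directory (is it domain-joined, and who manages it?), then check which of the attempted usernames exist at all and whether any sit in RTC* groups. The function name, the computer name 'WindowsMachine' and the user list are assumptions taken from the quoted event; the script needs the RSAT ActiveDirectory module and read access to the domain.

```powershell
# Added example (not part of the original answer). Function name, computer name and
# user list are assumptions taken from the quoted event.
Import-Module ActiveDirectory

function Get-SprayTargetReport {
    param(
        [Parameter(Mandatory)][string]$WorkstationName,
        [Parameter(Mandatory)][string[]]$AttemptedUsers
    )
    # Escape single quotes so a log-supplied name cannot break the filter string.
    $safeName = $WorkstationName -replace "'", "''"
    # -Filter returns nothing (no error) when there is no such computer object.
    $pc = Get-ADComputer -Filter "Name -eq '$safeName'" `
            -Properties IPv4Address, OperatingSystem, LastLogonDate, ManagedBy, Description
    if ($pc) {
        Write-Host ("Domain computer: {0} ip={1} os={2} lastLogon={3} managedBy={4} desc={5}" -f
            $pc.DNSHostName, $pc.IPv4Address, $pc.OperatingSystem, $pc.LastLogonDate, $pc.ManagedBy, $pc.Description)
    } else {
        # The 4625 WorkstationName is client-supplied and unauthenticated: an unknown
        # name means a non-domain host, or a tool that simply sends an arbitrary name.
        Write-Host "No computer object named '$WorkstationName' in this domain (name may be spoofed)."
    }
    foreach ($u in ($AttemptedUsers | Sort-Object -Unique)) {
        $safeUser = $u -replace "'", "''"
        $acct = Get-ADUser -Filter "SamAccountName -eq '$safeUser'" -Properties MemberOf, LockedOut
        # Keep only RTC* groups and reduce each DN to its CN for readability.
        $rtc = @()
        if ($acct) {
            $rtc = @($acct.MemberOf) | Where-Object { $_ -like 'CN=RTC*' } |
                   ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }
        }
        [pscustomobject]@{
            User       = $u
            ExistsInAD = [bool]$acct
            Enabled    = $acct.Enabled     # $null when the account does not exist
            LockedOut  = $acct.LockedOut
            RtcGroups  = (@($rtc) -join ';')
        }
    }
}

Get-SprayTargetReport -WorkstationName 'WindowsMachine' -AttemptedUsers 'admin','user1','print1','visitor' |
    Format-Table -AutoSize
```

Usernames that do not exist in AD (the 0xC0000064 cases in the question) come back with ExistsInAD False and an empty RtcGroups column; any that do exist and show an RTC* group are the ones worth checking for the local admin additions the question mentions. Feed the function the distinct TargetUserName values taken from the 4625 events rather than a hand-typed list so nothing is missed.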