Server 2008 R2, event ID 4625 error with logon type 10
Hello,
We have a client who has a 2008 R2 server that is getting a lot of security audit logs (event id 4625). What's ominous is that the userid listed is "user32." Not sure if this is a potential security attack or not. Some people access this server because it's a Microsoft Dynamics SL server and they would access it using RDP. See the error log below. Thanks!
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 11/5/2011 8:25:52 PM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: SERVERNAME.DOMAIN.com
Description:
An account failed to log on.
Subject:
Security ID: SYSTEM
Account Name: SERVERNAME$
Account Domain: DOMAIN
Logon ID: 0x3e7
Logon Type: 10
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: a
Account Domain: SERVERNAME
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064
Process Information:
Caller Process ID: 0x110c
Caller Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name: SERVERNAME
Source Network Address: 168.93.99.245
Source Port: 2034
Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
November 14th, 2011 3:59pm
Somebody tries to log in as user "a". If the IP subnet 168.93.99.xx is not within your trusted network, you might be under attack. To prevent attacks like this, you can simply install an intelligent intrusion detection and defense software like Cyberarms Intrusion Detection. You can download a free edition here:
https://cyberarms.net/intrusion-detection/free-download.aspx
This should help you block attackers after some tries.
Max
June 29th, 2012 10:19pm
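An added example, not part of the original thread: a small Python triage script for events like the one posted above. It parses the "Name: value" text of each 4625 event, keeps only logon type 10 (RDP), and groups failures by source address so that many different nonexistent account names from one external address stand out from an internal user mistyping a password. The function names and the sample events are assumptions made for this example; the sample is constructed and reuses the source address from the posted event.

```python
import ipaddress
from collections import defaultdict

# Documented NTSTATUS sub-status codes seen in event 4625.
SUB_STATUS = {
    "0xc0000064": "user name does not exist",
    "0xc000006a": "user name exists, wrong password",
    "0xc0000234": "account locked out",
}

def parse_event(text):
    """Parse the 'Name: value' lines of one event as shown in Event Viewer.
    'Account Name' occurs twice; the later one (the failed account) wins."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():          # skip section headers such as "Subject:"
            fields[key.strip()] = value.strip()
    return fields

def is_external(addr):
    """True when the source address is outside private/reserved ranges."""
    try:
        return not ipaddress.ip_address(addr).is_private
    except ValueError:                     # "-" or empty when no address was recorded
        return False

def summarize(events):
    """Group failed RDP logons (4625, logon type 10) by source address."""
    by_source = defaultdict(lambda: {"failures": 0, "accounts": set(), "reasons": set()})
    for f in map(parse_event, events):
        if f.get("Event ID") != "4625" or f.get("Logon Type") != "10":
            continue
        s = by_source[f.get("Source Network Address", "-")]
        s["failures"] += 1
        s["accounts"].add(f.get("Account Name", "?"))
        sub = f.get("Sub Status", "").lower()
        s["reasons"].add(SUB_STATUS.get(sub, sub))
    return dict(by_source)

# Constructed sample: three events trimmed to the fields used here.
TEMPLATE = ("Event ID: 4625\nLogon Type: 10\nSubject:\nAccount Name: SERVERNAME$\n"
            "Account For Which Logon Failed:\nAccount Name: {name}\n"
            "Sub Status: {sub}\nSource Network Address: {ip}\n")
SAMPLE = [TEMPLATE.format(name="a", sub="0xc0000064", ip="168.93.99.245"),
          TEMPLATE.format(name="admin", sub="0xc0000064", ip="168.93.99.245"),
          TEMPLATE.format(name="jsmith", sub="0xc000006a", ip="10.0.0.23")]

if __name__ == "__main__":
    for src, s in summarize(SAMPLE).items():
        print(src, "external" if is_external(src) else "internal",
              s["failures"], sorted(s["accounts"]), sorted(s["reasons"]))
```

In the posted event, Logon Process "User32" is the component that handled the logon, and the account that failed is the second "Account Name" field ("a"), which is why the parser keeps the later value.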