I guess I was thrown off by the fact that the one server I tested is a Web
server with a redirect to a page that asks for credentials. I think that no
matter what directory I put at the end of the path, it will redirect. I’ve
since tried others and I get nothing.



*From:* [email protected] [mailto:[email protected]] *On Behalf Of *J- P
*Sent:* Wednesday, April 8, 2015 9:22 PM
*To:* NT
*Subject:* RE: [NTSysADM] Remote logon attempts 4625



but this is not an RDS server, just a standard 08r2 member server. I
believe the RDWEB role needs to be installed (someone please chime in if
I'm mistaken)


Jean-Paul Natola


------------------------------

From: [email protected]
Date: Wed, 8 Apr 2015 10:29:51 -0400
Subject: RE: [NTSysADM] Remote logon attempts 4625
To: [email protected]

RDP Web access seems to be default.

Try this from your web browser:

http://SERVER_Name/rdweb



You just made me realize a security weakness I hadn’t even considered
before. I’ll have to check our Windows Internet facing Web servers.





*From:* [email protected] [mailto:[email protected]] *On Behalf Of *J- P
*Sent:* Tuesday, April 7, 2015 12:36 PM
*To:* NT
*Subject:* [NTSysADM] Remote logon attempts 4625



Hi all,


Have an internet facing time-clock server, the network firewall has port
80 ONLY forwarding to the server.

I'm starting to see hundreds of event 4625's coming from global IP
addresses (China, Malaysia, Russia etc.).

If the firewall only has port 80 forwarded, how are they attempting RDP
(Logon Type 10)?


Here is one such example:

An account failed to log on.

Subject:
    Security ID:        SYSTEM
    Account Name:       *SERVER_Name*$
    Account Domain:        *DOMAIN_ NAME*
    Logon ID:        0x3e7

Logon Type:            10

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:        administrator
    Account Domain:        *SERVER_Name*

Failure Information:
    Failure Reason:        Unknown user name or bad password.
    Status:            0xc000006d
    Sub Status:        0xc000006a

Process Information:
    Caller Process ID:    0x1424
    Caller Process Name:    C:\Windows\System32\winlogon.exe

Network Information:
    Workstation Name:    *SERVER_Name*
    Source Network Address:    60.52.25.18 (Malaysia IP )
    Source Port:        4750

Detailed Authentication Information:
    Logon Process:        User32
    Authentication Package:    Negotiate
    Transited Services:    -
    Package Name (NTLM only):    -
    Key Length:        0



Jean-Paul Natola
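An added example, not from the thread or its participants: a PowerShell snippet that pulls recent 4625 events from the Security log, keeps only Logon Type 10 (RemoteInteractive, which is what RDP and RDWeb logons record), and summarises them by external source address so the scale and origin of the attempts in the post above are visible at a glance. It assumes it is run elevated on the affected server; the helper name Test-PrivateIPv4 and the one-day window are my choices.

```powershell
# Added example (not from the thread): summarise 4625 / Logon Type 10 failures
# by source address. Assumes an elevated session on the server whose Security
# log holds the events; the 1-day window is an arbitrary choice.

function Test-PrivateIPv4 {
    param([string]$Address)
    # RFC 1918 ranges plus loopback and link-local; anything else is treated
    # as an external (internet) source.
    return $Address -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|169\.254\.)'
}

$since  = (Get-Date).AddDays(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Each 4625 event carries its fields as <Data Name="..."> nodes in EventData;
# read them into a hashtable so LogonType, TargetUserName and IpAddress can
# be addressed by name.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['LogonType'] -eq '10') {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Account   = $d['TargetUserName']
            SourceIp  = $d['IpAddress']
            SubStatus = $d['SubStatus']   # 0xC000006A = bad password, 0xC0000064 = no such user
        }
    }
}

# Drop events with no usable source address, ignore internal ranges, then
# rank external sources by attempt count with the accounts they tried.
$rows |
    Where-Object { $_.SourceIp -and $_.SourceIp -ne '-' -and -not (Test-PrivateIPv4 $_.SourceIp) } |
    Group-Object SourceIp |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'SourceIp'; e = { $_.Name } },
        @{ n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique) -join ',' } },
        @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time | Select-Object -Last 1).Time } } |
    Format-Table -AutoSize
```

If the listing shows external sources with Logon Type 10 while only port 80 is forwarded, the RDWeb path suggested earlier in the thread is the first thing to confirm on the box.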
