You might want to validate the fw rules that only port 80 is open also.

Ed

On Apr 7, 2015 12:43 PM, "Kennedy, Jim" <[email protected]> wrote:
> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
>
> Check to see if it is set to answer on 80
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *J- P
> *Sent:* Tuesday, April 7, 2015 12:37 PM
> *To:* NT
> *Subject:* [NTSysADM] Remote logon attempts 4625
>
> Hi all,
>
> Have an internet facing time-clock server, the network firewall has port 80 ONLY forwarding to the server,
>
> I'm starting to see hundreds of event 4625's coming from global IP addresses (China, Malaysia, Russia etc.)
>
> If the firewall only has port 80 forwarded, how are they attempting RDP (Logon Type 10)
>
> here is one such example;
>
> An account failed to log on.
>
> Subject:
> Security ID: SYSTEM
> Account Name: *SERVER_Name*$
> Account Domain: *DOMAIN_ NAME*
> Logon ID: 0x3e7
>
> Logon Type: 10
>
> Account For Which Logon Failed:
> Security ID: NULL SID
> Account Name: administrator
> Account Domain: *SERVER_Name*
>
> Failure Information:
> Failure Reason: Unknown user name or bad password.
> Status: 0xc000006d
> Sub Status: 0xc000006a
>
> Process Information:
> Caller Process ID: 0x1424
> Caller Process Name: C:\Windows\System32\winlogon.exe
>
> Network Information:
> Workstation Name: *SERVER_Name*
> Source Network Address: 60.52.25.18 (Malaysia IP )
> Source Port: 4750
>
> Detailed Authentication Information:
> Logon Process: User32
> Authentication Package: Negotiate
> Transited Services: -
> Package Name (NTLM only): -
> Key Length: 0
>
> Jean-Paul Natola
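One way to run the checks suggested in this thread from the server itself, as an added example that is not part of the original messages: read the RDP-Tcp listener port from the registry key quoted above, see what is listening on that port and on 80, then count event 4625 failures with Logon Type 10 by source address. The one-day look-back window and the top-20 cut-off are assumptions, and `Get-NetTCPConnection` assumes Windows Server 2012 or later.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session on the server.

# 1. Which TCP port is the RDP listener configured to answer on? (the default is 3389)
$rdpKey  = 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdpPort = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
"RDP-Tcp PortNumber: $rdpPort"

# 2. What is actually listening on that port and on 80, and which process owns it?
Get-NetTCPConnection -State Listen -LocalPort $rdpPort, 80 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 3. Pull recent 4625 events and keep only RemoteInteractive (Logon Type 10) failures.
$since  = (Get-Date).AddDays(-1)   # assumed look-back window
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4625; StartTime = $since
} -ErrorAction SilentlyContinue

$failures = foreach ($e in $events) {
    # Turn the event's <Data Name="..."> elements into a name/value lookup.
    $data = @{}
    ([xml]$e.ToXml()).Event.EventData.Data |
        ForEach-Object { $data[$_.Name] = $_.'#text' }

    if ($data['LogonType'] -eq '10') {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Account   = $data['TargetUserName']
            SourceIp  = $data['IpAddress']
            SubStatus = $data['SubStatus']
        }
    }
}

# 4. Failed attempts per source address, busiest first.
$failures | Group-Object SourceIp | Sort-Object Count -Descending |
    Select-Object Count, Name -First 20

# 5. Which account names are being tried.
$failures | Group-Object Account | Sort-Object Count -Descending |
    Select-Object Count, Name -First 20
```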

