So I just opened 3389 (for testing) and attempted to remote in from outside
using incorrect credentials. The event is still 4625; HOWEVER, it is not logon
type 10 (as the previous entries are), it was a type 3.
So now I'm really confused, as I was under the impression that type 10 was RDP,
but clearly from my test RDP is TYPE 3.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: administrator
Account Domain: X201
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a
Logon Type 10 – RemoteInteractive
When you access a computer through Terminal Services, Remote Desktop
or Remote Assistance, Windows logs the logon attempt with logon type 10,
which makes it easy to distinguish true console logons from a remote
desktop session.
Jean-Paul Natola
Date: Tue, 7 Apr 2015 12:52:24 -0400
Subject: RE: [NTSysADM] Remote logon attempts 4625
From: [email protected]
To: [email protected]
You might want to validate the fw rules that only port 80 is open, also.
Ed
On Apr 7, 2015 12:43 PM, "Kennedy, Jim" <[email protected]> wrote:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
Check to see if it is set to answer on 80.
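Added example, not part of Jim's message or the rest of the thread: a PowerShell check that reads the PortNumber value under the RDP-Tcp key he points at (plus fDenyTSConnections, which says whether Remote Desktop is enabled at all) and then compares the configured port with what is actually bound on the box. It assumes it is run elevated on the time-clock server; Get-NetTCPConnection needs Windows 8 / Server 2012 or later, so the netstat fallback is noted in a comment.

```powershell
# Added example (not from the thread). Check which TCP port the RDP-Tcp
# listener is configured for, whether Remote Desktop is enabled, and what
# is really listening on that port. Assumes an elevated prompt on the server.
$wsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

$port   = (Get-ItemProperty -Path $wsKey -Name PortNumber).PortNumber
$denied = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections

"RDP-Tcp PortNumber : $port"
"fDenyTSConnections : $denied  (1 = Remote Desktop disabled)"

if ($port -ne 3389) {
    Write-Warning "RDP listener is not on the default port; it is configured for TCP $port"
}
if ($port -eq 80) {
    Write-Warning "RDP listener is on TCP 80, so a port-80-only forward still exposes RDP"
}

# Confirm what is actually bound to that port. Get-NetTCPConnection needs
# Windows 8 / Server 2012 or later; on older systems use:
#   netstat -ano | findstr ":$port "
$listeners = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
if (-not $listeners) {
    "Nothing is listening on TCP $port right now"
}
$listeners | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LocalAddress = $_.LocalAddress
        LocalPort    = $_.LocalPort
        Pid          = $_.OwningProcess
        Process      = $proc.ProcessName
    }
} | Format-Table -AutoSize
```

If the registry says 3389 but the firewall only forwards 80, the next thing to compare is the listener list above against the forwarding rule, since the registry key only tells you what the RDP service was asked to bind, not what a reverse-proxy, tunnel or second NIC might be exposing.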
From: [email protected] [mailto:[email protected]]
On Behalf Of J- P
Sent: Tuesday, April 7, 2015 12:37 PM
To: NT
Subject: [NTSysADM] Remote logon attempts 4625
Hi all,
Have an internet-facing time-clock server; the network firewall has port 80
ONLY forwarding to the server.
I'm starting to see hundreds of event 4625's coming from global IP addresses
(China, Malaysia, Russia etc.).
If the firewall only has port 80 forwarded, how are they attempting RDP (Logon
Type 10)?
Here is one such example:
An account failed to log on.
Subject:
Security ID: SYSTEM
Account Name: SERVER_Name$
Account Domain: DOMAIN_NAME
Logon ID: 0x3e7
Logon Type: 10
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: administrator
Account Domain: SERVER_Name
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a
Process Information:
Caller Process ID: 0x1424
Caller Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name: SERVER_Name
Source Network Address: 60.52.25.18 (Malaysia IP)
Source Port: 4750
Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
Jean-Paul Natola
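Added example, not from the original post or anyone in the thread: PowerShell that pulls the 4625 events from the Security log on the server, extracts the same EventData fields shown in the event above (logon type, target account, source address and port, caller process, logon process, Status and SubStatus), and groups them by source IP and logon type so the type 3 and type 10 entries discussed in the thread can be compared side by side. It assumes an elevated prompt on the server in question; $Hours and $Top are this script's own parameters, not anything from the thread.

```powershell
# Added example (not from the thread). Summarise event 4625 (failed logon)
# by source IP and logon type, with the status codes that say why it failed.
# Assumes an elevated prompt on the server; field names are the standard
# EventData names of event 4625.
param(
    [int]$Hours = 24,   # how far back to look (assumption: one day is enough)
    [int]$Top   = 20    # how many source/logon-type pairs to print
)

$filter = @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddHours(-$Hours)
}

$rows = foreach ($ev in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
    # Pull the named EventData fields out of the event XML
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

    [pscustomobject]@{
        Time       = $ev.TimeCreated
        LogonType  = $data['LogonType']
        User       = $data['TargetUserName']
        Domain     = $data['TargetDomainName']
        SourceIp   = $data['IpAddress']
        SourcePort = $data['IpPort']
        Process    = $data['ProcessName']
        LogonProc  = $data['LogonProcessName']
        Status     = $data['Status']
        SubStatus  = $data['SubStatus']
    }
}

"{0} failed logons (4625) in the last {1} hours" -f @($rows).Count, $Hours

# Which sources are hitting which logon type, and with which accounts/processes
$rows |
    Group-Object SourceIp, LogonType |
    Sort-Object Count -Descending |
    Select-Object -First $Top Count,
        @{ n = 'SourceIp';  e = { $_.Group[0].SourceIp } },
        @{ n = 'LogonType'; e = { $_.Group[0].LogonType } },
        @{ n = 'LogonProc'; e = { ($_.Group.LogonProc | Sort-Object -Unique) -join ',' } },
        @{ n = 'Accounts';  e = { ($_.Group.User | Sort-Object -Unique) -join ',' } },
        @{ n = 'Processes'; e = { ($_.Group.Process | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize

# SubStatus 0xc000006a is "bad password" and 0xc0000064 is "no such user":
# the split tells password guessing apart from username enumeration.
$rows | Group-Object SubStatus | Select-Object Count, Name | Format-Table -AutoSize
```

Run it once with the default window and again with a longer -Hours if the bursts are intermittent; the SourceIp column is what to hand to the firewall admin, and the LogonType/LogonProc columns show whether the two kinds of entries in the thread are arriving from the same addresses.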