Diagnosing Logon Audit Failure event log entries
Posted
by
Scott Mitchell
on Server Fault
See other posts from Server Fault
or by Scott Mitchell
Published on 2012-03-26T16:15:11Z
Indexed on
2012/03/26
17:32 UTC
Read the original article
Hit count: 294
I help a client manage a website that is run on a dedicated web server at a hosting company. Recently, we noticed that over the last two weeks there have been tens of thousands of Audit Failure entries in the Security Event Log with Task Category of Logon - these have been coming in about every two seconds, but interesting stopped altogether as of two days ago.
In general, the event description looks like the following:
An account failed to log on.
Subject:
Security ID: SYSTEM
Account Name: ...The Hosting Account...
Account Domain: ...The Domain...
Logon ID: 0x3e7
Logon Type: 10
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: david
Account Domain: ...The Domain...
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064
Process Information:
Caller Process ID: 0x154c
Caller Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name: ...The Domain...
Source Network Address: 173.231.24.18
Source Port: 1605
The value in the Account Name field differs. Above you see "david" but there are ones with "john", "console", "sys", and even ones like "support83423" and whatnot.
The Logon Type field indicates that the logon attempt was a remote interactive attempt via Terminal Services or Remote Desktop. My presumption is that these are some brute force attacks attempting to guess username/password combinations in order to log into our dedicated server. Are these presumptions correct?
Are these types of attacks pretty common? Is there a way to help stop these types of attacks? We need to be able to access the desktop via Remote Desktop so simply turning off that service is not feasible.
Thanks
© Server Fault or respective owner