Remote Desktop failed logon event 4625 not logging correctly on 2008 Terminal Services server

Posted by Zone12 on Server Fault See other posts from Server Fault or by Zone12
Published on 2012-04-13T07:29:37Z Indexed on 2012/06/30 3:17 UTC
Read the original article Hit count: 477

When I use the new remote desktop with ssl and try to log on with bad credentials it logs a 4625 event as expected. The problem is, it doesn't log the ip address, so I can't block malicious logons in our firewall. The event looks like this:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{00000000-0000-0000-0000-000000000000}" /> 
        <EventID>4625</EventID> 
        <Version>0</Version> 
        <Level>0</Level> 
        <Task>12544</Task> 
        <Opcode>0</Opcode> 
        <Keywords>0x8010000000000000</Keywords> 
        <TimeCreated SystemTime="2012-04-13T06:52:36.499113600Z" /> 
        <EventRecordID>467553</EventRecordID> 
        <Correlation /> 
        <Execution ProcessID="544" ThreadID="596" /> 
        <Channel>Security</Channel> 
        <Computer>ontheinternet</Computer> 
        <Security /> 
    </System>
    <EventData>
        <Data Name="SubjectUserSid">S-1-0-0</Data> 
        <Data Name="SubjectUserName">-</Data> 
        <Data Name="SubjectDomainName">-</Data> 
        <Data Name="SubjectLogonId">0x0</Data> 
        <Data Name="TargetUserSid">S-1-0-0</Data> 
        <Data Name="TargetUserName">notauser</Data> 
        <Data Name="TargetDomainName">MYSERVER-PC</Data> 
        <Data Name="Status">0xc000006d</Data> 
        <Data Name="FailureReason">%%2313</Data> 
        <Data Name="SubStatus">0xc0000064</Data> 
        <Data Name="LogonType">3</Data> 
        <Data Name="LogonProcessName">NtLmSsp</Data> 
        <Data Name="AuthenticationPackageName">NTLM</Data> 
        <Data Name="WorkstationName">MYSERVER-PC</Data> 
        <Data Name="TransmittedServices">-</Data> 
        <Data Name="LmPackageName">-</Data> 
        <Data Name="KeyLength">0</Data> 
        <Data Name="ProcessId">0x0</Data> 
        <Data Name="ProcessName">-</Data> 
        <Data Name="IpAddress">-</Data> 
        <Data Name="IpPort">-</Data> 
    </EventData>
</Event>

It seems because the logon type is 3 and not 10 like the old rdp sessions, the ip address and other information is not stored.

The machine I am trying to connect from is on the internet and not on the same network as the server.

Does anyone know where this information is stored (and what other events are generated with a failed logon)?

Any help will be much appreciated.

© Server Fault or respective owner

Related posts about windows-server-2008-r2

Related posts about logging