Event 4625 Windows security auditing: failed to log on. Failure reason: unknown user name or bad password


Problem description

I have a Windows Server 2012 R2 Azure virtual instance and a few ports are open on it, i.e. (80, 443, RDC). I have observed the below logs in the Windows Event Viewer, in the Security section.

Event 4625: Microsoft Windows security auditing

-------log description start
An account failed to log on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: ALLISON
Account Domain:

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064

Process Information:
Caller Process ID: 0x0
Caller Process Name: -

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

-------log description end

The logs are continuously generated in Event Viewer (3-4 requests per second) and the account name always changes, as mentioned below.

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: ATCNSBAYFG
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: SUPPORT
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: SUPPORT
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: HAYLEY
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: TEST5
and more...

What I have tried:

1. Disabled all the open ports from the Azure portal, even RDC.
2. Disabled the Windows Essentials services.
3. Disabled the Alert Evaluations task from the Windows scheduler.

But still the logs are being generated in Event Viewer. Is this Windows being attacked or something else? And how to prevent this?

Recommended answer

Looks like a script that tries username/password combinations to log in.
There is not much information besides that it is remote (type field == 3) and the user does not exist (0xC0000064). Unfortunately there is no source IP address logged. If there were, it could be verified that it is probably from a hacked server or an infected home PC with a dial-up IP.

To know the origin of the attempts you have to install a network sniffer or monitor and find the packets using the time stamps and the packet types.

There is nothing you can do against such attempts besides restricting connections / remote logins using white lists (list of IPs or ranges that are allowed to connect / login).

While it may be annoying that the logs are flooded, logging should not be disabled.
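The triage the answer describes, done over the question's own event layout, as an added example that is not part of the original post or its answers: it reads the logon type and authentication package, maps the NTSTATUS sub status, counts how many distinct account names fail per time window, and reports whether a source address was recorded at all. The event bodies, timestamps, the 203.0.113.7 address and the SPRAY_* thresholds are constructed for illustration; pulling the real message text out of Event Viewer (for example with Get-WinEvent) is left to the reader.

```python
"""Triage Event ID 4625 message bodies for password-spray / brute-force activity.

Added example, not code from the original post. Event bodies, timestamps, the
203.0.113.7 address and the SPRAY_* thresholds are constructed for illustration.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Sub-status codes documented for 4625; 0xC0000064 is the one in the question.
SUB_STATUS = {
    "0xC0000064": "user name does not exist",
    "0xC000006A": "user name exists, wrong password",
    "0xC0000072": "account disabled",
    "0xC0000234": "account locked out",
}
SPRAY_WINDOW_SECONDS = 60        # assumption: judge activity per one-minute window
SPRAY_MIN_DISTINCT_USERS = 5     # assumption: >= 5 different names in a window is a spray


def _field(text, key, start=0):
    """Value after 'key:' on its own line, searching from offset start ('' if absent)."""
    m = re.search(r"^[ \t]*" + re.escape(key) + r":[ \t]*(.*?)[ \t]*$",
                  text[start:], re.MULTILINE)
    return m.group(1) if m else ""


def parse_4625(message):
    """Pull the triage-relevant fields out of one 4625 message body."""
    # The message carries two 'Account Name' lines; the one under 'Account For
    # Which Logon Failed' is the name the remote client tried.
    failed_at = max(message.find("Account For Which Logon Failed:"), 0)
    source = _field(message, "Source Network Address")
    return {
        "logon_type": _field(message, "Logon Type"),
        "target_user": _field(message, "Account Name", failed_at).upper(),
        "status": _field(message, "Status"),          # '^Status:' does not match 'Sub Status:'
        "sub_status": _field(message, "Sub Status"),
        "auth_package": _field(message, "Authentication Package"),
        "source": None if source in ("", "-") else source,   # '-' means not recorded
    }


def summarize(events):
    """events: list of (time_created: datetime, message: str). Returns a triage dict."""
    parsed = sorted((dict(parse_4625(m), time=t) for t, m in events), key=lambda e: e["time"])
    sub_counts = Counter(e["sub_status"] for e in parsed)
    span = (parsed[-1]["time"] - parsed[0]["time"]).total_seconds() if len(parsed) > 1 else 0.0
    # Peak number of distinct target names inside any SPRAY_WINDOW_SECONDS window.
    peak = 0
    for i, first in enumerate(parsed):
        names = {first["target_user"]}
        for later in parsed[i + 1:]:
            if (later["time"] - first["time"]).total_seconds() > SPRAY_WINDOW_SECONDS:
                break
            names.add(later["target_user"])
        peak = max(peak, len(names))
    sources = sorted({e["source"] for e in parsed if e["source"]})
    findings = []
    if all(e["logon_type"] == "3" and e["auth_package"] == "NTLM" for e in parsed):
        findings.append("all network (type 3) NTLM logons: a remote client, not a local session")
    if peak >= SPRAY_MIN_DISTINCT_USERS and sub_counts["0xC0000064"] >= SPRAY_MIN_DISTINCT_USERS:
        findings.append(f"password spray / name guessing: {peak} distinct names within "
                        f"{SPRAY_WINDOW_SECONDS}s, mostly non-existent accounts")
    hits = sorted({e["target_user"] for e in parsed if e["sub_status"] == "0xC000006A"})
    if hits:
        findings.append("existing account(s) hit with a wrong password, review these: " + ", ".join(hits))
    for src in sources:
        n = sum(1 for e in parsed if e["source"] == src)
        findings.append(f"{n} attempts from {src}: candidate for a block or an allow-list review")
    if not sources:
        findings.append("no source address recorded: attribute with a packet capture at the host "
                        "or network edge, then restrict remote logons to an allow-list")
    return {
        "events": len(parsed),
        "events_per_second": round(len(parsed) / span, 2) if span else float(len(parsed)),
        "distinct_users": len({e["target_user"] for e in parsed}),
        "peak_distinct_users_per_window": peak,
        "sub_status": {c: (n, SUB_STATUS.get(c, "other")) for c, n in sub_counts.items()},
        "sources": sources,
        "findings": findings,
    }


# --- constructed sample input, in the layout of the question's event ---------------
def _event(account, sub_status, source="-"):
    return ("An account failed to log on.\n\nSubject:\n\tSecurity ID:\t\tNULL SID\n"
            "\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\n"
            "Logon Type:\t\t\t3\n\nAccount For Which Logon Failed:\n"
            f"\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\t{account}\n\tAccount Domain:\t\t\n\n"
            "Failure Information:\n\tFailure Reason:\t\tUnknown user name or bad password.\n"
            f"\tStatus:\t\t\t0xC000006D\n\tSub Status:\t\t{sub_status}\n\n"
            f"Network Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t{source}\n"
            "\tSource Port:\t\t-\n\nDetailed Authentication Information:\n"
            "\tLogon Process:\t\tNtLmSsp\n\tAuthentication Package:\tNTLM\n")


_T0 = datetime(2018, 6, 1, 3, 14, 15)   # constructed timestamps, ~4 events/second
SAMPLE_EVENTS = [(_T0 + timedelta(milliseconds=ms), _event(name, sub)) for ms, name, sub in [
    (0, "ALLISON", "0xC0000064"), (280, "ATCNSBAYFG", "0xC0000064"),
    (590, "SUPPORT", "0xC0000064"), (850, "SUPPORT", "0xC0000064"),
    (1120, "HAYLEY", "0xC0000064"), (1400, "TEST5", "0xC0000064"),
    (1690, "ADMINISTRATOR", "0xC000006A"),   # constructed: a real name with a wrong password
]]
# Same burst, but with the client address recorded (constructed TEST-NET address).
SAMPLE_WITH_SOURCE = [(t, _event("SUPPORT", "0xC0000064", "203.0.113.7")) for t, _ in SAMPLE_EVENTS]

if __name__ == "__main__":
    for line in summarize(SAMPLE_EVENTS)["findings"]:
        print("-", line)
```

The script only tells you what the log can and cannot say: with the question's events the source list comes back empty, so the capture the answer recommends is the next step, and the allow-list itself lives in the Azure NSG or the Windows Firewall rule for the listening service, not in the event log.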


Based on my research, I would suggest you follow the links below.

https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems

https://technet.microsoft.com/en-us/library/bb463166.aspx

https://www.lepide.com/blog/audit-successful-logon-logoff-and-failed-logons-in-activedirectory/

Hope it helps

