Several Audit Failure messages in the Event logs with Event ID 4625


Tags: windows, active-directory, security, azure, domain-controller

We have 3 VMs (all Windows Server 2012 R2) deployed on Azure. Today I noticed that since Dec 9th, there have been several Logon Failure messages getting logged in the Security logs on all the servers. It appears that there are random sign-in attempts. A few examples of the errors are below. As you can see, the Account Names are random and none of those users belongs to our AD deployment. I'm not sure if this is like a brute force attack, but this is concerning me. Our Intrusion Detection software identified the IPs of those logon attempts and blocked the IPs, as it considered them intrusion attempts. So far it has blocked more than 400 IPs. But my concern is, how can I permanently block those connections? Also, what are the downsides of blacklisting those IPs? Would appreciate any assistance.

An account failed to log on.

Subject:
Security ID:  NULL SID
Account Name:  -
Account Domain:  -
Logon ID:  0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID:  NULL SID
Account Name:  BLARSEN

---

An account failed to log on.

Subject:
Security ID:  NULL SID
Account Name:  -
Account Domain:  -
Logon ID:  0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID:  NULL SID
Account Name:  Jobs

---

An account failed to log on.

Subject:
Security ID:  NULL SID
Account Name:  -
Account Domain:  -
Logon ID:  0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID:  NULL SID
Account Name:  EDUARDO

To address a couple points:

  • Brute force attack: I agree that this is most likely what this is
  • Downsides to blocking those IPs: If these IPs are spoofed, or used from VPN services, there could be future legitimate traffic that gets blocked if you ban them. I would argue the risk is low and you could address those as they get reported.
  • How to block: this depends on your security design. A firewall is a great place to start. Sounds like your IDS is already doing a good job.
  • Why are these ports available to the public in the first place? You ought to re-evaluate your security design and see if there’s a way to restrict access to these entry points. There’s seldom a good reason to directly expose Windows server ports to the public. Even an IIS server ought to have a good front end filtering traffic.
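The following PowerShell script is an added example and is not code from the question or the answer above. It pulls the 4625 events the post describes from the Security log, extracts the fields the truncated excerpts leave out (the source address and the failure sub-status), and summarizes network logons (type 3) by source IP so the repeat offenders can be reviewed before they are fed into a Windows Firewall block rule. The 24-hour window, the threshold of 10 failures and the rule name "Block 4625 offenders" are assumptions chosen for the example; the EventData field names (TargetUserName, IpAddress, LogonType, SubStatus) are the ones Windows writes in event 4625.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session on the server.
# Assumptions: a 24-hour look-back, a threshold of 10 failures per source IP,
# and a firewall rule named 'Block 4625 offenders' that this script owns.
param(
    [int]$Hours = 24,
    [int]$Threshold = 10,
    [string]$RuleName = 'Block 4625 offenders'
)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Flatten each event's EventData into a row; the message text in the post is built from these fields.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = $data['TargetUserName']     # "Account For Which Logon Failed: Account Name"
        LogonType = $data['LogonType']          # 3 = network logon, as in the post
        SourceIP  = $data['IpAddress']          # "Source Network Address", absent from the truncated excerpts
        SubStatus = $data['SubStatus']          # 0xC0000064 = no such user, 0xC000006A = bad password
    }
}

# Keep only network logons with a real remote address, then count failures per source.
$summary = $rows |
    Where-Object { $_.LogonType -eq '3' -and $_.SourceIP -and
                   $_.SourceIP -notin @('-', '::1', '127.0.0.1') } |
    Group-Object SourceIP |
    Where-Object { $_.Count -ge $Threshold } |
    ForEach-Object {
        [pscustomobject]@{
            SourceIP     = $_.Name
            Failures     = $_.Count
            Accounts     = ($_.Group.User | Sort-Object -Unique) -join ','
            UnknownUsers = @($_.Group | Where-Object { $_.SubStatus -eq '0xC0000064' }).Count
            FirstSeen    = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen     = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } | Sort-Object Failures -Descending

$summary | Format-Table -AutoSize

# Add the offenders to a single inbound block rule, merging with any addresses already in it.
if ($summary) {
    $ips  = @($summary.SourceIP)
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if ($rule) {
        $existing = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
        Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress (($existing + $ips) | Sort-Object -Unique)
    } else {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block -RemoteAddress $ips | Out-Null
    }
}
```

The UnknownUsers column is the signal the question describes: a high share of sub-status 0xC0000064 (account does not exist) against one source means a list of guessed usernames, not a mistyped password from a real user. Blocking by address carries the downside the answer names (shared or spoofed sources), so the rule here is kept as one named rule that can be inspected and trimmed; the more durable fix is the answer's last point, restricting the inbound rule for these ports to known source ranges rather than chasing individual offenders.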
