If you get hundreds of these 4625 events, it is probably because your server has Remote Desktop enabled and is facing the internet. For example, your server may be on AWS or Azure with RDP port 3389 allowed from any public source IP.
Cloud Network Firewall Fix:
Assuming you keep the Remote Desktop service running, configure the AWS / Azure Security Group’s inbound rules to allow only your IP to connect to port 3389. These events should then stop occurring. In summary, you are blocking all IP addresses except yours.
Windows Server Firewall Fix:
As usual, back up your servers first. If you block your own IP from reaching the server’s Remote Desktop port with the Windows Server firewall, you will need to do a restore.
What if you cannot simply block everything except your own IP? Or maybe you want to find out the specific IP that is causing the event?
If you examine the event, you will see that there is no network info: the Workstation Name, Source Network Address and Source Port are all blank. I will show you how to find out the source network address.
In fact, there is little useful info. We know Logon Type: 3 means a “network logon”.
We know Account Name: “ADMIN1” does not exist on our server, so it is a guessed account name. The Sub Status: 0xc0000064 (unknown user name) confirms that.
If you see Account Name: “Administrator” with Sub Status: 0xc000006a, it means the attacker guessed the wrong password for an account that does exist.
You need to note one key piece of info: the event date and time (in the Event XML), down to the sub-second level.
Download and run Process Monitor (not Process Explorer) and let it start capturing data. When you see a new event 4625, stop the capture and start looking through the big log. Locate the log entries closest to the event date and time. You may see errors such as LOGON FAILURE or NAME NOT FOUND. Going backward in time, you may come across some entries regarding the Remote Desktop connection. Note that “ms-wbt-server” is port 3389, used by RDP.
That entry tells you the source IP of the machine trying to connect and log on. That is the source IP you can add to the Windows Firewall and block.
Again, DO NOT BLOCK your own IP. Otherwise, you will not be able to remote desktop to the server any more.
An account failed to log on.
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: ADMIN1
Failure Reason: Unknown user name or bad password.
Sub Status: 0xc0000064
Caller Process ID: 0x0
Caller Process Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
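The following PowerShell is an added example, not code from the original post. It covers the two Windows-side steps above: summarising the 4625 network logons in the Security log per source address and Sub Status (so you can see at a glance how many events carry a blank Source Network Address, like the sample event), scoping the built-in Remote Desktop allow rules to your own IP (the Windows Firewall equivalent of the Security Group fix), and blocking a single address found with Process Monitor. The block function refuses any address that currently holds an established RDP connection to the server, which is a simple guard against the lock-out the post warns about. The function names and the address 203.0.113.45 are assumptions made for this example; run it in an elevated PowerShell session on a server with the NetSecurity module (Windows Server 2012 or later).

```powershell
# Added example, not code from the original post. Run elevated on the server.

# Summarise event 4625 network logons (Logon Type 3) per source address.
# Sub Status codes quoted in the post: 0xc0000064 = unknown user name,
# 0xc000006a = wrong password. Source is '-' when the event carries no
# network information, as in the post's sample event.
function Get-RdpLogonFailureSummary {
    param([int]$MaxEvents = 5000)

    $subStatusNames = @{
        '0xc0000064' = 'unknown user name'
        '0xc000006a' = 'wrong password'
    }
    $filter = @{ LogName = 'Security'; Id = 4625 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # Pull the EventData fields out of the event XML by name.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = [string]$d.'#text' }
        if ($data['LogonType'] -ne '3') { continue }   # network logons only

        $sub    = ([string]$data['SubStatus']).ToLower()
        $reason = 'other'
        if ($subStatusNames.ContainsKey($sub)) { $reason = $subStatusNames[$sub] }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Source    = $data['IpAddress']
            Account   = $data['TargetUserName']
            SubStatus = $sub
            Reason    = $reason
        }
    }

    # One line per source address, busiest first.
    $rows | Group-Object Source | ForEach-Object {
        [pscustomobject]@{
            Source        = $_.Name
            Attempts      = $_.Count
            UnknownUser   = @($_.Group | Where-Object SubStatus -eq '0xc0000064').Count
            WrongPassword = @($_.Group | Where-Object SubStatus -eq '0xc000006a').Count
            Accounts      = ($_.Group.Account | Sort-Object -Unique) -join ','
            LastSeen      = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } | Sort-Object Attempts -Descending
}

# Windows Firewall equivalent of the Security Group fix: limit the built-in
# "Remote Desktop" inbound allow rules to your own address(es). Check the
# address twice before running; a wrong value locks you out.
function Limit-RdpSourceAddress {
    param([Parameter(Mandatory)][string[]]$AllowedAddress)
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $AllowedAddress
}

# Block one source address on port 3389. Refuses a blank address and any
# address that has an established RDP connection to this server right now.
function Block-RdpSourceAddress {
    param([Parameter(Mandatory)][string]$Address)

    if ($Address -eq '-' -or [string]::IsNullOrWhiteSpace($Address)) {
        throw 'The event carries no source address; find it with Process Monitor first.'
    }
    $mySessions = Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty RemoteAddress
    if ($mySessions -contains $Address) {
        throw "Refusing to block $Address because it has an RDP session to this server right now."
    }
    $name = "Block RDP from $Address"
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        return "Rule '$name' already exists."
    }
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
        -Protocol TCP -LocalPort 3389 -RemoteAddress $Address -Profile Any | Out-Null
    return "Created rule '$name'."
}

# Usage: review the summary first, then block the address you confirmed in
# Process Monitor. 203.0.113.45 is a constructed placeholder, not a real finding.
Get-RdpLogonFailureSummary | Format-Table -AutoSize
# Block-RdpSourceAddress -Address '203.0.113.45'
```

The summary is read-only, so it is safe to run before deciding anything. Both firewall functions change rules immediately; Limit-RdpSourceAddress accepts a list, so you can pass a CIDR range or several addresses if you connect from more than one place, and the established-session check in Block-RdpSourceAddress only protects the address you are connected from at that moment, not an office address you happen not to be using.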