How to Troubleshoot Audit Failure Event 4625

If you get hundreds of these 4625 events, it is probably because your server has Remote Desktop enabled and is facing the internet.  For example, your server may be on AWS or Azure with RDP port 3389 allowed for any public source IP.

Cloud Network Firewall Fix:

Assuming you keep the Remote Desktop service running, you should configure the AWS / Azure Security Group's inbound rules to allow only your IP to connect to port 3389.  All these events should stop occurring.  In summary, you are blocking all IP addresses except yours.

Windows Server Firewall Fix:

As usual, please back up your server first.  If you block your own IP from accessing the server's Remote Desktop port using the Windows Server firewall, you will need to do a restore.

What if you cannot simply block everything except your own IP?  Or maybe you want to find out the specific IP that is causing that event?

If you examine the event, you will see that there is no network info: Workstation Name, Source Network Address and Source Port are all empty.  I will show you how to find out the source network address.

In fact, there is little useful info.  We know Logon Type: 3 means a “network logon”.

We know Account Name: "ADMIN1" does not exist on our server, so it is a guessed account name.  The Sub Status: 0xc0000064 confirms that.

If you see Account Name: "Administrator" and Sub Status: 0xc000006a, it means the hacker guessed the wrong password.

You need to write down one key piece of info: the event date and time (in the Event XML), down to the sub-second level.

Download and run Process Monitor (not Process Explorer).  Run it and let it start capturing data.  When you see a new event 4625, stop the capture and start looking through the big log.  Locate the log entries closest to the event date and time.  You may see errors such as LOGON FAILURE or NAME NOT FOUND.  Going backward in time, you may come across some log entries regarding the Remote Desktop connection.  Note that "ms-wbt-server" is port 3389, used by RDP.

That Process Monitor entry tells you the source IP of the machine trying to connect and log on.  That is the source IP you can add to the Windows Firewall and block.

Again, DO NOT BLOCK your own IP.  Otherwise, you can no longer Remote Desktop to the server.

An account failed to log on.

Subject:
    Security ID:        NULL SID
    Account Name:        –
    Account Domain:        –
    Logon ID:        0x0

Logon Type:            3

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:        ADMIN1
    Account Domain:       

Failure Information:
    Failure Reason:        Unknown user name or bad password.
    Status:            0xc000006d
    Sub Status:        0xc0000064

Process Information:
    Caller Process ID:    0x0
    Caller Process Name:    –

Network Information:
    Workstation Name:   
    Source Network Address:    –
    Source Port:        –

Detailed Authentication Information:
    Logon Process:        NtLmSsp
    Authentication Package:    NTLM
    Transited Services:    –
    Package Name (NTLM only):    –
    Key Length:        0

Reference:

https://www.mcbsys.com/blog/2014/10/use-process-monitor-to-find-event-4625/

Setup IIS FTP Service Passive Mode Ports

If you have IIS with FTP passive mode enabled, you probably want to specify the port range for data channels.  That way, you can open exactly that port range in your firewall.

Open the IIS server's "FTP Firewall Support" feature.  There, for example, you can set the Data Channel Port Range to go from port 5000 to port 5100.

Click "Apply".  You must restart the Microsoft FTP Service in order for the port range to take effect.  Doing "iisreset" is not sufficient.

Troubleshooting Tip:

If you test it using the FileZilla client, set the debug level to 3 (verbose) in order to see the data channel port requested by the server.

The key info you are looking for is the following:

227 Entering Passive Mode (a1,a2,a3,a4,p1,p2).

The data channel port is p1*256 + p2.

Thus,

"227 Entering Passive Mode (54,20,20,88,228,225)." means the data channel uses port 228*256 + 225 = 58593.

Make sure that port falls within the range specified in IIS FTP and is allowed by the firewall inbound rules.
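As an added worked example (not part of the original post), here is a small Python helper that parses a 227 reply, computes p1*256 + p2 and checks the result against the data channel range configured in IIS; the 5000-5100 range and the sample replies are assumed values taken from the example above.

```python
import re

# Assumed data channel range, taken from the 5000-5100 example in the post;
# set this to whatever range is actually configured in IIS FTP Firewall Support.
CONFIGURED_RANGE = (5000, 5100)

# 227 reply as shown in the post: "227 Entering Passive Mode (a1,a2,a3,a4,p1,p2)."
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Return (host, port) from a 227 reply, or None if it is not a valid 227."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    a1, a2, a3, a4, p1, p2 = (int(x) for x in m.groups())
    # Each of the six fields is one byte; anything above 255 is malformed.
    if max(a1, a2, a3, a4, p1, p2) > 255:
        return None
    return f"{a1}.{a2}.{a3}.{a4}", p1 * 256 + p2


def check_pasv(reply, port_range=CONFIGURED_RANGE):
    """Report whether the port advertised in a 227 reply lies in the configured range."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return {"ok": False, "reason": "not a valid 227 reply"}
    host, port = parsed
    lo, hi = port_range
    if lo <= port <= hi:
        return {"ok": True, "host": host, "port": port}
    return {
        "ok": False, "host": host, "port": port,
        "reason": f"port {port} is outside {lo}-{hi}: check the IIS range and "
                  "restart the Microsoft FTP Service (iisreset is not enough)",
    }


if __name__ == "__main__":
    # Constructed sample replies; the first is the one quoted in the post.
    for reply in ("227 Entering Passive Mode (54,20,20,88,228,225).",
                  "227 Entering Passive Mode (54,20,20,88,19,136)."):
        print(reply, "->", check_pasv(reply))
```

Run it against the 227 line from your FileZilla debug log; an "ok": False result with a port outside the range means the configured range has not taken effect yet.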

Reference:

http://slacksite.com/other/ftp.html

http://www.serv-u.com/respcode.asp?resp=227

How to Reduce Spam Mail

To opt out of credit card/insurance offers, go to www.optoutprescreen.com.  It is free.  You need to fill out your date of birth and Social Security number.

To reduce incoming telemarketing calls, go to www.donotcall.gov.  It is free.

To opt out of mail catalogs, magazines, etc, go to www.DMAchoice.org. The cost is $2 for 10 years.

Reference:

Here are the official instructions from the FTC:

https://www.consumer.ftc.gov/articles/0262-stopping-unsolicited-mail-phone-calls-and-email