
Event 4625 Windows security auditing failed to log on. Failure Reason: Unknown user name or bad password

I have a Windows Server 2012 R2 Azure virtual instance and a few ports are open on it, i.e. (80, 443, RDC). I have observed the below logs in the Windows Event Viewer in the Security section.

Event 4625: Microsoft Windows security auditing

-------log description start
An account failed to log on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: ALLISON
Account Domain:

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064

Process Information:
Caller Process ID: 0x0
Caller Process Name: -

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

-------log description end

The logs are continuously generated in Event Viewer (3-4 requests per second) and the account name always changes, as mentioned below.

  1. Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: ATCNSBAYFG

  2. Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: SUPPORT

  3. Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: SUPPORT

  4. Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: HAYLEY

  5. Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: TEST5
    and more...

What I tried:
1. Disabled all the open ports from the Azure portal, even RDC.
2. Disabled the Windows Essentials services.
3. Disabled the Alert Evaluations task from the Windows scheduler.

But still the logs are being generated in Event Viewer. Is this Windows being attacked or something else? And how to prevent this?
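Added example, not part of the original post or any answer on this page: a PowerShell triage of 4625 records that turns the stream above into a table of source address, account, sub-status and attempt count. The records it runs on offline are constructed here in the real 4625 XML layout; `Get-Live4625` reads the actual Security log in an elevated session. The blank Source Network Address in the post is what an NTLM failure behind RDP's Network Level Authentication looks like, so `Get-RdpFailureSourceIPs` pulls the client address from the RdpCoreTS operational log instead (event 140; an assumption that the log is enabled, which is its default). The address 203.0.113.7 and the timestamps are constructed sample data.

```powershell
# Added example, not part of the original post. Parses 4625 records into a
# table so the noise above becomes "who, from where, how often". The sample
# records are constructed here; Get-Live4625 reads the real Security log.

function ConvertFrom-Logon4625 {
    # Pull the EventData fields that matter for brute-force triage out of the
    # event XML (the same XML Event Viewer shows on its Details > XML View tab).
    param([Parameter(Mandatory)][xml]$EventXml)
    $d = @{}
    foreach ($f in $EventXml.Event.EventData.Data) {
        $d[$f.GetAttribute('Name')] = $f.InnerText.Trim()
    }
    [pscustomobject]@{
        Time        = [datetime]$EventXml.Event.System.TimeCreated.SystemTime
        Account     = $d['TargetUserName']
        LogonType   = [int]$d['LogonType']
        SubStatus   = $d['SubStatus'].ToUpper()
        AuthPackage = $d['AuthenticationPackageName']
        Workstation = $d['WorkstationName']
        SourceIP    = $d['IpAddress']
    }
}

function Get-Live4625 {
    # Elevated session required: reading the Security log needs admin rights.
    param([datetime]$Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } |
        ForEach-Object { ConvertFrom-Logon4625 ([xml]$_.ToXml()) }
}

function Get-FailedLogonSummary {
    # Groups attempts by source and account. SubStatus 0xC0000064 means the
    # user name does not exist (a dictionary scan, as in the post); 0xC000006A
    # means a wrong password for an account that does exist: act on those.
    param([Parameter(Mandatory)][object[]]$Records)
    $Records | Group-Object SourceIP, Account, SubStatus | ForEach-Object {
        $sorted = @($_.Group | Sort-Object Time)
        [pscustomobject]@{
            SourceIP      = $sorted[0].SourceIP
            Account       = $sorted[0].Account
            SubStatus     = $sorted[0].SubStatus
            Attempts      = $_.Count
            First         = $sorted[0].Time
            Last          = $sorted[-1].Time
            RealAccount   = ($sorted[0].SubStatus -eq '0xC000006A')
        }
    } | Sort-Object Attempts -Descending
}

function Get-RdpFailureSourceIPs {
    # Behind Network Level Authentication the failed NTLM exchange is logged as
    # 4625 with no source address (the post's case). The RdpCoreTS operational
    # log does record the client IP in event 140 ("...failed because the user
    # name or password is not correct"), so tally the addresses from there.
    # Assumes that log is enabled (its default).
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'; Id = 140
    } -ErrorAction SilentlyContinue |
        ForEach-Object { if ($_.Message -match '(\d{1,3}\.){3}\d{1,3}') { $Matches[0] } } |
        Group-Object -NoElement | Sort-Object Count -Descending
}

function New-Sample4625Xml {
    # Constructed sample record in the real 4625 layout (not captured from the
    # poster's server). Only the fields the parser reads are filled in.
    param($Account, $IpAddress = '-', $SubStatus = '0xC0000064', $Time = '2020-05-01T10:00:00Z')
@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="$Time"/></System>
  <EventData>
    <Data Name="TargetUserName">$Account</Data><Data Name="TargetDomainName"></Data>
    <Data Name="Status">0xC000006D</Data><Data Name="SubStatus">$SubStatus</Data>
    <Data Name="LogonType">3</Data><Data Name="LogonProcessName">NtLmSsp </Data>
    <Data Name="AuthenticationPackageName">NTLM</Data><Data Name="WorkstationName"></Data>
    <Data Name="IpAddress">$IpAddress</Data><Data Name="IpPort">-</Data>
  </EventData>
</Event>
"@
}

# Offline demonstration on constructed records: a user-name scan with no
# source address (like the post), plus one wrong-password hit on a real
# account from the sample address 203.0.113.7.
$records = @(
    New-Sample4625Xml -Account 'ALLISON'
    New-Sample4625Xml -Account 'SUPPORT' -Time '2020-05-01T10:00:01Z'
    New-Sample4625Xml -Account 'SUPPORT' -Time '2020-05-01T10:00:02Z'
    New-Sample4625Xml -Account 'administrator' -IpAddress '203.0.113.7' -SubStatus '0xC000006A' -Time '2020-05-01T10:00:03Z'
) | ForEach-Object { ConvertFrom-Logon4625 ([xml]$_) }
Get-FailedLogonSummary -Records $records | Format-Table -AutoSize

# On the server itself:
# Get-FailedLogonSummary -Records (Get-Live4625) | Format-Table -AutoSize
# Get-RdpFailureSourceIPs
```

The SubStatus split is the useful signal: rows with 0xC0000064 are a wordlist of names that do not exist on the box and only tell you that something is scanning; rows with 0xC000006A name an account the attacker has confirmed exists, and that account's password strength and exposure are what to check first.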

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

For testing, remove EVERYONE from the folder and use the local group Users with Modify permission instead of EVERYONE.

4625: An account failed to log on https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625

Some applications use the guest account to achieve some function; if you worry about safety you can keep it disabled or enabled based on your practical application.

Can you turn on failure auditing for authentication attempts?

Get help from this auditing solution to track the source of failed logon attempts in Active Directory.

Hope this helps!
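Added example, not from any of the answers above: the concrete commands behind "turn on failure auditing" (auditpol), and the host-firewall change that stops the guessing from reaching the authentication code at all, with a check that the 4625 stream has dried up afterwards. The management range 198.51.100.0/24 is an assumed placeholder; substitute the address you actually administer from, and mirror the same restriction in the Azure NSG for port 3389.

```powershell
# Added example, not from the answers above. Run in an elevated PowerShell
# session on the server. 198.51.100.0/24 is an assumed management range.

# 1. Is failure auditing for logons on? The poster already sees 4625 events,
#    so it is; this confirms the setting and enables both halves if not.
auditpol /get /subcategory:"Logon"
auditpol /set /subcategory:"Logon" /success:enable /failure:enable

# 2. Scope the built-in Remote Desktop firewall rules (TCP and UDP 3389) to
#    the management range so password guessing from the internet is dropped
#    before NTLM ever sees it. Apply the same restriction in the Azure NSG.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress 198.51.100.0/24
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

# 3. Confirm the noise stops: 4625 count for the last 10 minutes should fall
#    to zero once the rules are in place. -ErrorAction handles the
#    "No events were found" error Get-WinEvent raises on an empty result.
$since = (Get-Date).AddMinutes(-10)
(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
    -ErrorAction SilentlyContinue | Measure-Object).Count
```

Account lockout is deliberately not part of this: the attempts in the post target names that do not exist, so a lockout threshold would not slow them down, and on a real account it hands an attacker a way to lock the administrator out.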
