Remote Desktop failed logon event 4625 not logging IP address on 2008 Terminal Services server

loggingterminal-serverwindows-server-2008-r2

When I use the new remote desktop with ssl and try to log on with bad credentials it logs a 4625 event as expected. The problem is, it doesn't log the ip address, so I can't block malicious logons in our firewall. The event looks like this:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{00000000-0000-0000-0000-000000000000}" /> 
        <EventID>4625</EventID> 
        <Version>0</Version> 
        <Level>0</Level> 
        <Task>12544</Task> 
        <Opcode>0</Opcode> 
        <Keywords>0x8010000000000000</Keywords> 
        <TimeCreated SystemTime="2012-04-13T06:52:36.499113600Z" /> 
        <EventRecordID>467553</EventRecordID> 
        <Correlation /> 
        <Execution ProcessID="544" ThreadID="596" /> 
        <Channel>Security</Channel> 
        <Computer>ontheinternet</Computer> 
        <Security /> 
    </System>
    <EventData>
        <Data Name="SubjectUserSid">S-1-0-0</Data> 
        <Data Name="SubjectUserName">-</Data> 
        <Data Name="SubjectDomainName">-</Data> 
        <Data Name="SubjectLogonId">0x0</Data> 
        <Data Name="TargetUserSid">S-1-0-0</Data> 
        <Data Name="TargetUserName">notauser</Data> 
        <Data Name="TargetDomainName">MYSERVER-PC</Data> 
        <Data Name="Status">0xc000006d</Data> 
        <Data Name="FailureReason">%%2313</Data> 
        <Data Name="SubStatus">0xc0000064</Data> 
        <Data Name="LogonType">3</Data> 
        <Data Name="LogonProcessName">NtLmSsp</Data> 
        <Data Name="AuthenticationPackageName">NTLM</Data> 
        <Data Name="WorkstationName">MYSERVER-PC</Data> 
        <Data Name="TransmittedServices">-</Data> 
        <Data Name="LmPackageName">-</Data> 
        <Data Name="KeyLength">0</Data> 
        <Data Name="ProcessId">0x0</Data> 
        <Data Name="ProcessName">-</Data> 
        <Data Name="IpAddress">-</Data> 
        <Data Name="IpPort">-</Data> 
    </EventData>
</Event>

It seems because the logon type is 3 and not 10 like the old rdp sessions, the ip address and other information is not stored.

The machine I am trying to connect from is on the internet and not on the same network as the server.

Does anyone know where this information is stored (and what other events are generated with a failed logon)?

Any help will be much appreciated.

Best Answer

Using TLS/SSL as encryption for the RDP protocol, Windows does not log the IP address of the user trying to log in. When you configure the server to encrypt the protocol with the (legacy) RDP encryption, it writes the IP address into the security event log.

You will have to make a trade-off. Either you will have a less secure protocol encryption or you will never know the source of a potential attack. Having the right intrusion detection system (can be downloaded for free), the system will automatically lock out the potential attacker after a defined number of invalid logins.

Read more about RDP security and intelligent intrusion detection and defense here: https://cyberarms.net/security-blog/posts/2012/june/remote-desktop-logging-of-ip-address-(security-event-log-4625).aspx

Related Topic