Windows Web Server Login Attempts

windows, windows-firewall, windows-server-2008

We have a cloud web server serving several e-commerce websites, which is running Windows Server 2008 R2 and IIS 7.5. We access the server via RDC.

After looking at the Windows security log I can see many, many login attempts, which are events:

  • 4776 – The computer attempted to validate the credentials for an account.
  • 4625 – An account failed to log on.

The username in the log is 'administrator', which we don't have; we use a different Windows login as our admin, and we have a complex password. So I'm not worried about someone actually getting into our server; the thing that worries me is the server resources being used.

I know we can lock down RDC access using the windows firewall, so that only our IP is accepted. However I don't know how these login attempts are being done. I don't know if we can distinguish between these login attempts and normal HTTP traffic (our customers).

Can we use the Windows firewall to block these login attempts, but not block our RDC access or our customers visiting our websites?

UPDATE:

From the security log:

Event 4625 - An account failed to log on.

Subject:
    Security ID:        SYSTEM
    Account Name:       [our_server_name]$
    Account Domain:     Workgroup
    Logon ID:       0x3e7

Logon Type:         10

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       Administrator
    Account Domain:     [our_server_name]

Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:         0xc000006d
    Sub Status:     0xc0000064

Process Information:
    Caller Process ID:  0xa44
    Caller Process Name:    C:\Windows\System32\winlogon.exe

Network Information:
    Workstation Name:   [our_server_name]
    Source Network Address: 198.50.172.109
    Source Port:        62246

Detailed Authentication Information:
    Logon Process:      User32 
    Authentication Package: Negotiate
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0

Best Answer

Since you mention Remote Desktop in your question I'll assume that you have Remote Desktop open to the Internet, in which case it's nearly a certainty that these failed logons are coming from Remote Desktop-based brute force attempts.

The details of the Event 4625 messages will tell you what's actually happening. A Remote Desktop logon attempt will show the "Caller Process ID:" as 0x0 and the "Caller Process Name" as -.

Since you say you're not using any authentication on your websites these entries can't be related to clients accessing websites. The "Caller Process Name" would be C:\Windows\System32\inetsrv\w3wp.exe on an IIS-based logon, just in case you want to check.

You shouldn't open Remote Desktop up to the entire Internet. Lock it down to authorized IP addresses at a bare minimum.

Edit:

You can get winlogon.exe as the "Caller Process Name" for invalid Remote Desktop-based logons, too. I'm not able to give you the exact mix of RDP security layer and Windows versions necessary to make it happen but, yes, it's safe to say these are failed Remote Desktop logons.
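The answer above explains how to read a 4625 event (Logon Type, Caller Process Name, Source Network Address) and recommends scoping Remote Desktop to known addresses. The PowerShell below is an added example, not code from the question or answer: it pulls the recent 4625 events from the Security log, flattens the named EventData fields the answer refers to, summarises RDP (Logon Type 10) failures per source address, checks whether any failures came from IIS (w3wp.exe), and then restricts the built-in "Remote Desktop (TCP-In)" firewall rule to a management address. It uses only cmdlets available on Windows Server 2008 R2 (PowerShell 2.0, netsh advfirewall); the 24-hour window and the 203.0.113.10 management address are assumptions to replace with your own values.

```powershell
# Added example (not part of the original Q&A). Run from an elevated PowerShell
# prompt on the server: reading the Security log and changing firewall rules
# both require administrator rights.

function ConvertFrom-FailedLogon {
    # Flatten one 4625 event into an object using the named EventData fields.
    # Field names (TargetUserName, LogonType, IpAddress, ProcessName, SubStatus)
    # are the ones Windows writes into the 4625 event XML.
    param([Parameter(ValueFromPipeline=$true)] $Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        New-Object PSObject -Property @{
            Time       = $Event.TimeCreated
            TargetUser = $data['TargetUserName']
            LogonType  = [int]$data['LogonType']   # 10 = RemoteInteractive (RDP), 3 = Network, 2 = Interactive
            SourceIP   = $data['IpAddress']        # '-' when there is no network source
            CallerProc = $data['ProcessName']      # winlogon.exe for RDP logons, w3wp.exe for IIS logons
            SubStatus  = $data['SubStatus']        # 0xC0000064 = user name does not exist, 0xC000006A = bad password
        }
    }
}

# ASSUMPTION: a 24-hour window is enough to see the pattern; widen it if the log is quiet.
$since  = (Get-Date).AddHours(-24)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } |
          ConvertFrom-FailedLogon

# Who is hammering Remote Desktop: Logon Type 10 failures grouped by source address,
# with the account names they tried. Many attempts from one address against
# 'Administrator' is the brute-force signature the answer describes.
$failed | Where-Object { $_.LogonType -eq 10 } |
    Group-Object SourceIP | Sort-Object Count -Descending |
    Select-Object Count,
                  @{ n = 'SourceIP'; e = { $_.Name } },
                  @{ n = 'Users';    e = { ($_.Group | ForEach-Object { $_.TargetUser } | Select-Object -Unique) -join ',' } } |
    Format-Table -AutoSize

# Cross-check: failures whose caller is the IIS worker process would indicate
# website authentication, which anonymous shoppers never trigger. Expect 0 here.
$iisFailures = @($failed | Where-Object { $_.CallerProc -like '*\w3wp.exe' }).Count
"4625 events raised by IIS (w3wp.exe): $iisFailures"

# Lock Remote Desktop down to your management address only. The built-in inbound
# rule on 2008 R2 is named "Remote Desktop (TCP-In)" (TCP 3389); setting its
# remote IP scope does not touch the separate World Wide Web Services rules for
# 80/443, so customers keep reaching the sites. New-NetFirewallRule does not
# exist on 2008 R2, hence netsh.
# ASSUMPTION: 203.0.113.10 is a placeholder from the documentation range; use
# your real static IP(s), comma-separated, or a CIDR such as 203.0.113.0/24.
$allowedRdpSources = '203.0.113.10'
netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new remoteip=$allowedRdpSources

# Verify the scope took effect before you disconnect your own session.
netsh advfirewall firewall show rule name="Remote Desktop (TCP-In)"
```

Two practical cautions: change the rule from a session whose source address is in the allowed list, and test a fresh RDP connection before closing the current one, because a typo in remoteip locks you out of your own server. Blocking individual attacker addresses such as the one in the log is a losing game; scoping the rule to your own addresses is what actually stops the log noise and the wasted CPU.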