1

I have several public servers that we remote in to through remote desktop services. I have Remote Desktop - User Mode (tcpip-in) set to only allows specific remote ip addresses through. I have checked and the windows firewall is enabled. I have all of the other rules for remote desktop disabled.

I am still getting events such as these in my event log:

An account failed to log on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Logon Type:         3

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       Administrator
    Account Domain:     

Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:         0xC000006D
    Sub Status:     0xC0000064

Process Information:
    Caller Process ID:  0x0
    Caller Process Name:    -

Network Information:
    Workstation Name:   \\94.102.52.22
    Source Network Address: 94.102.52.22
    Source Port:        54358

I do not have the option for a hardware firewall so I have to rely on the windows firewall, which has been fine up till now.

How are they able to get to the login option to begin with? Shouldn't the windows firewall block them before they get that far?

chicks
  • 3,793
  • 10
  • 27
  • 36
Concerned Citizen
  • 11
  • 2
  • 3
    Logon Type 3 is a network logon, but it isn't an RDP logon attempt. An RDP logon attempt is Logon Type 10: Remote Interactive. To get more detail about what type of network logon this is you may need to run a packet capture (such as Wireshark) on the server until you see a new event in the event log. Then filter the Wireshark capture for the source address and analyze what type of traffic is related to the logon attempt. – joeqwerty Oct 04 '16 at 03:45

0 Answers0