
I'm encountering multiple failed logon events '4625' on my Windows terminal server. I was quite sure this was due to RDP access from outside. I have closed RDP access from outside but I'm still having tons of failed logon events.

The username of these attempts is randomly generated. The bad thing is that the source IP is empty.

I cannot shut down the terminal server during business hours. What is the way forward to troubleshoot / solve this issue?

user2307236
  • Use something like Wireshark on the terminal server to find out where the connection attempts are coming from and then proceed from there – Drifter104 May 30 '19 at 14:52
  • Can you guide me on what I have to search for in Wireshark? – user2307236 May 30 '19 at 15:00
  • Start here > https://www.wireshark.org/download.html and then Google is your friend; it is fairly straightforward to filter traffic etc. – Drifter104 May 30 '19 at 15:06
  • What version of Windows is this? – Daniel K May 30 '19 at 15:54
  • You might find this technote helpful: https://social.technet.microsoft.com/Forums/windows/en-US/9aae317a-1482-49de-b88b-7a6ff73deead/event-id-4625-logon-type-3-how-to-discover-from-where-the-login-is-being-attempted?forum=winserversecurity – Ron Trunk May 30 '19 at 16:10

1 Answer

Starting with Windows 7 and Windows Server 2008 R2, network capture has been built-in and native to the Windows OS. There is a good blog post to get you started here.

You can set up a capture filter to only capture traffic to port 3389 (RDP) and then look at the capture using Network Monitor 3.3 (download from Microsoft). It should be fairly easy to see the RDP connection attempts and it would be impossible to hide the source IP.

A valid alternative to the native tools would be Wireshark.

Daniel K