In a Windows Server's Event Viewer we found nearly 30,000+ logs of Event ID 4625. One of them is provided below in detail. Each is similar, with a different logon type and process name. In the firewall we have blocked every port except three: RDP, DB and App Server. What is the reason behind it? We feel that someone is attacking the server and taking the server down. Is it true? How do we control this threat? Every minute hundreds of events are being generated.
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2016-04-02T04:59:46.124337300Z" />
<EventRecordID>428136</EventRecordID>
<Correlation />
<Execution ProcessID="468" ThreadID="532" />
<Channel>Security</Channel>
<Computer>application-server</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">APPLICATION-SER$</Data>
<Data Name="SubjectDomainName">WORKGROUP</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">Administrator</Data>
<Data Name="TargetDomainName">APPLICATION-SER</Data>
<Data Name="Status">0xc000006d</Data>
<Data Name="FailureReason">%%2313</Data>
<Data Name="SubStatus">0xc000006a</Data>
<Data Name="LogonType">10</Data>
<Data Name="LogonProcessName">User32</Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName">APPLICATION-SER</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0xd4c</Data>
<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
<Data Name="IpAddress">198.217.30.23</Data>
<Data Name="IpPort">55751</Data>
</EventData>
</Event>
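The fields in the posted event carry most of the answer: LogonType 10 is RemoteInteractive (RDP), Status 0xc000006d is STATUS_LOGON_FAILURE, SubStatus 0xc000006a means the user name exists but the password was wrong, and IpAddress is an external host. Hundreds of such events per minute from outside is the signature of password guessing against the exposed RDP port. As an added example that is not part of the original post or any answer to it, the following Python script parses 4625 events in the XML layout shown above, decodes the logon type and SubStatus, and flags source addresses that produce a burst of failures inside a sliding window. The events it runs on are constructed test data (the 198.217.30.23 address from the post plus an assumed internal workstation 10.0.0.5); the threshold of 10 failures in 60 seconds is an assumed starting point, not a Windows default.

```python
# Added example (not from the original post): parse Windows Security 4625 events
# in the Event Viewer XML layout and flag per-source-IP password-guessing bursts.
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Well-known NTSTATUS values that appear in the SubStatus field of 4625.
# Status 0xc000006d (STATUS_LOGON_FAILURE) and FailureReason %%2313
# ("Unknown user name or bad password") are the generic wrappers around these.
SUBSTATUS = {
    0xC0000064: "user name does not exist",
    0xC000006A: "correct user name, wrong password",
    0xC0000234: "account locked out",
    0xC0000072: "account disabled",
    0xC000006F: "logon outside permitted hours",
    0xC0000070: "workstation restriction",
    0xC0000071: "password expired",
}
LOGON_TYPE = {2: "Interactive", 3: "Network", 7: "Unlock", 10: "RemoteInteractive (RDP)"}


def parse_4625(xml_text):
    """Return the fields of one 4625 event that matter for triage."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): d.text for d in root.find("e:EventData", NS)}
    when = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    # SystemTime carries 7-9 fractional digits; keep whole seconds only.
    stamp = datetime.strptime(when[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return {
        "time": stamp,
        "user": data["TargetUserName"],
        "ip": data["IpAddress"],
        "logon_type": int(data["LogonType"]),
        "substatus": int(data["SubStatus"], 16),
    }


def describe(ev):
    """One human-readable triage line per event."""
    lt = LOGON_TYPE.get(ev["logon_type"], str(ev["logon_type"]))
    why = SUBSTATUS.get(ev["substatus"], hex(ev["substatus"]))
    return f'{ev["time"]:%H:%M:%S} {ev["ip"]} -> {ev["user"]} [{lt}]: {why}'


def find_bursts(events, threshold=10, window=timedelta(seconds=60)):
    """Sliding window per source IP: report IPs with >= threshold failures in any window."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    bursts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > bursts.get(ip, {}).get("count", 0):
                users = sorted({e["user"] for e in evs[start:end + 1]})
                bursts[ip] = {"count": count, "users": users}
    return bursts


def make_event(ts, user, ip, logon_type=10, substatus=0xC000006A):
    """Constructed sample 4625 event (test data, not a real log record)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="{ts}Z"/><Channel>Security</Channel></System>
  <EventData>
    <Data Name="TargetUserName">{user}</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">{substatus:#010x}</Data>
    <Data Name="LogonType">{logon_type}</Data>
    <Data Name="IpAddress">{ip}</Data>
  </EventData>
</Event>"""


def sample_events():
    """Constructed data set: one external guessing run plus two benign internal typos."""
    base = datetime(2016, 4, 2, 4, 59, 0)
    names = ["Administrator"] * 6 + ["admin", "root", "sqladmin", "test", "Administrator", "backup"]
    xmls = []
    for i, user in enumerate(names):  # 12 attempts, 4 s apart, from the address in the post
        t = base + timedelta(seconds=4 * i)
        sub = 0xC000006A if user == "Administrator" else 0xC0000064
        xmls.append(make_event(t.strftime("%Y-%m-%dT%H:%M:%S.0000000"), user, "198.217.30.23", 10, sub))
    # Assumed internal admin workstation: two mistyped passwords an hour apart.
    xmls.append(make_event("2016-04-02T03:10:05.0000000", "Administrator", "10.0.0.5", 10))
    xmls.append(make_event("2016-04-02T04:12:31.0000000", "Administrator", "10.0.0.5", 10))
    return xmls


if __name__ == "__main__":
    events = [parse_4625(x) for x in sample_events()]
    for ev in events:
        print(describe(ev))
    for ip, info in find_bursts(events).items():
        print(f"BURST {ip}: {info['count']} failures, users tried: {', '.join(info['users'])}")
```

On a real server the same functions can be fed with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} | ForEach-Object { $_.ToXml() }`. The script only identifies the source; the control is at the firewall: an RDP rule open to any remote address will always collect this traffic, so scope the rule's remote addresses to the management network or VPN, and treat the flagged addresses as candidates for an explicit block rule rather than as the whole problem.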