
I am trying to figure out why failed remote desktop connections (from Windows remote desktop) show the client ip address as a hyphen. Here is the event log I get when I type the wrong password for an account (the server is completely external to my home computer):

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2012-03-25T19:22:14.694177500Z" />
    <EventRecordID>1658501</EventRecordID>
    <Correlation />
    <Execution ProcessID="544" ThreadID="12880" />
    <Channel>Security</Channel>
    <Computer>[Delete for Security Purposes]</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">[Delete for Security Purposes]</Data>
    <Data Name="TargetDomainName">[Delete for Security Purposes]</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp </Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">MyComputer</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x0</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">-</Data>
    <Data Name="IpPort">-</Data>
  </EventData>
</Event>

Have found nothing online and am trying to stop terminal services attacks. Any insight is appreciated, I have found nothing online after several hours of searching...

  • possible duplicate of [Event Logging IPAddress does not always resolve](http://stackoverflow.com/questions/1734635/event-logging-ipaddress-does-not-always-resolve) – jjxtra Mar 25 '12 at 19:38
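To make the event above easier to work with in bulk, here is an added Python example (not part of the question or of either answer, and not a Microsoft tool). It parses exported 4625 event XML, decodes the well-known NTSTATUS SubStatus values and LogonType numbers, and, when `IpAddress` is `-` as in the question's NLA/TLS failure, falls back to the client-supplied `WorkstationName` as the attribution key so that repeated failures can still be counted per source. The sample events, host names, user names and the 203.0.113.5 address are constructed for the example; the fallback-to-workstation rule is this example's own choice (the workstation name is supplied by the client and therefore untrusted).

```python
"""Parse Windows Security event 4625 XML and attribute failures to a source,
falling back to WorkstationName when IpAddress is "-" (as in the question)."""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Well-known NTSTATUS values that appear in the SubStatus field of 4625 events.
SUBSTATUS = {
    "0xc000006a": "wrong password",
    "0xc0000064": "user name does not exist",
    "0xc0000072": "account disabled",
    "0xc0000234": "account locked out",
}

# Logon types relevant to RDP: 3 (network, used by NLA/CredSSP pre-auth) and 10 (RemoteInteractive).
LOGON_TYPE = {"2": "Interactive", "3": "Network", "10": "RemoteInteractive"}


def parse_4625(xml_text):
    """Return a dict of the interesting 4625 fields, or None for other event IDs."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4625":
        return None
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    ip = data.get("IpAddress", "-")
    workstation = data.get("WorkstationName", "-")
    # Attribution key (this example's own rule): prefer the IP; when the event
    # carries "-" fall back to the client-supplied, untrusted WorkstationName.
    if ip != "-":
        source = ip
    elif workstation != "-":
        source = "workstation:" + workstation
    else:
        source = "unknown"
    sub = data.get("SubStatus", "").lower()
    return {
        "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        "user": data.get("TargetUserName"),
        "domain": data.get("TargetDomainName"),
        "logon_type": LOGON_TYPE.get(data.get("LogonType"), data.get("LogonType")),
        "auth_package": data.get("AuthenticationPackageName"),
        "reason": SUBSTATUS.get(sub, sub),
        "ip": None if ip == "-" else ip,
        "source": source,
    }


def failures_by_source(events):
    """Count 4625 events per attribution key."""
    counts = Counter()
    for xml_text in events:
        rec = parse_4625(xml_text)
        if rec is not None:
            counts[rec["source"]] += 1
    return dict(counts)


def noisy_sources(events, threshold=2):
    """Sources with at least `threshold` failures, most frequent first."""
    counts = failures_by_source(events)
    return [s for s, n in sorted(counts.items(), key=lambda kv: -kv[1]) if n >= threshold]


# Constructed sample events (not from the original page): the first two mirror the
# question's event with IpAddress "-"; the others carry a client IP (documentation range).
_TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4625</EventID>
    <TimeCreated SystemTime="{time}" />
    <Channel>Security</Channel>
    <Computer>srv01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">{user}</Data>
    <Data Name="TargetDomainName">SRV01</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">{sub}</Data>
    <Data Name="LogonType">{ltype}</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">{ws}</Data>
    <Data Name="IpAddress">{ip}</Data>
    <Data Name="IpPort">{port}</Data>
  </EventData>
</Event>"""


def _event(time, user, sub, ltype, ws, ip, port):
    return _TEMPLATE.format(time=time, user=user, sub=sub, ltype=ltype, ws=ws, ip=ip, port=port)


SAMPLE_EVENTS = [
    _event("2012-03-25T19:22:14Z", "alice", "0xc000006a", "3", "MyComputer", "-", "-"),
    _event("2012-03-25T19:22:20Z", "alice", "0xc000006a", "3", "MyComputer", "-", "-"),
    _event("2012-03-25T19:23:01Z", "administrator", "0xC0000064", "10", "LAPTOP-7", "203.0.113.5", "51822"),
    _event("2012-03-25T19:23:02Z", "admin", "0xC0000064", "10", "LAPTOP-7", "203.0.113.5", "51823"),
    _event("2012-03-25T19:23:03Z", "guest", "0xC0000064", "10", "LAPTOP-7", "203.0.113.5", "51824"),
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        r = parse_4625(e)
        print(f"{r['time']} {r['user']:<14} {r['logon_type']:<18} {r['reason']:<24} {r['source']}")
    print("noisy sources:", noisy_sources(SAMPLE_EVENTS))
```

Feeding this the output of an XML export from Event Viewer (one `<Event>` per string) shows the practical consequence of the question: NLA failures group under `workstation:...` keys that an attacker controls, whereas only entries keyed by a real IP can be acted on by a firewall or lockout rule.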

2 Answers

This is a feature of TLS/SSL encryption of remote desktop. Using the RDP encryption instead (original protocol encryption) you will see all of the IP addresses in 4625 audit messages.

Read more about how to configure RDP sessions and which trade-offs to make.

Having the right intrusion detection and defense system installed, you can simply lock out the attackers, which might make the old encryption more secure than the new one, because if you don't know who the bad guy is, you can't lock him out.


The answer is here; there are some settings to tweak in local security policy:

Event Logging IPAddress does not always resolve
