我们在开发和生产环境中共使用了7个
Windows Server(2008/2012)R2标准版.上个月我们的服务器遭到破坏,我们在Windows事件查看器中发现许多失败的尝试日志.我们尝试过cyberarms IDDS,但事先证明它并不好.
现在我们重新映像了所有服务器并重命名了Administrator / guest帐户.在再次设置服务器之后,我们使用this idds来检测和阻止不需要的IP地址.
IDDS工作正常,但我们仍然在事件查看器中获得4625个事件而没有任何源IP地址.如何阻止来自匿名IP地址的这些请求?
- <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
- <System>
- <Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/>
- <EventID>4625</EventID>
- <Version>0</Version>
- <Level>0</Level>
- <Task>12544</Task>
- <Opcode>0</Opcode>
- <Keywords>0x8010000000000000</Keywords>
- <TimeCreated SystemTime='2015-04-18T15:18:10.818780700Z'/>
- <EventRecordID>187035</EventRecordID>
- <Correlation/>
- <Execution ProcessID='24876' ThreadID='133888'/>
- <Channel>Security</Channel>
- <Computer>s17751123</Computer>
- <Security/>
- </System>
- <EventData>
- <Data Name='SubjectUserSid'>S-1-0-0</Data>
- <Data Name='SubjectUserName'>-</Data>
- <Data Name='SubjectDomainName'>-</Data>
- <Data Name='SubjectlogonId'>0x0</Data>
- <Data Name='TargetUserSid'>S-1-0-0</Data>
- <Data Name='TargetUserName'>aaron</Data>
- <Data Name='TargetDomainName'>\aaron</Data>
- <Data Name='Status'>0xc000006d</Data>
- <Data Name='FailureReason'>%%2313</Data>
- <Data Name='SubStatus'>0xc0000064</Data>
- <Data Name='logonType'>3</Data>
- <Data Name='logonProcessName'>NtLmSsp </Data>
- <Data Name='AuthenticationPackageName'>NTLM</Data>
- <Data Name='WorkstationName'>SSAWSTS01</Data>
- <Data Name='TransmittedServices'>-</Data>
- <Data Name='LmPackageName'>-</Data>
- <Data Name='KeyLength'>0</Data>
- <Data Name='ProcessId'>0x0</Data>
- <Data Name='ProcessName'>-</Data>
- <Data Name='IpAddress'>-</Data>
- <Data Name='IpPort'>-</Data>
- </EventData>
- </Event>
更新:
检查我的防火墙日志后,我认为这些4625事件无论如何都与Rdp无关,但可能是SSH或任何其他我不熟悉的尝试
即使启用了NLA,也会在此处记录失败的RDP尝试的IP地址(无需调整)(在Server 2012 R2上测试,不确定其他版本)
应用程序和服务日志>
微软Windows的RemoteDesktopServices-RdpCoreTS /运营
(事件ID 140)
记录的文本示例:
A connection from the client computer with an IP address of
108.166.xxx.xxx Failed because the user name or password is not correct.
XML:
- - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- - <System>
- <Provider Name="Microsoft-Windows-RemoteDesktopServices-RdpCoreTS" Guid="{1139C61B-B549-4251-8ED3-27250A1EDEC8}" />
- <EventID>140</EventID>
- <Version>0</Version>
- <Level>3</Level>
- <Task>4</Task>
- <Opcode>14</Opcode>
- <Keywords>0x4000000000000000</Keywords>
- <TimeCreated SystemTime="2016-11-13T11:52:25.314996400Z" />
- <EventRecordID>1683867</EventRecordID>
- <Correlation ActivityID="{F4204608-FB58-4924-A3D9-B8A1B0870000}" />
- <Execution ProcessID="2920" ThreadID="4104" />
- <Channel>Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational</Channel>
- <Computer>SERVER</Computer>
- <Security UserID="S-1-5-20" />
- </System>
- - <EventData>
- <Data Name="IPString">108.166.xxx.xxx</Data>
- </EventData>
- </Event>
