Hi,
I'm experiencing hundreds of event ID 4625 entries in my log. They're coming from different IPs, so blocking individual addresses won't work. I have RDP blocked on a firewall. Is there a way to tell what destination port they're trying to connect to? The info below only lists the source port. What other ports would use winlogon.exe if RDP is blocked?
Any help would be appreciated.
An account failed to log on.

Subject:
Security ID: SYSTEM
Account Name: XXXXXX$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Logon Type: 10

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: owner
Account Domain: XXXXXXX

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064

Process Information:
Caller Process ID: 0xfe0
Caller Process Name: C:\Windows\System32\winlogon.exe

Network Information:
Workstation Name: XXXXXX
Source Network Address: 187.168.152.8
Source Port: 20649

Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0