Too many failed logon attempts, untraceable because of missing information

I have a Windows 2008 R2 server that keeps reporting failed logon attempts. Someone is brute-forcing this server and I don't know where it is coming from. The Event ID being triggered is 4625. Here is an example of the audit entry:

An account failed to log on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Logon Type:         3

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       SEMINAR
    Account Domain:     

Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:         0xc000006d
    Sub Status:     0xc0000064

Process Information:
    Caller Process ID:  0x0
    Caller Process Name:    -

Network Information:
    Workstation Name:   
    Source Network Address: -
    Source Port:        -

Detailed Authentication Information:
    Logon Process:      NtLmSsp 
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0

NTLM Operational log:

NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked
Calling process PID: 756
Calling process name: C:\Windows\System32\svchost.exe
Calling process LUID: 0x3e4
Calling process user identity: EW2$
Calling process domain identity: ABC
Mechanism OID: (NULL)

The user is not a real user, and the network information is completely missing. I have logged all NTLM messages to the event log but did not get any additional information. I'm not familiar enough with Network Monitor to spot this NTLM attempt.

I tried turning off the Public and Private firewall profiles, but the attempts still happen.

What else can I do to trace where these logon attempts are coming from?
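One way to work the problem from the event logs before reaching for a packet capture, as an added example that is not from the original question or from any answer to it: a PowerShell script that pulls every 4625 from the Security log, reads the EventData fields by name (so `IpAddress` and `WorkstationName` are checked directly rather than scraped from the rendered message), separates the entries that do carry a source address from the "blind" ones like the entry above, and then matches each blind 4625 against NTLM Operational events logged within a couple of seconds of it so you can see which local process accepted the authentication. Assumptions: it runs in an elevated PowerShell session on the server itself, the log names are the Windows defaults, the `$Hours` parameter and the two-second correlation window are arbitrary choices, and the regex for the calling process expects the English message template shown in the question.

```powershell
# Added example, not part of the original question.
# Assumes an elevated PowerShell session on the affected 2008 R2 server;
# $Hours and the 2-second correlation window below are assumed values.
param(
    [int]$Hours = 24          # how far back to search the logs
)

$since = (Get-Date).AddHours(-$Hours)

# Read the named <Data> fields of a 4625 event from its XML instead of parsing
# the rendered message. New-Object PSObject keeps this working on PowerShell 2.0,
# which is what 2008 R2 ships with.
function ConvertTo-FailedLogonRecord {
    param($Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    New-Object PSObject -Property @{
        Time        = $Event.TimeCreated
        TargetUser  = $data['TargetUserName']
        LogonType   = $data['LogonType']
        AuthPackage = $data['AuthenticationPackageName']
        Workstation = $data['WorkstationName']
        IpAddress   = $data['IpAddress']
        SubStatus   = $data['SubStatus']
    }
}

# 1. Every failed logon in the window. -FilterHashtable filters server-side,
#    which matters on a Security log that is being hammered.
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
              -ErrorAction SilentlyContinue |
          ForEach-Object { ConvertTo-FailedLogonRecord $_ }

# 2. Entries that recorded a source address already answer the question.
"=== Failed logons with a source address ==="
$failed | Where-Object { $_.IpAddress -and $_.IpAddress -ne '-' } |
    Group-Object IpAddress, Workstation |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# 3. The blind entries (IpAddress '-' and an empty workstation), as in the question.
$blind = @($failed | Where-Object { -not $_.IpAddress -or $_.IpAddress -eq '-' })
"=== Failed logons with no source information: $($blind.Count) ==="
$blind | Group-Object TargetUser, LogonType, AuthPackage |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# 4. Correlate each blind 4625 with NTLM Operational events logged within two
#    seconds of it. The "Calling process name" there identifies the local service
#    that accepted the connection (svchost.exe in the question), which tells you
#    which protocol to capture on the wire.
$ntlm = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; StartTime = $since } `
            -ErrorAction SilentlyContinue
"=== Blind 4625s and the NTLM Operational events around them ==="
foreach ($b in @($blind | Select-Object -First 20)) {
    $near = @($ntlm | Where-Object { [math]::Abs(($_.TimeCreated - $b.Time).TotalSeconds) -le 2 })
    foreach ($n in $near) {
        # English message template assumed; the path may contain spaces, so take the rest of the line.
        $m    = [regex]::Match([string]$n.Message, 'Calling process name:\s*([^\r\n]+)')
        $proc = if ($m.Success) { $m.Groups[1].Value.Trim() } else { '?' }
        "{0:u}  user={1}  logon_type={2}  ntlm_event={3}  caller={4}" -f `
            $b.Time, $b.TargetUser, $b.LogonType, $n.Id, $proc
    }
}

# 5. Once the caller is known, capture the matching traffic and open the .etl in
#    Network Monitor to read the client address from the NTLM exchange:
#       netsh trace start capture=yes tracefile=C:\ntlm-capture.etl maxsize=200
#       ... wait for a few more 4625 events ...
#       netsh trace stop
```

Step 4 is the part that does the work in the situation described: a logon type 3 failure through NtLmSsp with an empty `Source Network Address` means the client never presented a workstation name and the NTLM provider did not record the transport address, so the only remaining lead on the host is which service handed the credentials to LSASS. Matching the 4625 timestamps against the NTLM Operational log recovers that, and the capture in step 5 (filtered to that service's port once you know it) supplies the source IP the event log never had.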