Event Id 4625 without Source IP

windows-server-2008-r2 windows-server-2012-r2

Solution 1:

IP address for failed RDP attempts is logged here even with NLA enabled (no tweaks required) (tested on Server 2012 R2, not sure about other versions)

Applications and Services Logs > Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational (Event ID 140)

Logged text example:

A connection from the client computer with an IP address of 108.166.xxx.xxx failed because the user name or password is not correct.

XML:

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
  <Provider Name="Microsoft-Windows-RemoteDesktopServices-RdpCoreTS" Guid="{1139C61B-B549-4251-8ED3-27250A1EDEC8}" /> 
  <EventID>140</EventID> 
  <Version>0</Version> 
  <Level>3</Level> 
  <Task>4</Task> 
  <Opcode>14</Opcode> 
  <Keywords>0x4000000000000000</Keywords> 
  <TimeCreated SystemTime="2016-11-13T11:52:25.314996400Z" /> 
  <EventRecordID>1683867</EventRecordID> 
  <Correlation ActivityID="{F4204608-FB58-4924-A3D9-B8A1B0870000}" /> 
  <Execution ProcessID="2920" ThreadID="4104" /> 
  <Channel>Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational</Channel> 
  <Computer>SERVER</Computer> 
  <Security UserID="S-1-5-20" /> 
  </System>
- <EventData>
  <Data Name="IPString">108.166.xxx.xxx</Data> 
  </EventData>
  </Event>

Solution 2:

This is a known limitation with the 4625 event and RDP connections using TLS/SSL. You will need to use RDP encryption for the remote desktop server settings, or get a better IDS product.

Solution 3:

You should use the built-in Windows Firewall and its logging settings. The logs will tell you the IP addresses of all incoming connection attempts. Since you mentioned that all your servers are internet-facing, there really is no excuse for not using the Windows Firewall as a part of your defense in depth strategy. I would specifically recommend not turning off NLA (network-level authentication,) since many of the attacks on RDP in the past have historically been mitigated by the use of NLA and only affected RDP session hosts running classic RDP encryption only.

Windows Firewall Logging

Solution 4:

This Event is usually caused by a stale hidden credential. Try this from the system giving the error:

From a command prompt run: psexec -i -s -d cmd.exe
From the new cmd window run: rundll32 keymgr.dll,KRShowKeyMgr

Remove any items that appear in the list of Stored User Names and Passwords. Restart the computer.

Related

Escaping spaces in a remote path when using rsync over a remote SSH connection
What is the recommended method to prepare Red Hat/CentOS 7 templates?
Apache environment variables list?
iptables change destination IP without DNAT
Is there any way to point the root domain to a CNAME? [duplicate]
Periodically audit file permissions for mistaken leaks
2003 DC AD upgrade to 2008 on second server migration plan
Encrypt nginx log files
Openoffice headless on CentOS 7 / 8
auth log file shows wrong time?
How can I configure Postfix to relay emails addressed to particular domains through a separate SMTP relay [duplicate]
How to (properly) back up a live QEMU/KVM VM?