Windows security event 4625

4625: An account failed to log on

On this page

• Description of this event
• Field level details
• Examples

This is a useful event because it documents each and every failed attempt to logon to the local computer regardless of logon type, location of the user or type of account.

Free Security Log Resources by Randy

• Free Security Log Quick Reference Chart
• Windows Event Collection: Supercharger Free Edtion
• Free Active Directory Change Auditing Solution
• Free Course: Security Log Secrets

Description Fields in
4625

Subject:

Identifies the account that requested the logon — NOT the user who just attempted logged on. Subject is usually Null or one of the Service principals and not usually useful information. See New Logon for who just logged on to the system.

• Security ID
• Account Name
• Account Domain
• Logon ID

Logon Type:

This is a valuable piece of information as it tells you HOW the user just logged on:  See 4624 for a table of logon type codes.

Account For Which Logon Failed:

This identifies the user that attempted to logon and failed.

• Security ID:  The SID of the account that attempted to logon. This blank or NULL SID if a valid account was not identified — such as where the username specified does not correspond to a valid account logon name.
• Account Name: The account logon name specified in the logon attempt.
• Account Domain: The domain or — in the case of local accounts — computer name.

Failure Information:

The section explains why the logon failed.

• Failure Reason: textual explanation of logon failure.
• Status and Sub Status: Hexadecimal codes explaining the logon failure reason. Sometimes Sub Status is filled in and sometimes not. Below are the codes we have observed.

Process Information:

• Caller Process ID: The process ID specified when the executable started as logged in 4688.
• Caller Process Name: Identifies the program executable that processed the logon. This is one of the trusted logon processes identified by 4611.

Network Information:

This section identifies where the user was when he logged on. Of course if logon is initiated from the same computer this information will either be blank or reflect the same local computers.

• Workstation Name: The computer name of the computer where the user is physically present in most cases unless this logon was initiated by a server application acting on behalf of the user. Workstation may also not be filled in for some Kerberos logons since the Kerberos protocol doesn’t really care about the computer account in the case of user logons and therefore lacks any field for carrying workstation name in the ticket request message.
• Source Network Address: The IP address of the computer where the user is physically present in most cases unless this logon was initiated by a server application acting on behalf of the user. If this logon is initiated locally the IP address will sometimes be 127.0.0.1 instead of the local computer’s actual IP address.  This field is also blank sometimes because Microsoft says «Not every code path in Windows Server 2003 is instrumented for IP address, so it’s not always filled out.»
• Source Port: Identifies the source TCP port of the logon request which seems useless since with most protocols’ source ports are random.

Detailed Authentication Information:

• Logon Process: (see 4611)
• Authentication Package: (see 4610 or 4622)
• Transited Services: This has to do with server applications that need to accept some other type of authentication from the client and then transition to Kerberos for accessing other resources on behalf of the client.  See http://msdn.microsoft.com/msdnmag/issues/03/04/SecurityBriefs/
• Package name: If this logon was authenticated via the NTLM protocol (instead of Kerberos for instance) this field tells you which version of NTLM was used.  See security option «Network security: LAN Manager authentication level»
• Key Length: Length of key protecting the «secure channel».  See security option «Domain Member: Require strong (Windows 2000 or later) session key».  If value is 0 this would indicate security option «Domain Member: Digitally encrypt secure channel data (when possible)» failed

Supercharger Free Edition

Картинка с сайта: www.ultimatewindowssecurity.com

Your entire Windows Event Collection environment on a single pane of glass.

Free.

Время на прочтение4 мин

Количество просмотров309K

Картинка с сайта: habr.com

Рэнди Франклин Смит (CISA, SSCP, Security MVP) имеет в своем арсенале очень полезный документ, рассказывающий о том, какие события (event IDs) обязательно должны отслеживаться в рамках обеспечения информационной безопасности Windows. В этом документе изложена крайне полезная информация, которая позволит Вам “выжать” максимум из штатной системы аудита. Мы подготовили перевод этого материала. Заинтересованных приглашаем под кат.

О том, как настроить аудит, мы уже обстоятельно писали в одном из наших постов. Но из всех event id, которые встречаются в журналах событий, необходимо остановить свое внимание на нескольких критических важных. На каких именно – решать каждому. Однако Рэнди Франклин Смит предлагает сосредоточить внимание на 10 важных событиях безопасности в Windows.

Контроллеры доменов

Event ID — (Категория) — Описание

1) 675 или 4771
(Аудит событий входа в систему)
Событие 675/4771 на контроллере домена указывает на неудачную попытку войти через Kerberos на рабочей станции с доменной учетной записью. Обычно причиной этого является несоответствующий пароль, но код ошибки указывает, почему именно аутентификация была неудачной. Таблица кодов ошибок Kerberos приведена ниже.

2) 676, или Failed 672 или 4768
(Аудит событий входа в систему)
Событие 676/4768 логгируется для других типов неудачной аутентификации. Таблица кодов Kerberos приведена ниже.
ВНИМАНИЕ: В Windows 2003 Server событие отказа записывается как 672 вместо 676.

3) 681 или Failed 680 или 4776
(Аудит событий входа в систему)
Событие 681/4776 на контроллере домена указывает на неудачную попытку входа в систему через
NTLM с доменной учетной записью. Код ошибки указывает, почему именно аутентификация была неудачной.
Коды ошибок NTLM приведены ниже.
ВНИМАНИЕ: В Windows 2003 Server событие отказа записывается как 680 вместо 681.

4) 642 или 4738
(Аудит управления учетными записями)
Событие 642/4738 указывает на изменения в указанной учетной записи, такие как сброс пароля или активация деактивированной до этого учетной записи. Описание события уточняется в соответствие с типом изменения.

5) 632 или 4728; 636 или 4732; 660 или 4756
(Аудит управления учетными записями)
Все три события указывают на то, что указанный пользователь был добавлен в определенную группу. Обозначены Глобальная (Global), Локальная (Local) и Общая (Universal) соответственно для каждого ID.

6) 624 или 4720
(Аудит управления учетными записями)
Была создана новая учетная запись пользователя

7) 644 или 4740
(Аудит управления учетными записями)
Учетная запись указанного пользователя была заблокирована после нескольких попыток входа

517 или 1102
(Аудит системных событий)
Указанный пользователь очистил журнал безопасности

Вход и выход из системы (Logon/Logoff)

Event Id — Описание

528 или 4624 — Успешный вход в систему
529 или 4625 — Отказ входа в систему – Неизвестное имя пользователя или неверный пароль
530 или 4625 Отказ входа в систему – Вход в систему не был осуществлен в течение обозначенного периода времени
531 или 4625 — Отказ входа в систему – Учетная запись временно деактивирована
532 или 4625 — Отказ входа в систему – Срок использования указанной учетной записи истек
533 или 4625 — Отказ входа в систему – Пользователю не разрешается осуществлять вход в систему на данном компьютере
534 или 4625 или 5461 — Отказ входа в систему – Пользователь не был разрешен запрашиваемый тип входа на данном компьютере
535 или 4625 — Отказ входа в систему – Срок действия пароля указанной учетной записи истек
539 или 4625 — Отказ входа в систему – Учетная запись заблокирована
540 или 4624 — Успешный сетевой вход в систему (Только Windows 2000, XP, 2003)

Типы входов в систему (Logon Types)

Тип входа в систему — Описание

2 — Интерактивный (вход с клавиатуры или экрана системы)
3 — Сетевой (например, подключение к общей папке на этом компьютере из любого места в сети или IIS вход — Никогда не заходил 528 на Windows Server 2000 и выше. См. событие 540)
4 — Пакет (batch) (например, запланированная задача)
5 — Служба (Запуск службы)
7 — Разблокировка (например, необслуживаемая рабочая станция с защищенным паролем скринсейвером)
8 — NetworkCleartext (Вход с полномочиями (credentials), отправленными в виде простого текст. Часто обозначает вход в IIS с “базовой аутентификацией”)
9 — NewCredentials
10 — RemoteInteractive (Терминальные службы, Удаленный рабочий стол или удаленный помощник)
11 — CachedInteractive (вход с кешированными доменными полномочиями, например, вход на рабочую станцию, которая находится не в сети)

Коды отказов Kerberos

Код ошибки — Причина

6 — Имя пользователя не существует
12 — Ограничение рабочей машины; ограничение времени входа в систему
18 — Учетная запись деактивирована, заблокирована или истек срок ее действия
23 — Истек срок действия пароля пользователя
24 — Предварительная аутентификация не удалась; обычно причиной является неверный пароль
32 — Истек срок действия заявки. Это нормальное событие, которое логгируется учетными записями компьютеров
37 — Время на рабочей машины давно не синхронизировалось со временем на контроллере домена

Коды ошибок NTLM

Код ошибки (десятичная система) — Код ошибки (16-ричная система) — Описание

3221225572 — C0000064 — Такого имени пользователя не существует
3221225578 — C000006A — Верное имя пользователя, но неверный пароль
3221226036 — C0000234 — Учетная запись пользователя заблокирована
3221225586 — C0000072 — Учетная запись деактивирована
3221225583 — C000006F — Пользователь пытается войти в систему вне обозначенного периода времени (рабочего времени)
3221225584 — C0000070 — Ограничение рабочей станции
3221225875 — C0000193 — Истек срок действия учетной записи
3221225585 — C0000071 — Истек срок действия пароля
3221226020 — C0000224 — Пользователь должен поменять пароль при следующем входе в систему

Еще раз продублируем ссылку на скачивание документа на сайте Рэнди Франклина Смита www.ultimatewindowssecurity.com/securitylog/quickref/Default.aspx. Нужно будет заполнить небольшую форму, чтобы получить к нему доступ.

P.S. Хотите полностью автоматизировать работу с журналами событий? Попробуйте новую версию NetWrix Event Log Manager 4.0, которая осуществляет сбор и архивирование журналов событий, строит отчеты и генерирует оповещения в режиме реального времени. Программа собирает данные с многочисленных компьютеров сети, предупреждает Вас о критических событиях и централизованно хранит данные обо всех событиях в сжатом формате для удобства анализа архивных данных журналов. Доступна бесплатная версия программы для 10 контроллеров доменов и 100 компьютеров.

WINDOWS

Understanding Windows security event logs is paramount for any organization that seeks to fortify its IT infrastructure. Among the plethora of events logged, IDs 4625 and 4771 are particularly vital in tracking failed authentication attempts. This article provides an in-depth analysis of these event IDs, exploring their significance in uncovering security threats and vulnerabilities through Windows Event Log analysis.

Understanding Windows Event ID 4625

Event ID 4625 indicates a failed logon attempt. This event is crucial for identifying unauthorized access attempts against Windows systems. It chronicles details about the failure, including the user account involved, the type of authentication, and the source of the logon request.

Key Components of Event ID 4625

When analyzing Event ID 4625, you will encounter several key fields within the event log:

• Subject: Contains information about the account that attempted the logon.

• Logon Type: Indicates the type of logon attempt; it can be interactive, network, batch, etc.

  • Common logon types include:

    • 2: Interactive logon

    • 3: Network logon

    • 10: Batch logon

• Status: Provides a status message detailing why the logon failed.

• Source Network Address: Shows the IP address from which the logon attempt was made.

Example of Event ID 4625 Log Entry

An account failed to log on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     - 
    Logon ID:           0x0

Logon Type:             3
Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       Admin
    Account Domain:     DOMAIN

Failure Information:
    Failure Reason:      Unknown user name or bad password
    Status:             0xC000006D
    Sub Status:         0xC000006A

Network Information:
    Workstation Name:    WORKSTATION
    Source Network Address: 192.168.1.10
    Source Port:        12345

Process Information:
    Caller Process ID:   1234
    Caller Process Name: C:\Windows\System32\svchost.exe

Understanding Windows Event ID 4771

Event ID 4771 pertains to Kerberos pre-authentication failures. This event is crucial in environments that utilize Kerberos for authentication, particularly in domain environments.

Key Components of Event ID 4771

When delving into Event ID 4771, the following components are essential for accurately interpreting the event:

• Account Name: Indicates the account for which pre-authentication failed.

• Pre-Authentication Type: Specifies the mechanism used for authentication.

• Failure Code: Provides insights into why the authentication failed.

  • Common failure codes include:

    • 0x18: Pre-authentication failed

    • 0x18: Bad password

• Client Address: Shows the IP address from which the authentication request originated.

Example of Event ID 4771 Log Entry

Kerberos pre-authentication failed.

Account:
    Security ID:        DOMAIN\User
    Account Name:       User
    Account Domain:     DOMAIN

Client Address:     192.168.1.50
Service Name:       krbtgt/DOMAIN

Pre-Authentication Type: 
    0x0 (none)

Failure Code:       0x18

Importance of Monitoring Event IDs 4625 and 4771

Monitoring these event IDs is crucial for maintaining robust network security. Here’s why:

• Identifying Brute Force Attacks: A spike in Event ID 4625 occurrences can indicate a brute force attack on user accounts. Organizations should implement alerting mechanisms when a certain threshold is exceeded.

• Vulnerability Situations: Event ID 4771 may hint at compromised user credentials or configurations that need to be addressed, particularly focusing on accounts with pre-authentication failures.

• Security Audits and Compliance: Regular audits of these events are essential for compliance with security protocols and regulations. Documentation and analysis can help mitigate risks.

Best Practices for Mitigation

To protect against the risks highlighted by these event IDs, consider the following best practices:

• Implement Account Lockout Policies: Set policies that lock an account after a specific number of failed attempts to prevent unauthorized access.

• Monitor and Analyze Logs Regularly: Establish a routine for reviewing event logs, focusing on patterns of failure that may indicate potential attacks.

• Enable Multi-Factor Authentication (MFA): Enhance security by requiring additional verification for users, reducing the possibility of compromised credentials.

Conclusion

Windows Event IDs 4625 and 4771 serve as critical indicators within the Windows security log that aid in identifying failed authentication attempts and proactively managing security threats. By diligently monitoring these events, organizations can strengthen their security posture and reduce vulnerabilities associated with unauthorized access. Leveraging the information gathered from these logs can be instrumental in not just defending against current threats but also anticipating future risks in an ever-evolving cybersecurity landscape.

For comprehensive security management, consider integrating a Security Information and Event Management (SIEM) solution to gather insights and respond to anomalies in real-time. This proactive approach is vital to ensuring sustained compliance and security integrity.

Suggested Articles

Monitoring and analyzing periodically failed logon attempts is one of the essential processes to have a secure environment. Windows Event ID 4625 is a security event log generated by failed logon attempts. By studying and correlating these events, we can gain essential information regarding security threats like brute force attacks, unauthorized access, and more.

What is Event ID 4625?

The Windows security log captures failed logon attempts as event ID 4625. For example, Windows auditing system, which is the main system that generates this type of event, is one of the most important systems to identify and respond to security incidents. The event log provides all the details related to the failed logon attempt, such as the account name, workstation name, and the reason for the failure.

Analyzing Event ID 4625

• Step 1: Collecting Event Logs: To analyze Event ID 4625, you need to collect the relevant event logs from the Windows Security log. This can be done using the Event Viewer or through PowerShell commands.
• Step 2: Filtering and Sorting: Once the logs are collected, filter them to display only Event ID 4625. Sorting the logs by time, account name, or workstation name can help identify patterns or repeated failed attempts.
• Step 3: Identifying Patterns: Look for patterns in the failed logon attempts. Common patterns include:

• • Multiple failed attempts from the same account: This could indicate a brute force attack.

  • Failed attempts from multiple accounts: This might suggest a broader attack targeting multiple users.

  • Failed attempts from unusual locations: Logon attempts from unexpected IP addresses or geographic locations could indicate unauthorized access attempts.

• Step 4: Investigating the Source: Determine the source of the failed logon attempts. Check the workstation name and network information to identify the origin of the attempts. If the source is external, consider blocking the IP address or implementing additional security measures.

Common Causes

• Incorrect Username or Password: This is the most frequent reason. The user may have simply mistyped their credentials.
• Account Disabled or Locked: The user account might be disabled by the administrator or locked due to multiple failed login attempts.
• Account Expiration: The user’s account may have expired.
• Account Policy Restrictions: There might be restrictions on the account that prevent login from the specific source or time.
• Network Connectivity Issues: Problems with the network connection can also cause login failures.
• Malware or Compromised Credentials: In some cases, malware or compromised credentials could be the cause of failed login attempts.

Best Practices for Managing Event ID 4625

1. Regular Monitoring: Regularly monitor and review Event ID 4625 logs to detect and respond to potential security threats promptly.

2. Implement Account Lockout Policies: Configure account lockout policies to automatically lock accounts after a specified number of failed logon attempts.

3. Use Strong Passwords: Enforce strong password policies to reduce the risk of successful brute force attacks.

4. Enable Multi-Factor Authentication (MFA): Implement MFA to add an additional layer of security, making it more difficult for attackers to gain access.

5. Educate Users: Educate users about the importance of strong passwords and recognizing phishing attempts to reduce the likelihood of compromised credentials.

Investigating Failed Login Attempts

When investigating Event ID 4625, it’s important to consider the following:

• Frequency: A single failed attempt is usually not a concern, but multiple attempts from the same source or for the same account should be investigated.
• Source: Determine the source of the login attempt (local, network, remote).
• Account: Identify the account that failed to log in.
• Time: Note the time of the failed attempt.
• Logon Type: Determine the type of logon attempt (interactive, network, service).
• Failure Reason: Examine the specific reason for the failure (incorrect password, account disabled, etc.).

Windows Event ID 4625 is a critical security event that provides valuable information about failed logon attempts. By understanding and analyzing this event, organizations can detect and respond to potential security threats more effectively. Regular monitoring, implementing best practices, and taking proactive measures can significantly enhance the security of Windows environments and protect against unauthorized access attempts.

Event ID 4625 is not just a log entry; it is a vital tool in the arsenal of IT professionals and security teams tasked with safeguarding their systems from malicious actors. By leveraging the insights gained from analyzing these events, organizations can fortify their defenses and maintain a robust security posture.

Relevant Article

• Windows Event ID 4740: Account Lockout Analysis

If you’ve ever managed a Windows system, you’ve likely come across Event ID 4625: “An account failed to log on.” It often pops up on Windows Server 2008 and Windows Vista systems, causing both confusion and concern. This event occurs when a logon attempt fails, and it’s logged on the targeted computer. Let’s dive into the nitty-gritty details to understand this better.

Картинка с сайта: bytebitebit.com

For instance, imagine someone in your network trying to access a shared folder but typing the wrong password. This would trigger Event ID 4625. One of the critical pieces of information in this event is the Security ID (SID), which identifies the user account that attempted the logon. If the SID can’t be resolved, it might show up as a NULL SID, indicating that the username doesn’t correspond to a valid account.

To troubleshoot this, we often use Task Scheduler. We go to the “Task Status” pane and filter for tasks running at specific times, especially around the time this event crops up regularly. By checking these logs, we can pinpoint which tasks might be causing the issue. So next time you see Event ID 4625, don’t panic. It’s a valuable alert that helps keep your network secure!

Event ID 4625 is a log entry in the Windows Security Log that indicates a failed logon attempt. Let’s break down what this event tells us.

When we see Event ID 4625, it typically means a logon request didn’t succeed. This can be due to various reasons such as wrong passwords or user accounts trying to access a network.

Here are the key details you might find:

Security ID: Shows which account reported the logon failure. Sometimes, it will display as NULL SID if no valid account was identified.

Logon Process: Indicates the specific process attempting the logon, like Winlogon.exe or Services.exe.

Authentication Package: Displays which package was used, such as NTLMSSP.

Transited Services: If the logon attempt used services, they might be listed here.

We can use a table to present more information clearly:

Authentication Information: This might show details like the Key Length used during the attempt, which is relevant for security analysis.

Category and Subcategory

These help in classifying the type of security event recorded. Microsoft-Windows-Security-Auditing is the category under which Event ID 4625 falls.

Our experience shows that frequently encountering Event ID 4625 might indicate an ongoing brute force attack. Always ensure your systems are up-to-date and secure. If it appears frequently at the same time each day, as mentioned in the search results, it might be caused by a scheduled task or an automated process.

We hope this breakdown is helpful in understanding and analyzing Event ID 4625. It’s crucial for maintaining security and identifying potential issues early.

Common Causes of Event ID 4625

Event ID 4625 often pops up when a logon attempt fails. It’s like our computer’s way of waving a red flag saying, “Hey, something went wrong here!” Let’s break down some common reasons:

Bad Password: We all forget passwords sometimes. Typing the wrong password is a frequent cause.

Unknown User Name: Sometimes, a user might use a name that doesn’t exist on the system.

Disabled Account: If the account is disabled, any logon attempt will fail.

Account Locked Out: If an account gets too many wrong password attempts, it can be locked out. We’ve all been there, right?

Account Currently Disabled: If administrators disable an account for any reason, it will throw event 4625.

Service Failures: Occasionally, services like Server service or Winlogon.exe on the local system might trigger this event when they attempt to authenticate a user.

Network Issues: Problems with network connectivity can also cause authentication failures.

These are some of the main culprits behind Event ID 4625. We’ve likely faced some of these ourselves, making it easier to spot when they happen again.

Troubleshooting Event ID 4625

Event ID 4625 in the Microsoft-Windows-Security-Auditing log indicates a failed logon attempt. This can occur due to various reasons, such as incorrect passwords, account lockouts, or policy conflicts. Let’s walk through some key steps.

Checking User Account Status

We start by examining the user account related to the failed logon.

• Account Lockouts: Is the account locked out? A locked account can’t log in until it’s unlocked by the system or admin.

• Logon ID: Check the Logon ID to identify the specific session of the attempt.

• Caller Process ID and Name: These fields help us find which processes attempted the logon. For instance, Winlogon.exe might point to login screen issues.

Reviewing Security Policies

Next, we review relevant security policies to ensure they’re correctly configured.

• Account Lockout Policy: Define how many failed attempts trigger a lockout and how long the lockout lasts.

• Audit Policy: Make sure it logs Account Logon and Logon events so we can track failures.

• Network Security: Evaluate protocols and settings in our network policies that might deny valid logons. The Source Network Address and Source Port fields in the event can reveal where the attempt came from.

Investigating Failed Logon Attempts

Finally, let’s investigate the failed logons.

• Failure Reason and Sub Status: These codes detail why the logon failed. For example, wrong password or expired account.

• Workstation Name: This shows which machine the attempt came from, helpful for isolating issues in a network.

• Source Network Address and Source Port: Useful in tracing attempts from unknown or unauthorized addresses.

• Active Directory and Domain Controller: In large networks, check AD for replication issues or policy conflicts affecting logons. The local computer might not sync properly with the domain.

Mitigating Security Risks Associated with Event ID 4625

Mitigating security risks related to Event ID 4625 requires a multi-layered approach. By focusing on password policies, implementing multi-factor authentication, and setting up monitoring systems, we can significantly reduce the risks posed by failed logon attempts.

Strengthening Password Policies

We need to make sure our passwords are tough to crack. Simple passwords make it easier for attackers to guess them.

Make sure to enforce a minimum password length, like 12 characters. Frequent password changes can discourage attackers. Remember, layers of security make our accounts more secure.

Implementing Multi-Factor Authentication

Adding an extra layer of security helps a ton. Multi-Factor Authentication (MFA) is one way to do this.

Integrating MFA across our services protects sensitive data, reducing the risk of a successful attack.

Monitoring and Alerting Systems

Monitoring systems help us detect weird activities fast. Real-time alerts allow us to react quickly to potential threats.

We can use tools like PowerShell to filter specific logs and quickly identify problems. Setting up a robust monitoring system helps us stay on top of our network security processes.