A few days ago I noticed that the Administrator account was being locked out a few times, and that the source was a machine called Windows7 or FreeRDP. Very suspicious: first, the domain Administrator account is not in use, and second, the machine names. I checked the security logs on the domain controllers, but all you can find there is that the Caller Computer Name was FreeRDP or Windows7, and nothing more.
To find the real source more easily, I enabled debug logging for the Netlogon service. The steps for that:
- Open a Command Prompt window (administrative Command Prompt window for Windows Server 2008 and later versions).
- Type the following command, and then press Enter:
Nltest /DBFlag:2080FFFF
- It’s typically not necessary to stop and restart the Netlogon service for Windows 2000 Server/Professional or later operating systems to enable Netlogon logging. Netlogon-related activity is logged to %windir%\debug\netlogon.log. Verify new writes to this log in order to determine whether a restart of the Netlogon service is necessary. If you have to restart the service, open a Command Prompt window (administrative Command Prompt window for Windows Server 2008/Windows Vista and later versions of the operating system), and then run the following commands:
net stop netlogon
net start netlogon
And if you want to disable Netlogon logging later on:
- Open a Command Prompt window (administrative Command Prompt window for Windows Server 2008 and higher).
- Type the following command, and then press Enter:
Nltest /DBFlag:0x0
- It’s typically not necessary to stop and restart the Netlogon service for Windows 2000 Server/Professional or later versions of the operating system to disable Netlogon logging. Netlogon-related activity is logged to %windir%\debug\netlogon.log. Verify that no new information is being written to this log in order to determine whether a restart of the Netlogon service is necessary. If you have to restart the service, then open a Command Prompt window (administrative Command Prompt window for Windows Server 2008/Windows Vista and later versions of the operating system), and then run the following commands:
net stop netlogon
net start netlogon
More detail about Netlogon here
A few minutes later I had the information I needed, in the log file C:\Windows\debug\netlogon.log, in this format:
05/24 11:09:52 [LOGON] DOMAINNAME: NlPickDomainWithAccount: scan: Algorithm entered. UPN:0 Sam:1 Exp:0 Cross: 0 Root:1 DC:0
05/24 11:09:52 [LOGON] DOMAINNAME: SamLogon: Transitive Network logon of (null)\scan from Windows7 (via DEV01) Returns 0xC0000064
05/24 11:09:54 [LOGON] DOMAINNAME: SamLogon: Transitive Network logon of (null)\scan from Windows7 (via DEV01) Entered
05/24 11:09:54 [LOGON] DOMAINNAME: NlPickDomainWithAccount: scan: Algorithm entered. UPN:0 Sam:1 Exp:0 Cross: 0 Root:1 DC:0
05/24 11:09:54 [LOGON] DOMAINNAME: SamLogon: Transitive Network logon of (null)\scan from Windows7 (via DEV01) Returns 0xC0000064
05/24 11:09:55 [LOGON] DOMAINNAME: SamLogon: Transitive Network logon of (null)\scan from Windows7 (via DEV01) Entered
05/24 11:09:55 [LOGON] DOMAINNAME: NlPickDomainWithAccount: scan: Algorithm entered. UPN:0 Sam:1 Exp:0 Cross: 0 Root:1 DC:0
05/24 11:09:55 [LOGON] DOMAINNAME: SamLogon: Transitive Network logon of (null)\scan from Windows7 (via DEV01) Returns 0xC0000064
05/24 11:09:56 [LOGON] DOMAINNAME: SamLogon: Transitive Network logon of (null)\ricoh from Windows7 (via DEV01) Entered
05/24 11:09:56 [LOGON] DOMAINNAME: NlPickDomainWithAccount: ricoh: Algorithm entered. UPN:0 Sam:1 Exp:0 Cross: 0 Root:1 DC:0
05/24 11:09:56 [LOGON] DOMAINNAME: SamLogon: Transitive Network logon of (null)\ricoh from Windows7 (via DEV01) Returns 0xC0000064
05/24 11:09:57 [LOGON] DOMAINNAME: SamLogon: Transitive Network logon of (null)\ricoh from Windows7 (via DEV01) Entered
05/24 11:09:57 [LOGON] DOMAINNAME: NlPickDomainWithAccount: ricoh: Algorithm entered. UPN:0 Sam:1 Exp:0 Cross: 0 Root:1 DC:0
05/24 11:09:57 [LOGON] DOMAINNAME: SamLogon: Transitive Network logon of (null)\ricoh from Windows7 (via DEV01) Returns 0xC0000064
05/24 11:09:58 [LOGON] DOMAINNAME: SamLogon: Transitive Network logon of (null)\shipping2 from Windows7 (via DEV01) Entered
In my case, a DEV machine with NTLM authentication enabled was exposed directly to the Internet, and someone was trying to connect to it and break in.
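As an added example (not part of the original post), a small Python parser that walks netlogon.log, skips the "Entered" lines and successful (0x0) returns, and ranks the caller workstations from the "from X (via Y)" field by failed-logon count, so the machine relaying the bad attempts stands out. The NTSTATUS names are well-known values; the sample log is constructed in the post's format and is not a real capture.

```python
import re
from collections import Counter

# SamLogon lines in %windir%\debug\netlogon.log, in the shape shown above:
# "MM/DD HH:MM:SS [LOGON] DOMAIN: SamLogon: <kind> logon of <acct> from <caller> (via <srv>) Entered|Returns 0x<NTSTATUS>"
SAMLOGON_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] (?P<domain>\S+): SamLogon: "
    r"(?P<kind>.+?) logon of (?P<account>\S+) from (?P<caller>\S+)"
    r"(?: \(via (?P<via>\S+)\))? (?:Entered|Returns (?P<status>0x[0-9A-Fa-f]+))$"
)
# Well-known NTSTATUS values for failed logons (0x0 is success).
NTSTATUS = {0xC0000064: "STATUS_NO_SUCH_USER", 0xC000006A: "STATUS_WRONG_PASSWORD",
            0xC000006D: "STATUS_LOGON_FAILURE", 0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT"}

def parse_samlogon(line):
    """Return the fields of one SamLogon line, or None for any other line."""
    m = SAMLOGON_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"], 16) if rec["status"] else None
    return rec

def failed_logons(log_text):
    """Count failed logons keyed by (caller, via-server, account, status name)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_samlogon(line)
        if rec is None or not rec["status"]:  # other lines, 'Entered', or 0x0 success
            continue
        name = NTSTATUS.get(rec["status"], "0x%08X" % rec["status"])
        counts[(rec["caller"], rec["via"], rec["account"], name)] += 1
    return counts

def callers_by_failures(log_text):
    """Rank (caller, via-server) pairs by failed-logon count, worst first."""
    by_caller = Counter()
    for (caller, via, _acct, _name), n in failed_logons(log_text).items():
        by_caller[(caller, via)] += n
    return by_caller.most_common()

# Constructed sample in the post's log format (not a real capture).
SAMPLE_LOG = r"""05/24 11:09:52 [LOGON] DOMAINNAME: SamLogon: Transitive Network logon of (null)\scan from Windows7 (via DEV01) Entered
05/24 11:09:52 [LOGON] DOMAINNAME: SamLogon: Transitive Network logon of (null)\scan from Windows7 (via DEV01) Returns 0xC0000064
05/24 11:09:56 [LOGON] DOMAINNAME: SamLogon: Transitive Network logon of (null)\ricoh from Windows7 (via DEV01) Returns 0xC0000064
05/24 11:10:01 [LOGON] DOMAINNAME: SamLogon: Transitive Network logon of DOMAINNAME\Administrator from FreeRDP (via DEV01) Returns 0xC000006A
05/24 11:10:02 [LOGON] DOMAINNAME: SamLogon: Network logon of DOMAINNAME\jsmith from WS042 Returns 0x0
"""

print(callers_by_failures(SAMPLE_LOG))
```

Run it against a copy of netlogon.log read into a string; the ranked (caller, via) pairs show both the reported caller name and the domain member that forwarded the attempts, which is the machine to look at.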
Hello,
I would interpret the event:
DOMAINNAME: SamLogon: Transitive Network logon of (null)\shipping2 from Windows7 (via DEV01) Entered
Is the DEV01 computer the domain controller name, or the name of the affected computer that is being attacked by the "Windows7" machine?
Hi,
DEV01 is the name of the attacked machine in this example. The domain name is replaced with 'DOMAINNAME', and this log is from the active node of the domain.
Thank you so much for this, it did the trick. I was struggling to find where this was coming from. We located a server that had 3389 open, and once we shut it down there were no more bad login attempts and the account lockouts stopped.