but this is not an RDS server, just a standard 08r2 member server. I believe the RDWEB role needs to be installed (someone please chime in if I'm mistaken)
Jean-Paul Natola From: [email protected] Date: Wed, 8 Apr 2015 10:29:51 -0400 Subject: RE: [NTSysADM] Remote logon attempts 4625 To: [email protected] RDP Web access seems to be default.Try this from your web brower:http://SERVER_Name/rdweb You just made me realize a security weakness I hadn’t even considered before. I’ll have to check our Windows Internet facing Web servers. From: [email protected] [mailto:[email protected]] On Behalf Of J- P Sent: Tuesday, April 7, 2015 12:36 PM To: NT Subject: [NTSysADM] Remote logon attempts 4625 Hi all, Have an internet facing time-clock server , the network firewall has port 80 ONLY forwarding to the server, i'm starting to see hundreds of event 4625's coming from global IP addresses (China, Malaysia, russia etc,,) If the firewall only has port 80 forwarded, how are they attempting RDP (Logon Type 10) here is one such example; An account failed to log on. Subject: Security ID: SYSTEM Account Name: SERVER_Name$ Account Domain: DOMAIN_ NAME Logon ID: 0x3e7 Logon Type: 10 Account For Which Logon Failed: Security ID: NULL SID Account Name: administrator Account Domain: SERVER_Name Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xc000006d Sub Status: 0xc000006a Process Information: Caller Process ID: 0x1424 Caller Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: SERVER_Name Source Network Address: 60.52.25.18 (Malaysia IP ) Source Port: 4750 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 Jean-Paul Natola
