服务器 Gind.cn
  1. 服务器 Gind.cn
  3. 生成审计失败的新服务器2012 R2 Essentials事件4625空SIDlogin尝试
Intereting Posts
更快:通过SSH隧道的SFTP或FTP? 服务器在发出请求后小于0秒内返回“请求过期”,但至less600秒不应过期 大型networking的带宽共享和记帐::最佳实践 在Linux上的文件名长度限制? 意外的regsub的清漆行为 与Forest不同的域名 Robocopy复制文件夹,但不复制文件 是否有可能使用Windows FSRM或多个服务器上的多个分区的替代品? SQL数据库处于怀疑模式 我必须使用bind9在每个区域文件中写入NS条目吗? 使用OID监控HP服务器的FAN和温度 如何在IIS中发送响应头文件? 阻塞长度为4的UDP数据包 Windows Server 2008:当网卡有多个地址时,指定默认的IP地址 在同一机架中具有相同工作负载的服务器:好,坏或不重要?

生成审计失败的新服务器2012 R2 Essentials事件4625空SIDlogin尝试

我正在研究触发我们监控软件的login失败问题。

研究这个问题,我能find的唯一的其他信息正是我所看到的,在这里: 事件4625审计失败NULL SID失败的networkinglogin

试图跟踪这个,我使用过程监视器,并设置2个filter:
进程是lsass.exe
结果不成功。

然后,我将结果与失败的审计尝试进行匹配,并且似乎与stream程监视器中的这两行相对应,因为他们每次都在审计失败的确切时间显示: 

1:05:47.4932903 PM lsass.exe 896 RegOpenKey HKLM\Software\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots NAME NOT FOUND Desired Access: Read 1:05:47.4941867 PM lsass.exe 896 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceAutoLockOnLogon NAME NOT FOUND Length: 144

我不知道我是否正在寻找正确的位置来追踪这个问题,或者现在该怎么做。 有什么build议么?

我是新的serverfault,所以我不能评论或回答上面的链接的问题,但会好奇,如果他/她看到了与进程监视器相同的结果。

这是一个事件查看器事件: 

 An account failed to log on. Subject: Security ID: SYSTEM Account Name: %domainControllerHostname%$ Account Domain: %NetBIOSDomainName% Logon ID: 0x3E7 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC0000064 Process Information: Caller Process ID: 0x380 Caller Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: %domainControllerHostname% Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Schannel Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.