A fairly new MS Windows Server 2019 VM installation is logging over a hundred Security Log Audit Failures a day with Event ID 4625.
RDP for the server is enabled only for a single trusted WAN source IP through the Draytek Firewall.
The server hosts 2 local applications and an on-premises Exchange Server. The PDC is another VM on the same physical bare metal Hyper-V Core host.
The Account Names, Source IP addresses and Workstation names appear to be quite random, though the workstation name “workstation” appears quite frequently.
An example log entry is:
An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: Hp Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC0000064 Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: workstation Source Network Address: 220.127.116.11 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted.
So my immediate thoughts are:
- I thought NTLM was disabled by default since Win Server 2008 onwards?
- Would I be right in thinking it isn’t in this case?
- Should I disable it? If so where?
- Could disabling it break anything? If the applications break, that’s fine if it makes the server more secure. I can get the application developers to beef up the apps. I’m worried about losing remote admin access through TeamViewer and the Exchange mailserver breaking.
I’m kinda shitting myself right now as we’ve only just installed this server to replace an old Windows Server 2011 that got hit by ransomware.
I’ve heard about using programs like IPBan, but that would only seem to make sense if the attempts were from the same IP. In this case they seem to be from random addresses.
Would I be right in thinking having the necessary ports open for the Exchange Server (80,443,587) is the only reason these attempts from WAN IPs are even reaching the server? Is there anything I can do to prevent these log-on attempts from reaching the server or is this a level of intrusion to be expected when running an Exchange server?