Event ID 4625 on Exchange Server 2019

mara2021 1,076 Reputation points
2023-11-10T23:30:58.0033333+00:00

We are getting lots of Event ID 4625 on both of our on-prem Exchange 2019 hybrid servers. We are a hybrid deployment. Our user mailboxes are on Exchange Online. We use AD Sync. Below is an example of the Event ID. How can I troubleshoot this? Thanks.


Tags: Microsoft Exchange Online Management, Exchange Server Management, Microsoft Exchange Hybrid Management, Windows Server Security

3 answers

Sort by: Most helpful
  1. Konstantinos Passadis 19,066 Reputation points MVP
    2023-11-10T23:55:06.3833333+00:00

    Hello @mara2021 !

    Based on the documentation, this event is a Security Audit event.

    The Status:

    Failure Information\Status or Failure Information\Sub Status 0xC000006D – "This is either due to a bad username or authentication information" for critical accounts or service accounts. Especially watch for a number of such events in a row.

    shows that it has to do with service accounts; also we have NULL on the SID, probably a process.

    Also the Logon Type 3:

    2  Interactive  A user logged on to this computer.
    3  Network      A user or computer logged on to this computer from the network.

    is showing remote attempts.

    Are you restricting public IP access only to Azure / Office 365 URLs? I suppose your mail flow is from 365, so there is no need for public exposure other than Hybrid.

    It could be malicious attempts.

    Install all the latest hotfixes and updates.

    Are there leftover devices or apps using SMTP? Maybe still trying to access the Exchange servers?

    Kindly check these and come back with your feedback!


    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards

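The fields the answer above points at (Status/Sub Status, Logon Type, the NULL SID, the source address) all sit in the EventData of each 4625 record, so the quickest way to see whether this is a stale service-account credential or remote guessing is to decode the records and group them by source IP and target account. The following PowerShell is an added example written for this page, not code from the original thread or from Microsoft; the three XML records at the bottom are constructed sample data in the Security-log XML shape, and the status and logon-type lookup tables are taken from the public event 4625 documentation.

```powershell
# Added example (not from the original thread): decode Security event 4625 records and
# summarise them by source IP, target account, logon type and failure reason.

# Status / SubStatus values from the event 4625 documentation (learn.microsoft.com).
$StatusMap = @{
    '0xC0000064' = 'user name does not exist'
    '0xC000006A' = 'user name correct, password wrong'
    '0xC000006D' = 'bad user name or authentication information'
    '0xC000006E' = 'account restriction (e.g. blank password, logon hours)'
    '0xC000006F' = 'logon outside authorised hours'
    '0xC0000070' = 'logon from unauthorised workstation'
    '0xC0000071' = 'password expired'
    '0xC0000072' = 'account disabled'
    '0xC000015B' = 'logon type not granted to this account'
    '0xC0000193' = 'account expired'
    '0xC0000234' = 'account locked out'
    '0xC0000413' = 'blocked by authentication firewall'
}
$LogonTypeMap = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

function Format-NtStatus {
    # Event XML carries "0xc000006d"; normalise to the upper-case 8-digit form used by the map.
    param([string]$Raw)
    if ([string]::IsNullOrEmpty($Raw)) { return '0x00000000' }
    '0x{0:X8}' -f [Convert]::ToUInt32($Raw, 16)
}

function ConvertFrom-Event4625 {
    # Takes the XML of one 4625 record (from EventLogRecord.ToXml()) and returns a flat object.
    param([Parameter(Mandatory)][xml]$EventXml)
    $d = @{}
    foreach ($item in $EventXml.Event.EventData.Data) { $d[$item.GetAttribute('Name')] = $item.InnerText }
    $status    = Format-NtStatus $d['Status']
    $subStatus = Format-NtStatus $d['SubStatus']
    $logonType = [int]$d['LogonType']
    [pscustomobject]@{
        TimeCreated   = [datetime]$EventXml.Event.System.TimeCreated.SystemTime
        TargetUser    = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        TargetSid     = $d['TargetUserSid']   # S-1-0-0 (NULL SID) is normal for a failed logon
        LogonType     = $logonType
        LogonTypeName = if ($LogonTypeMap.ContainsKey($logonType)) { $LogonTypeMap[$logonType] } else { 'Unknown' }
        Status        = $status
        StatusText    = if ($StatusMap.ContainsKey($status)) { $StatusMap[$status] } else { 'unknown' }
        SubStatus     = $subStatus
        SubStatusText = if ($StatusMap.ContainsKey($subStatus)) { $StatusMap[$subStatus] } else { 'unknown' }
        IpAddress     = $d['IpAddress']
        Workstation   = $d['WorkstationName']
        AuthPackage   = $d['AuthenticationPackageName']
        ProcessName   = $d['ProcessName']
    }
}

function Get-FailedLogonSummary {
    # One IP hitting many users looks like password spraying; one user hammered from one IP
    # looks like brute force or a device/app holding an old service-account password.
    param([Parameter(Mandatory)][object[]]$Events)
    $Events | Group-Object IpAddress, TargetUser, LogonTypeName, SubStatusText | ForEach-Object {
        [pscustomobject]@{
            Count      = $_.Count
            IpAddress  = $_.Group[0].IpAddress
            TargetUser = $_.Group[0].TargetUser
            LogonType  = $_.Group[0].LogonTypeName
            Reason     = $_.Group[0].SubStatusText
            FirstSeen  = ($_.Group.TimeCreated | Measure-Object -Minimum).Minimum
            LastSeen   = ($_.Group.TimeCreated | Measure-Object -Maximum).Maximum
        }
    } | Sort-Object Count -Descending
}

# Constructed sample records (not real logs) in the Security log XML shape.
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$sampleXml = @(
@"
<Event xmlns="$ns"><System><EventID>4625</EventID><TimeCreated SystemTime="2023-11-10T22:01:05.000Z"/></System>
<EventData><Data Name="SubjectUserSid">S-1-0-0</Data><Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">svc-backup</Data><Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="Status">0xc000006d</Data><Data Name="SubStatus">0xc000006a</Data><Data Name="LogonType">3</Data>
<Data Name="AuthenticationPackageName">NTLM</Data><Data Name="WorkstationName">-</Data>
<Data Name="ProcessName">-</Data><Data Name="IpAddress">10.0.0.15</Data><Data Name="IpPort">51234</Data></EventData></Event>
"@,
@"
<Event xmlns="$ns"><System><EventID>4625</EventID><TimeCreated SystemTime="2023-11-10T22:06:05.000Z"/></System>
<EventData><Data Name="SubjectUserSid">S-1-0-0</Data><Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">svc-backup</Data><Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="Status">0xc000006d</Data><Data Name="SubStatus">0xc000006a</Data><Data Name="LogonType">3</Data>
<Data Name="AuthenticationPackageName">NTLM</Data><Data Name="WorkstationName">-</Data>
<Data Name="ProcessName">-</Data><Data Name="IpAddress">10.0.0.15</Data><Data Name="IpPort">51240</Data></EventData></Event>
"@,
@"
<Event xmlns="$ns"><System><EventID>4625</EventID><TimeCreated SystemTime="2023-11-10T22:07:44.000Z"/></System>
<EventData><Data Name="SubjectUserSid">S-1-0-0</Data><Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">admin</Data><Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="Status">0xc000006d</Data><Data Name="SubStatus">0xc0000064</Data><Data Name="LogonType">3</Data>
<Data Name="AuthenticationPackageName">NTLM</Data><Data Name="WorkstationName">-</Data>
<Data Name="ProcessName">-</Data><Data Name="IpAddress">203.0.113.7</Data><Data Name="IpPort">44031</Data></EventData></Event>
"@
)

$decoded = $sampleXml | ForEach-Object { ConvertFrom-Event4625 ([xml]$_) }
$decoded | Format-Table TimeCreated, TargetUser, LogonTypeName, IpAddress, SubStatus, SubStatusText -AutoSize
Get-FailedLogonSummary -Events $decoded | Format-Table -AutoSize

# Live use on the Exchange server (elevated PowerShell), last 24 hours:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) } |
#         ForEach-Object { ConvertFrom-Event4625 ([xml]$_.ToXml()) }
# Get-FailedLogonSummary -Events $live | Format-Table -AutoSize
```

On the sample data the summary separates the two cases the answer raises: an internal address repeatedly failing with 0xC000006A against one service account (a device or job holding an old password), and an external address probing for a user that does not exist (0xC0000064), which is the pattern to compare against the firewall logs. For logon type 3 the Status is usually 0xC000006D and the real reason is in Sub Status, so group on Sub Status rather than Status.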

  2. Shaofan Lv-MSFT 6,915 Reputation points Microsoft Vendor
    2023-11-14T07:32:17.7733333+00:00

    Hello @mara2021

    This looks to be related to Windows Server. Did you check the last part of Konstantinos's answer?

    In most cases, Windows logs logon type 3 when you access your computer from elsewhere on the network. You can see the details of Event ID 4625 at this link:

    https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625

    Event ID 4625 is related to failed login attempts in Windows. It is possible that someone is trying to brute-force their way into your Exchange servers. Consider implementing additional security measures such as multi-factor authentication or IP restrictions. Make sure all users have strong passwords, and make sure that your servers are up to date with the latest security patches and updates.
    Regards

    Shaofan


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". 



  3. Konstantinos Passadis 19,066 Reputation points MVP
    2023-11-29T23:23:19.71+00:00

    Hello @mara2021 !

    This is an attempt to open a registry key that is not found.

    The path suggests it's related to cryptographic parameters, specifically for ECC (Elliptic Curve Cryptography) and the NIST (National Institute of Standards and Technology) P-384 curve, which is a standard for secure cryptographic operations.

    I don't see a problem here, and how is it related to Event ID 4625?

    lsass.exe is a Windows system process responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. It also writes to the Windows Security Log.

    Again, if Exchange is publicly exposed, check firewall logs for incoming and outgoing traffic.

    Use nmap to analyze traffic internally also.

    Use Defender for Identity to get a clear picture if you have a serious problem that could get bigger.

    Otherwise, if all patching is there and all the above are clear, you don't have to worry.

    P.S. Is there an antivirus on the server? Please disable it or read the documentation for exclusions on Exchange!


    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards

