Failed Type 3 Logons on domain workstation by Guest

Fred Marshall 1 Reputation point
2021-01-09T19:36:40.15+00:00

One workstation out of over 60 is showing these failed logons. Because they show up in our SIEM logs, they raise questions. It would be best if they didn't happen. No web service involved that I know of.

An account failed to log on.
Subject:
Security ID: NET\BackerSB
Account Name: BackerSB
Account Domain: NET
Logon ID: 0xBEE50

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: Guest
Account Domain: SB-BACKUP <<<< so a LOCAL computer "domain"

Failure Information:
Failure Reason: Account currently disabled.
Status: 0xC000006E
Sub Status: 0xC0000072

Process Information:
Caller Process ID: 0x1d4
Caller Process Name: C:\Windows\explorer.exe

Network Information:
Workstation Name: SB-BACKUP
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

How do I explain these?
How do I eliminate these?

Thanks!


4 answers

  1. khalil sulaiman 20 Reputation points
    2023-08-16T09:35:28.6766667+00:00

    Hi,

    I faced the same issue and fixed it as follows:

    • This issue happens when you have a folder with permissions set to Everyone.
    • When you try to open any file inside this folder, it will trigger the Everyone account, and then you will receive a Guest failed logon on this machine.
    • Open CMD and type net view \\127.0.0.1
    • It will show you all shared folders on this machine.
    • Now, go to each folder shown and right-click to check its permissions.
    • If any folder has an Everyone permission, change it to a specific person.
    • Restart the machine. Done; you will not see this log again.
    2 people found this answer helpful.
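
The share check described in the answer above can be scripted instead of right-clicking each folder. This is an added example, not part of the original answer: it assumes an elevated PowerShell session and the SmbShare module (Windows 8 / Server 2012 or later), and it looks for the well-known Everyone SID (S-1-1-0) in both the share-level and the NTFS permissions of each non-administrative share.

```powershell
# Added example: list local SMB shares where "Everyone" is allowed in the share
# ACL or in the NTFS ACL of the shared folder. Run elevated on the affected machine.

# Resolve the well-known SID S-1-1-0 to its local display name ("Everyone" on
# English Windows) so the comparison also works on localized systems.
$everyoneSid  = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$everyoneName = $everyoneSid.Translate([System.Security.Principal.NTAccount]).Value

$findings = foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {

    # 1. Share-level permissions (the "Share Permissions" dialog).
    Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccountName -eq $everyoneName -and
                       $_.AccessControlType -eq 'Allow' } |
        ForEach-Object {
            [pscustomobject]@{
                Share  = $share.Name
                Path   = $share.Path
                Layer  = 'Share'
                Rights = [string]$_.AccessRight
            }
        }

    # 2. NTFS permissions on the shared folder (the "Security" tab).
    #    Printer shares and similar have no file system path; skip them.
    if ($share.Path -and (Test-Path -LiteralPath $share.Path)) {
        $acl = Get-Acl -LiteralPath $share.Path
        # Request SIDs directly so no account-name translation is needed.
        $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
            Where-Object { $_.IdentityReference.Value -eq $everyoneSid.Value -and
                           $_.AccessControlType -eq 'Allow' } |
            ForEach-Object {
                [pscustomobject]@{
                    Share  = $share.Name
                    Path   = $share.Path
                    Layer  = 'NTFS'
                    Rights = [string]$_.FileSystemRights
                }
            }
    }
}

# One row per Everyone grant; an empty table means no share matched.
$findings | Sort-Object Share, Layer | Format-Table -AutoSize
```

Only the root folder of each share is inspected; subfolders with their own explicit permissions are not covered.
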

  2. Anonymous
    2021-01-14T02:56:46.203+00:00

    Hello,

    Thank you so much for your kind reply.

    It's hard to say what is causing this event to be generated with only this event. As per my research, Guest logon failure events occur because of permissions on shared folders set to Everyone.

    Similar discussion here:

    https://social.technet.microsoft.com/Forums/en-US/a2ae4591-f6e9-4177-8985-f47cdced3dca/event-id-4625-null-sid-guest-account-currently-disabled?forum=winserverNAP

    Best regards,
    Hannah Xiong


    1 person found this answer helpful.

  3. Anonymous
    2021-01-11T04:08:41.487+00:00

    Hello,

    Thank you so much for posting here.

    The logon type 3 means "A user or computer logged on to this computer from the network".

    According to the Failure Information, the reason is Account currently disabled.

    0XC000006E: Indicates a referenced user name and authentication information are valid, but some user account restriction has prevented successful authentication (such as time-of-day restrictions).

    0xC0000072: User logon to account disabled by administrator

    For more information, we could refer to:
    https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625

    Best regards,
    Hannah Xiong



  4. Fred Marshall 1 Reputation point
    2021-01-13T16:56:12.36+00:00

    We know what the failed logon message is telling us. So that doesn't help so much.
    The real question is:
    What causes these events to occur?
    The Guest account is Disabled so it's reasonable that Guest logons would be denied / would fail.
    But, we have no idea how this one computer can be generating failed logons by Guest in the first place.
    Thus the question.

