Windows Server 2012 R2 Audit Failure UNKNOWN USERS

Gregg 1 Reputation point
2020-07-30T05:28:56.463+00:00

Hello,

I've searched around several places and couldn't find anyone else specifically with this same issue.

I've now installed the Windows Server 2012 R2 Evaluation, obtained directly from Microsoft's web site in ISO format, four times (this one is my fourth). It consists of a DC and two App Servers.

This time, the fourth, I've taken VM snapshots at various stages throughout the installation:

  • Fresh install
  • Fresh install - All Windows updates installed
  • Fresh install - Hostname and Networking configured
  • Fresh install - DC promoted (for the DC server only)
  • Fresh install - Host joined to domain, additional Windows updates installed
  • Fresh install - SQL Server, SSRS, and SSMS installed (for only the App 1 server)

Nothing else was installed other than the above. The firewall is ON for all servers.

On App 2, in ALL circumstances I see in the Windows Event Log numerous audit failures for unknown usernames.

These usernames include names like ADMINISTRATÖR, EILEEN, RYAN, HYPER, SALLY, SYMANTEC, GILLIAN, WEBADMIN, DONNA, etc. All have NULL SIDs.

Has anyone else seen this? I really don't recall offhand if I've seen it on App 1, but I definitely didn't see it on the DC event log viewer. For the other three previous installations I've seen this (for the same installation of Win Server 2012 R2 evaluation - From the same media ISO file) it's been the same thing.

It couldn't be something trying to remote into the computer, could it? I would have to put Wireshark on it... But wouldn't the Event Viewer display the incoming IP address and not the current name of the host?

Thanks for the help!

[Screenshot attached: 14426-win-audit-failures-2020-07-29-22-23-38.jpg]


1 answer

  1. Anonymous
    2020-07-31T03:48:55.2+00:00

    Hello Gregg-3132,

    Thank you for posting here.

    So the app1 and app2 have the same numerous audit failures for unknown usernames, is that right?

    We can configure audit policy on DC and servers.

    GPO: Default Domain Policy

    Legacy audit policy:

    Computer Configuration\Windows settings\security settings\local policies\audit policy

    On DC
    Audit Account Logon Events – Failure
    Audit Account Management - Success and Failure

    On server
    Audit Logon Events – Failure

    Or use advanced audit policies (advanced audit policies will overwrite traditional audit policies by default):
    Computer Configuration\Windows settings\security settings\Advanced Audit Policy Configuration

    On server
    Logon/Logoff:
    Audit Account Lockout – Failure
    Audit Logon – Failure

    On DC
    Account Logon:
    Audit Kerberos Authentication Service - Failure
    Audit Credential Validation – Failure

    Account Management:
    Audit User Account Management – Success and Failure

    We can run the following commands on the domain controller to force the refresh policy and check whether the related audit policy settings are enabled:

    gpupdate /force
    auditpol /get /category:*

    If the Event ID 4625 reoccurs, we can check if there is Event ID 4776 (NTLM authentication) or Event ID 4771 (Kerberos authentication) on DC.

    Meanwhile, I can see the logon type is 3 above; it is a network logon. The most common case is access to network shared folders or printers. IIS certification is also Type 3.

    We can try to capture the netmon to see if there is any network access related to \\servername\sharedfoldername in the log.

    About how to capture Network Monitor traffic:
    1. Choose the version for your system to download and install it as usual: https://www.microsoft.com/en-US/download/details.aspx?id=4865
    2. Run Network Monitor as administrator.
    [Screenshot: 14765-net1.png]
    3. In the bottom left-hand corner, choose the NIC or NICs you want to capture.
    [Screenshot: 14670-net2.png]
    4. Run ipconfig /flushdns to clear the DNS cache and nbtstat -RR to clear the NetBIOS cache. Then run klist purge.
    5. Start the capture when the issue reoccurs. After the necessary information is collected, click Stop.
    [Screenshot: 14609-net3.png]
    6. Save the captured files.
    [Screenshot: 14783-net4.png]

    Best Regards,
    Daisy Zhou

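Added example, not part of the question or the answer above: a PowerShell triage script for the Event ID 4625 failures the thread discusses. It pulls each failure's account name, SID, logon type, NTSTATUS codes, and the source IP address and workstation name that 4625 records, then groups the NULL-SID "user does not exist" failures by source, which is what the asker wanted to know before resorting to a packet capture. It assumes an elevated session on the member server and that logon failure auditing is enabled as the answer describes.

```powershell
# Added example (not from the thread): summarise Event ID 4625 logon failures
# on a member server by account, source and logon type.
# Assumes: elevated session, readable Security log, "Audit Logon - Failure" on.
param(
    [int]$Hours = 24   # how far back to look
)

$filter = @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddHours(-$Hours)
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Flatten each event's EventData into a row of the fields worth triaging.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = $d['TargetUserName']
        Domain      = $d['TargetDomainName']
        Sid         = $d['TargetUserSid']              # S-1-0-0 is the NULL SID
        LogonType   = $d['LogonType']                  # 3 = network (SMB, RPC, IIS)
        AuthPkg     = $d['AuthenticationPackageName']  # NTLM vs Kerberos vs Negotiate
        Status      = $d['Status']                     # 0xC000006D = logon failure
        SubStatus   = $d['SubStatus']                  # 0xC0000064 = user does not exist
        Workstation = $d['WorkstationName']            # client-supplied host name
        SourceIp    = $d['IpAddress']                  # '-' when not recorded
    }
}

# Unknown accounts: NULL SID together with the "no such user" substatus.
# (-eq on strings is case-insensitive, so 0xc0000064 in the XML still matches.)
$unknown = $rows | Where-Object {
    $_.Sid -eq 'S-1-0-0' -and $_.SubStatus -eq '0xC0000064'
}

"4625 events in last $Hours h: $($rows.Count); unknown-account failures: $($unknown.Count)"

# One line per (user, source IP, workstation, logon type), busiest first.
$unknown |
    Group-Object User, SourceIp, Workstation, LogonType |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

If SourceIp is '-' for every row, the failing requests are reaching LSASS through a path that does not record the client address, and the Network Monitor capture from the answer is the next step.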
