Tons of 4625 and 4634 events

Dmitry 5 Reputation points
2024-04-02T08:09:23.94+00:00

In our organisation (about 500 active users) we have 2 AD domain controllers, both running Windows Server 2012 R2. There's a file server on a Hyper-V VM running Windows Server 2022.

Yesterday we started receiving complaints that the file server became unusable due to the error "Additional connections to this remote computer are currently not possible because the number of connections has reached its limit." But the server's connection limit is set to about 16000.


After some time I noticed weird behavior on the main DC in Event Viewer, in the section "Windows journals > Security". A few days ago it started littering with 4625 and 4634 events. Some of these are successful, some are not. In the field "TargetUserName" it sometimes shows various of our AD users, PC names followed by a "$" sign, and sometimes it shows generic usernames such as "JOHN". LogonProcessName shows Kerberos and NtLmSsp. Here's a sample of a logon rejection 4625 event:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2024-04-02T07:56:47.050749400Z" />
    <EventRecordID>232578365</EventRecordID>
    <Correlation />
    <Execution ProcessID="664" ThreadID="3024" />
    <Channel>Security</Channel>
    <Computer>alpha.economy.lan</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">HERRAJESWEB</Data>
    <Data Name="TargetDomainName" />
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc0000064</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName" />
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x0</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">-</Data>
    <Data Name="IpPort">-</Data>
  </EventData>
</Event>

Here's an example of a successful 4634 event:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4634</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12545</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2024-04-02T07:56:46.832004600Z" />
    <EventRecordID>232578364</EventRecordID>
    <Correlation />
    <Execution ProcessID="664" ThreadID="3488" />
    <Channel>Security</Channel>
    <Computer>alpha.economy.lan</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserSid">S-1-5-21-920013730-1599901524-189505704-2641</Data>
    <Data Name="TargetUserName">PRIEMDIR$</Data>
    <Data Name="TargetDomainName">ECONOMY</Data>
    <Data Name="TargetLogonId">0x12620a7</Data>
    <Data Name="LogonType">3</Data>
  </EventData>
</Event>

We tried catching a PC that might be the cause, but failed. It seems to be within the server room. Is there any possible way to track it down? Thanks in advance for any possible kind of assistance in that regard.
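One way to narrow the source down from the DC's own Security log, as an added example that is not part of the question or of either answer: the 4625 sample above carries no IpAddress and no WorkstationName, so the first thing worth knowing is how many of the failures do name a source, which accounts and failure codes dominate, and which authentication package they arrive through. The script below assumes it is run in an elevated PowerShell on the DC (alpha.economy.lan in the question), uses only the built-in Get-WinEvent cmdlet, and the 24-hour window and the 50000-event cap are arbitrary choices. The final 4776 query is an addition of mine, not something the thread mentions: for NTLM, the DC also records a credential-validation event (4776) whose Workstation field names the computer that submitted the credentials, which is the next hop to chase when 4625 itself is blank.

```powershell
# Added example (not from the thread): tabulate failed logons on a DC to find where they come from.
# Assumptions: run elevated on the DC; lookback window and event cap are arbitrary.
param(
    [int]$Hours = 24,
    [int]$MaxEvents = 50000
)

$since = (Get-Date).AddHours(-$Hours)

# Pull the <EventData> fields (the same ones the question quotes) out of the record's XML view.
function Get-EventDataHashtable {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $xml = [xml]$Record.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        $h[$d.Name] = $d.'#text'
    }
    $h
}

# 4625 = failed logon. SubStatus says why: 0xC0000064 = user does not exist (as in the sample),
# 0xC000006A = wrong password, 0xC0000234 = account locked out.
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventDataHashtable $_
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = $d['TargetUserName']
            SubStatus   = $d['SubStatus']
            AuthPackage = $d['AuthenticationPackageName']
            LogonType   = $d['LogonType']
            Workstation = $d['WorkstationName']
            IpAddress   = $d['IpAddress']
        }
    }

"Failed logons since $since : $($failed.Count)"

"`nBy source address / workstation ('-' or empty means this event does not identify the client):"
$failed | Group-Object IpAddress, Workstation | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

"`nBy failure code and authentication package:"
$failed | Group-Object SubStatus, AuthPackage | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Many distinct, mostly non-existent account names (0xC0000064) from one source is the
# username-guessing pattern the second answer warns about; that source is what to isolate.
"`nTop 20 target accounts:"
$failed | Group-Object User | Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name | Format-Table -AutoSize

# 4776 = the DC validated NTLM credentials on behalf of a member server. Its Workstation field
# names the computer that submitted them (often the file server rather than the end client),
# so a spike here points at the machine whose own Security log should be read next.
"`n4776 NTLM validation failures by submitting workstation:"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4776; StartTime = $since } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EventDataHashtable $_ } |
    Where-Object { $_['Status'] -ne '0x0' } |
    Group-Object { $_['Workstation'] } | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Save it as a .ps1 and run it on each DC in turn, since only the DC that handled a given request logs it. If the 4776 table points at the file server, repeat the 4625 grouping on that server: its events are logged for the connection the client actually made and normally carry the client's IP address.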


2 answers
  1. S.Sengupta 15,511 Reputation points MVP
    2024-04-03T01:45:13.8533333+00:00

    If your server is a domain controller, it authenticates login attempts for other machines on the network. This means you'll see a high volume of 4624/4634 events for various user accounts.

    If a user's connection drops and automatically reconnects, you'll see a corresponding 4634 (logoff) and 4624 (logon) event pair.

    These events are generally informational and not a security concern.


  2. Yanhong Liu 2,635 Reputation points Microsoft Vendor
    2024-04-03T07:45:14.1933333+00:00

    Hello,

    Based on your description, even if the server's connection limit is set to about 16000, the server may reach its limit due to other factors (such as network bandwidth, server resources, or the number of simultaneous connections from a single user). You may want to check these factors and possibly increase server resources or limit the number of simultaneous connections from a single user if necessary.


    As mentioned before, it is normal for a domain controller to see a large number of 4624/4634 events as it authenticates login attempts from other computers on the network. However, if you see a large number of 4625 events (failed login attempts), it may indicate a potential security issue, such as a brute force attack. You may want to further investigate these failed login attempts, and you can use Microsoft Advanced Threat Analytics (ATA) to help identify the source of these failed login attempts. Additionally, consider implementing an account lockout policy to prevent brute force attacks.

    Best Regards,

    Yanhong Liu
