4625(F): An account failed to log on.

Applies to

  • Windows 10
  • Windows Server 2016

Event 4625 illustration

Subcategories: Audit Account Lockout and Audit Logon

Event Description:

This event generates if an account logon attempt failed when the account was already locked out. It also generates for a logon attempt after which the account was locked out.

It generates on the computer where the logon attempt was made; for example, if the logon attempt was made on a user's workstation, then the event will be logged on that workstation.

This event generates on domain controllers, member servers, and workstations.

Note

For recommendations, see Security Monitoring Recommendations for this event.


Event XML:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12546</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-08T22:54:54.962511700Z" />
    <EventRecordID>229977</EventRecordID>
    <Correlation />
    <Execution ProcessID="516" ThreadID="3240" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DC01$</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">Auditor</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="Status">0xc0000234</Data>
    <Data Name="FailureReason">%%2307</Data>
    <Data Name="SubStatus">0x0</Data>
    <Data Name="LogonType">2</Data>
    <Data Name="LogonProcessName">User32</Data>
    <Data Name="AuthenticationPackageName">Negotiate</Data>
    <Data Name="WorkstationName">DC01</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x1bc</Data>
    <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
    <Data Name="IpAddress">127.0.0.1</Data>
    <Data Name="IpPort">0</Data>
  </EventData>
</Event>

Required Server Roles: None.

Minimum OS Version: Windows Server 2008, Windows Vista.

Event Versions: 0.

Field Descriptions:

Subject:

  • Security ID [Type = SID]: SID of the account that reported information about the logon failure. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

    Note

    A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

  • Account Name [Type = UnicodeString]: the name of the account that reported information about the logon failure.

  • Account Domain [Type = UnicodeString]: subject's domain or computer name. Here are some examples of formats:

    • Domain NETBIOS name example: CONTOSO

    • Lowercase full domain name: contoso.local

    • Uppercase full domain name: CONTOSO.LOCAL

    • For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.

    • For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.

  • Logon Type [Type = UInt32]: the type of logon that was performed. “Table 11. Windows Logon Types” contains the list of possible values for this field.

    Table 11: Windows Logon Types

    Logon Type  Logon Title        Description
    2           Interactive        A user logged on to this computer.
    3           Network            A user or computer logged on to this computer from the network.
    4           Batch              Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.
    5           Service            A service was started by the Service Control Manager.
    7           Unlock             This workstation was unlocked.
    8           NetworkCleartext   A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).
    9           NewCredentials     A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
    10          RemoteInteractive  A user logged on to this computer remotely using Terminal Services or Remote Desktop.
    11          CachedInteractive  A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.

Account For Which Logon Failed:

  • Security ID [Type = SID]: SID of the account that was specified in the logon attempt. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

    Note

    A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

  • Account Name [Type = UnicodeString]: the name of the account that was specified in the logon attempt.

  • Account Domain [Type = UnicodeString]: domain or computer name. Here are some examples of formats:

    • Domain NETBIOS name example: CONTOSO

    • Lowercase full domain name: contoso.local

    • Uppercase full domain name: CONTOSO.LOCAL

    • For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.

    • For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.

  • Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”

Failure Information:

  • Failure Reason [Type = UnicodeString]: textual explanation of the Status field value. For this event, it typically has the “Account locked out” value.

  • Status [Type = HexInt32]: the reason why the logon failed. For this event, it typically has the “0xC0000234” value. The most common status codes are listed in “Table 12. Windows logon status codes.”

    Table 12: Windows logon status codes.

    Status\Sub-Status Code  Description
    0xC000005E              There are currently no logon servers available to service the logon request.
    0xC0000064              User logon with misspelled or bad user account
    0xC000006A              User logon with misspelled or bad password
    0xC000006D              The cause is either a bad username or authentication information
    0xC000006E              Indicates a referenced user name and authentication information are valid, but some user account restriction has prevented successful authentication (such as time-of-day restrictions).
    0xC000006F              User logon outside authorized hours
    0xC0000070              User logon from unauthorized workstation
    0xC0000071              User logon with expired password
    0xC0000072              User logon to account disabled by administrator
    0xC00000DC              Indicates the Sam Server was in the wrong state to perform the desired operation.
    0xC0000133              Clocks between DC and other computer too far out of sync
    0xC000015B              The user has not been granted the requested logon type (also called the logon right) at this machine
    0xC000018C              The logon request failed because the trust relationship between the primary domain and the trusted domain failed.
    0xC0000192              An attempt was made to logon, but the Netlogon service was not started.
    0xC0000193              User logon with expired account
    0xC0000224              User is required to change password at next logon
    0xC0000225              Evidently a bug in Windows and not a risk
    0xC0000234              User logon with account locked
    0xC00002EE              Failure Reason: An Error occurred during Logon
    0xC0000413              Logon Failure: The machine you are logging on to is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.
    0x0                     Status OK.

Note

To see the meaning of other status or substatus codes, you might also check for the status code in the Windows header file ntstatus.h in the Windows SDK.

More information: https://dev.windows.com/en-us/downloads

  • Sub Status [Type = HexInt32]: additional information about the logon failure. The most common substatus codes are listed in “Table 12. Windows logon status codes.”

Process Information:

  • Caller Process ID [Type = Pointer]: hexadecimal Process ID of the process that attempted the logon. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):

    Task manager illustration

    If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.

    You can also correlate this process ID with a process ID in other events, for example, “4688: A new process has been created” Process Information\New Process ID.

  • Caller Process Name [Type = UnicodeString]: full path and the name of the executable for the process.

Network Information:

  • Workstation Name [Type = UnicodeString]: machine name from which the logon attempt was performed.

  • Source Network Address [Type = UnicodeString]: IP address of the machine from which the logon attempt was performed.

    • IPv6 address or ::ffff:IPv4 address of a client.

    • ::1 or 127.0.0.1 means localhost.

  • Source Port [Type = UnicodeString]: source port that was used for the logon attempt from the remote machine.

    • 0 for interactive logons.

Detailed Authentication Information:

  • Logon Process [Type = UnicodeString]: the name of the trusted logon process that was used for the logon attempt. See event “4611: A trusted logon process has been registered with the Local Security Authority” description for more information.

  • Authentication Package [Type = UnicodeString]: the name of the authentication package that was used for the logon authentication process. Default packages loaded on LSA startup are located in the “HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig” registry key. Other packages can be loaded at runtime. When a new package is loaded, a “4610: An authentication package has been loaded by the Local Security Authority” (typically for NTLM) or “4622: A security package has been loaded by the Local Security Authority” (typically for Kerberos) event is logged to indicate that a new package has been loaded along with the package name. The most common authentication packages are:

    • NTLM – NTLM-family Authentication

    • Kerberos – Kerberos authentication.

    • Negotiate – the Negotiate security package selects between Kerberos and NTLM protocols. Negotiate selects Kerberos unless it cannot be used by one of the systems involved in the authentication or the calling application did not provide sufficient information to use Kerberos.

  • Transited Services [Type = UnicodeString] [Kerberos-only]: the list of transmitted services. Transmitted services are populated if the logon was a result of a S4U (Service For User) logon process. S4U is a Microsoft extension to the Kerberos Protocol to allow an application service to obtain a Kerberos service ticket on behalf of a user – most commonly done by a front-end website to access an internal resource on behalf of a user. For more information about S4U, see https://msdn.microsoft.com/library/cc246072.aspx

  • Package Name (NTLM only) [Type = UnicodeString]: the name of the LAN Manager subpackage (NTLM-family protocol name) that was used during the logon attempt. Possible values are:

    • “NTLM V1”

    • “NTLM V2”

    • “LM”

      Only populated if “Authentication Package” = “NTLM”.

  • Key Length [Type = UInt32]: the length of the NTLM Session Security key. Typically, it has a length of 128 bits or 56 bits. This parameter is always 0 if “Authentication Package” = “Kerberos”, because it is not applicable for the Kerberos protocol. This field will also have the “0” value if Kerberos was negotiated using the Negotiate authentication package.
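An added example (not from the original page) that parses the event XML shown above and decodes Status, Sub Status, Logon Type and the hexadecimal Caller Process ID using the page's Table 11 and Table 12. The embedded sample is the page's own event cut down to the elements read; the status dictionary reproduces only a subset of Table 12.

```python
"""Parse a Windows Security event 4625 XML export and decode its fields with the
page's Table 11 (logon types) and Table 12 (status codes). Added example."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Table 11: Windows Logon Types (value -> Logon Title).
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}

# Table 12: Windows logon status codes (subset of the page's table).
STATUS_CODES = {
    0xC000005E: "There are currently no logon servers available to service the logon request.",
    0xC0000064: "User logon with misspelled or bad user account",
    0xC000006A: "User logon with misspelled or bad password",
    0xC000006D: "The cause is either a bad username or authentication information",
    0xC000006F: "User logon outside authorized hours",
    0xC0000070: "User logon from unauthorized workstation",
    0xC0000071: "User logon with expired password",
    0xC0000072: "User logon to account disabled by administrator",
    0xC000015B: "The user has not been granted the requested logon type at this machine",
    0xC0000193: "User logon with expired account",
    0xC0000234: "User logon with account locked",
    0x0: "Status OK.",
}

# The page's sample event, reduced to the elements this example reads (constructed cut-down copy).
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><Computer>DC01.contoso.local</Computer></System>
  <EventData>
    <Data Name="TargetUserName">Auditor</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="Status">0xc0000234</Data>
    <Data Name="SubStatus">0x0</Data>
    <Data Name="LogonType">2</Data>
    <Data Name="ProcessId">0x1bc</Data>
    <Data Name="ProcessName">C:\\Windows\\System32\\winlogon.exe</Data>
    <Data Name="IpAddress">127.0.0.1</Data>
  </EventData>
</Event>"""

def parse_event_4625(xml_text):
    """Return the EventData fields as a dict, plus EventID and Computer from <System>."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    fields = {"EventID": int(system.find("e:EventID", NS).text),
              "Computer": system.find("e:Computer", NS).text}
    for data in root.find("e:EventData", NS).findall("e:Data", NS):
        fields[data.get("Name")] = data.text
    return fields

def decode_event_4625(fields):
    """Translate the raw hex/integer fields into the page's descriptions."""
    status, sub = int(fields["Status"], 16), int(fields["SubStatus"], 16)
    logon_type = int(fields["LogonType"])
    return {
        "account": "%s\\%s" % (fields["TargetDomainName"], fields["TargetUserName"]),
        "status": STATUS_CODES.get(status, "unknown status 0x%08X" % status),
        "sub_status": STATUS_CODES.get(sub, "unknown sub status 0x%08X" % sub),
        "logon_type": LOGON_TYPES.get(logon_type, "unknown logon type %d" % logon_type),
        # Caller Process ID is logged in hex; Task Manager shows it in decimal.
        "caller_pid": int(fields["ProcessId"], 16),
        "source": "localhost" if fields["IpAddress"] in ("::1", "127.0.0.1") else fields["IpAddress"],
    }

if __name__ == "__main__":
    for key, value in decode_event_4625(parse_event_4625(SAMPLE_EVENT)).items():
        print("%-12s %s" % (key, value))
```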

Security Monitoring Recommendations

For 4625(F): An account failed to log on.

  • If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with “Process Name” not equal to your defined value.

  • You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or Program Files) or is in a restricted folder (for example, Temporary Internet Files).

  • If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or “cain.exe”), check for these substrings in “Process Name.”

  • If Subject\Account Name is the name of a service account or user account, it may be useful to investigate whether that account is allowed (or expected) to request logon for Account For Which Logon Failed\Security ID.

  • To monitor for a mismatch between the logon type and the account that uses it (for example, if Logon Type 4-Batch or 5-Service is used by a member of a domain administrative group), monitor Logon Type in this event.

  • If you have a high-value domain or local account for which you need to monitor every lockout, monitor all 4625 events with the “Subject\Security ID” that corresponds to the account.

  • We recommend monitoring all 4625 events for local accounts, because these accounts typically should not be locked out. Monitoring is especially relevant for critical servers, administrative workstations, and other high-value assets.

  • We recommend monitoring all 4625 events for service accounts, because these accounts should not be locked out or prevented from functioning. Monitoring is especially relevant for critical servers, administrative workstations, and other high-value assets.

  • If your organization restricts logons in the following ways, you can use this event to monitor accordingly:

    • If the “Account For Which Logon Failed\Security ID” should never be used to log on from the specific Network Information\Workstation Name.

    • If a specific account, such as a service account, should only be used from your internal IP address list (or some other list of IP addresses). In this case, you can monitor for Network Information\Source Network Address and compare the network address with your list of IP addresses.

    • If a particular version of NTLM is always used in your organization. In this case, you can use this event to monitor Package Name (NTLM only), for example, to find events where Package Name (NTLM only) does not equal NTLM V2.

    • If NTLM is not used in your organization, or should not be used by a specific account (New Logon\Security ID). In this case, monitor for all events where Authentication Package is NTLM.

    • If the Authentication Package is NTLM. In this case, monitor for Key Length not equal to 128, because all Windows operating systems starting with Windows 2000 support 128-bit Key Length.

    • If Logon Process is not from a trusted logon processes list.

  • Monitor for all events with the fields and values in the following table:

    Field: Failure Information\Status or Failure Information\Sub Status

    Values to monitor for:

    • 0xC000005E – “There are currently no logon servers available to service the logon request.” This issue is typically not a security issue, but it can be an infrastructure or availability issue.

    • 0xC0000064 – “User logon with misspelled or bad user account”. Especially if you get several of these events in a row, it can be a sign of a user enumeration attack.

    • 0xC000006A – “User logon with misspelled or bad password” for critical accounts or service accounts. Especially watch for a number of such events in a row.

    • 0xC000006D – “This is either due to a bad username or authentication information” for critical accounts or service accounts. Especially watch for a number of such events in a row.

    • 0xC000006F – “User logon outside authorized hours”.

    • 0xC0000070 – “User logon from unauthorized workstation”.

    • 0xC0000072 – “User logon to account disabled by administrator”.

    • 0xC000015B – “The user has not been granted the requested logon type (aka logon right) at this machine”.

    • 0xC0000192 – “An attempt was made to logon, but the Netlogon service was not started”. This issue is typically not a security issue, but it can be an infrastructure or availability issue.

    • 0xC0000193 – “User logon with expired account”.

    • 0xC0000413 – “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”.
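The monitoring recommendations above turned into detection logic over already-parsed 4625 EventData fields, as an added example that is not part of the original page. The watched status codes, the System32/Program Files folders and the “mimikatz”/“cain.exe” words come from the text above; the trusted logon process list, the domain admin set, the repeat threshold and the sample events are constructed assumptions.

```python
"""Detection logic for the Security Monitoring Recommendations above, run over
already-parsed 4625 EventData fields. Added example; the allow-lists marked
'assumed' and the sample events are constructed, not from the page."""
from collections import Counter

# Status or Sub Status values the page's monitoring table says to watch for.
WATCHED_STATUS = {
    0xC000005E: "no logon servers available (usually infrastructure/availability, not security)",
    0xC0000064: "bad user account (several in a row can be user enumeration)",
    0xC000006A: "bad password (watch for a number in a row on critical/service accounts)",
    0xC000006D: "bad username or authentication information",
    0xC000006F: "logon outside authorized hours",
    0xC0000070: "logon from unauthorized workstation",
    0xC0000072: "logon to account disabled by administrator",
    0xC000015B: "requested logon type not granted at this machine",
    0xC0000192: "Netlogon service not started (usually infrastructure/availability, not security)",
    0xC0000193: "logon with expired account",
    0xC0000413: "machine is protected by an authentication firewall",
}
BAD_CREDENTIAL_CODES = {0xC0000064, 0xC000006A, 0xC000006D}
STANDARD_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")  # from the page
RESTRICTED_WORDS = ("mimikatz", "cain.exe")                           # the page's example list
TRUSTED_LOGON_PROCESSES = {"User32", "Advapi", "NtLmSsp", "Kerberos"}  # assumed list
DOMAIN_ADMINS = {"CONTOSO\\Administrator"}                            # assumed list

def make_event(**overrides):
    """Constructed EventData dict defaulting to the page's sample event values."""
    ev = dict(TargetUserName="Auditor", TargetDomainName="CONTOSO", Status="0xc0000234",
              SubStatus="0x0", LogonType="2", LogonProcessName="User32",
              AuthenticationPackageName="Negotiate", LmPackageName="-", KeyLength="0",
              ProcessName="C:\\Windows\\System32\\winlogon.exe", IpAddress="127.0.0.1")
    ev.update(overrides)
    return ev

def check_event(ev):
    """Return the findings for one event, in a stable order."""
    findings = []
    codes = {int(ev["Status"], 16), int(ev["SubStatus"], 16)}
    for code in sorted(codes & set(WATCHED_STATUS)):
        findings.append("status 0x%08X: %s" % (code, WATCHED_STATUS[code]))
    proc = ev["ProcessName"].lower()
    if proc != "-" and not proc.startswith(STANDARD_DIRS):
        findings.append("caller process outside standard folders: " + ev["ProcessName"])
    if any(word in proc for word in RESTRICTED_WORDS):
        findings.append("restricted word in caller process name: " + ev["ProcessName"])
    account = "%s\\%s" % (ev["TargetDomainName"], ev["TargetUserName"])
    if account in DOMAIN_ADMINS and ev["LogonType"] in ("4", "5"):   # Batch/Service by an admin
        findings.append("logon type %s used by domain admin %s" % (ev["LogonType"], account))
    if ev["AuthenticationPackageName"] == "NTLM":
        if ev["LmPackageName"] != "NTLM V2":
            findings.append("NTLM package is not NTLM V2: " + ev["LmPackageName"])
        if ev["KeyLength"] != "128":
            findings.append("NTLM key length is not 128: " + ev["KeyLength"])
    if ev["LogonProcessName"] not in TRUSTED_LOGON_PROCESSES:
        findings.append("untrusted logon process: " + ev["LogonProcessName"])
    return findings

def scan(events, repeat_threshold=5):
    """Run check_event over an ordered batch and flag a run of bad-account or
    bad-password failures from one source address (enumeration or guessing).
    Returns {event index: findings} for events that produced any finding."""
    streaks, results = Counter(), {}
    for i, ev in enumerate(events):
        findings = check_event(ev)
        codes = {int(ev["Status"], 16), int(ev["SubStatus"], 16)}
        src = ev["IpAddress"]
        streaks[src] = streaks[src] + 1 if codes & BAD_CREDENTIAL_CODES else 0
        if streaks[src] == repeat_threshold:
            findings.append("%d consecutive bad-account/password failures from %s"
                            % (repeat_threshold, src))
        if findings:
            results[i] = findings
    return results
```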