Terminal Server Security

Posted by robd on December 01, 2014
powershell

Today a client noticed several thousand failed secuity attempts on their Terminal Server:

Failure Information:
	Failure Reason:		Unknown user name or bad password.
	Status:			0xc000006d
	Sub Status:		0xc0000064

Process Information:
	Caller Process ID:	0x5f8
	Caller Process Name:	C:\Windows\System32\winlogon.exe

Network Information:
	Workstation Name:	SERVER01
	Source Network Address:	124.166.240.111
	Source Port:		56272

Detailed Authentication Information:
	Logon Process:		User32 
	Authentication Package:	Negotiate
	Transited Services:	-
	Package Name (NTLM only):	-

 

So after filtering the Event 4625 in event viewer I found I couldnt export the Source Network Address. So came up with this handy powershell script to export the IP to a csv:

$DT = [DateTime]::Now.AddDays(-1)
$logName = '{0}{1}_security4625_log_{2}.csv' -f "c:\temp\",
 $DT.tostring("dd-MM-yyyy"), $env:Computername
 
Get-EventLog -LogName 'Security' `
 -InstanceId 4625 `
 -After $DT |
 Select-Object @{
  Name='TargetUserName'
  Expression={$_.ReplacementStrings[5]}
 },
 @{
  Name='WorkstationName'
  Expression={$_.ReplacementStrings[1] -replace '\$$'}
 },
 @{
  Name='IpAddress'
  Expression={$_.ReplacementStrings[-2]}
 },
 @{
  Name='IpPort'
  Expression={$_.ReplacementStrings[-5]}
 } |
 Export-Csv -Path $logName

 

Tags: , , ,

1 Comment to Terminal Server Security

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Copy Protected by Chetan's WP-Copyprotect.