We have RDS server setup on the Azure cloud and published few apps through RDWeb, all the remote user are being authenticated through AD it is on the same RDS server. I have been noticing the multiple logon attempt on my RDS server and following the are events logged on the Trend Micro Deep Security IPS. Strange thing is it is using RDS server loopback IPv6 address and hostname as the username to connect and I have observed events being logged every 9 minutes during working hours and non working hours it is hourly once.
Description: Multiple Windows Logon Failures Rank: 50 = Asset Value x Severity Value = 1 x 50 Severity: High (10) Groups: windows,authentication_failures, Program Name: Event: WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: *******: An account failed to log on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: ******* Account Domain: SAAS Failure Information: Failure Reason: %%2313 Status: 0xc000006d Sub Status: 0xc0000064 Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: ******* Source Network Address: LOOPBACK IPV6 address Source Port: 56396 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted.
If anyone come across such situation please share your fix. Thanks in advance.