Network (IP) address is no longer listed as the source of multiple failed login attempts - Events 4776 in Windows 2008 R2
Our Windows 2008R2 security log is full of failed login attempt events 4776, but we're unable to block them because no IP address is provided for the network source of these attempts - like it was in Windows 2003 Server.
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 9/26/2012 2:32:27 AM
Event ID: 4776
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A
Computer: MAIL.XYZ.COM
Description:
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: admin
Source Workstation: MAIL
Error Code: 0xc0000064
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4776</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14336</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2012-09-26T06:32:27.570062500Z" />
<EventRecordID>18318</EventRecordID>
<Correlation />
<Execution ProcessID="452" ThreadID="540" />
<Channel>Security</Channel>
<Computer>MAIL.XYZ.COM</Computer>
<Security />
</System>
<EventData>
<Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
<Data Name="TargetUserName">admin</Data>
<Data Name="Workstation">MAIL</Data>
<Data Name="Status">0xc0000064</Data>
</EventData>
</Event>
September 29th, 2012 9:37am
Looks like it came from a computer named MAIL, so maybe internal?
0xc0000064 = user name does not exist (admin)
Regards, Dave Patrick ....
Microsoft Certified Professional
Microsoft MVP [Windows]
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
September 29th, 2012 11:12am
The user names are all different in these log events, and they constantly change, which may indicate a hacking attempt. However, in Windows 2003 these types of events looked like this, showing the IP address the request came from, so we could trace and block them -- but not in Windows 2008:
Logon Failure:
Reason: Unknown user name or bad password
User Name: s
Domain: MAIL
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: MAIL
Caller User Name: MAIL$
Caller Domain: XXXX
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 3728
Transited Services: -
Source Network Address: 202.67.170.186
Source Port: 57365
September 30th, 2012 11:03am
That looks like a 529 failure audit. Do you find event 4625?
Also note:
http://support.microsoft.com/default.aspx?scid=kb;en-us;2157973
Regards, Dave Patrick ....
September 30th, 2012 12:33pm
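As an added example (not posted by anyone in this thread): since 4776 only records the workstation name, the source address has to come from the matching 4625 events, whose EventData carries IpAddress and IpPort. The script below assumes it is run elevated on the same host and that Logon failure auditing is enabled so 4625 is actually written.

```powershell
# Added example, not from the thread: read 4625 (logon failure) events from the last 24h,
# flatten their EventData, and rank the source addresses that 4776 does not show.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    # EventData is a list of <Data Name="..."> nodes, same layout as the 4776 XML above
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = $d['TargetUserName']
        Workstation = $d['WorkstationName']
        IpAddress   = $d['IpAddress']
        IpPort      = $d['IpPort']
        LogonType   = $d['LogonType']
        Status      = $d['Status']
        SubStatus   = $d['SubStatus']   # 0xc0000064 = user name does not exist (the code seen in 4776)
    }
}

# Top source addresses; "-" means the attempt did not come over the network
$rows | Where-Object { $_.IpAddress -and $_.IpAddress -ne '-' } |
    Group-Object IpAddress | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Users'; e = { ($_.Group.User | Select-Object -Unique) -join ',' } } |
    Format-Table -AutoSize

# If 4776 keeps firing but no 4625 is returned, Logon failure auditing is off; enable it with:
#   auditpol /set /subcategory:"Logon" /failure:enable
```

Addresses that dominate the table with many distinct user names are the ones worth blocking at the firewall; a high count with IpAddress "-" points at a local process rather than a remote host.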
No. Like I said - the log is FULL of events 4776, and neither the Windows 2008R2 system nor the link to "EventLog Online Help" can tell me where these failing login attempts are coming from. This is so disappointing - a simple, previously existing and extremely helpful piece of functionality (source network address) appears to have been lost in the next version of the Microsoft OS product???...
October 1st, 2012 12:44am
It looks like by default there are nine basic security audit policies. This article will guide you in enabling 53 more specific events, which will hopefully give you the desired result.
http://technet.microsoft.com/en-us/library/dd408940(v=ws.10).aspx
Regards, Dave Patrick ....
October 1st, 2012 10:01am
I keep reading it, but not finding anything related to what information is captured for failed login events...
October 2nd, 2012 3:56pm
I'd start with at least this one.
http://technet.microsoft.com/en-us/library/dd941635(v=ws.10).aspx
Shown is the local security policy.
Regards, Dave Patrick ....
October 2nd, 2012 9:20pm