Domain server error, event 4625

I just started working on this network. I see the error below a few times an hour on the domain server. The IP below, 192.168.0.xx, is the IP of the domain server.

Any help will be appreciated.

An account failed to log on.

Subject:
      Security ID:            NULL SID
      Account Name:            -
      Account Domain:            -
      Logon ID:            0x0

Logon Type:                  3

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            administrator
      Account Domain:            DOMAIN

Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xC000006D
      Sub Status:            0xC000006A

Process Information:
      Caller Process ID:      0x0
      Caller Process Name:      -

Network Information:
      Workstation Name:      NEXPOSE
      Source Network Address:      192.168.0.xx
      Source Port:            49752

Detailed Authentication Information:
      Logon Process:            NtLmSsp
      Authentication Package:      NTLM
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0
Asked by dreamer123456

Von Anderson commented:
More than likely the workstation (listed in Workstation Name: NEXPOSE) is doing pass-through authentication on an account named administrator. An example of what could be happening would be a user on another system attempting to access a share on NEXPOSE using the administrator credential. Kerberos authentication fails, so NEXPOSE attempts to validate using NTLM. It sends a request to the domain controller to validate the user (administrator). The domain also has an administrator account and the passwords don't match.

This can also happen if you are using a script to access machines using the local administrator account for the credential. If the target workstation is in the domain, it will attempt to validate authentication against the domain. The domain administrator password is not the same as the local workstation password, generating the failed logon attempt.

Other potential causes: service accounts, scheduled tasks and mapped drives that are using administrator as the credential.
btan (Exec Consultant) commented:
Actually, I am thinking NEXPOSE is a scanning machine. The name is the name of a product from a company called Rapid7. The product's main feature is to remotely scan other machines for any gaps, and it will also attempt to log in with accounts (e.g. via NTLM), etc. Here is the product's configuration for adding a credential and NTLM hash for authentication to the target machine.
https://help.rapid7.com/nexpose/en-us/Files/NTLM_Hash.html

In short, NEXPOSE may be trying to penetrate the DC system.
- Look for any other logoff failures in the past few days or week, if possible.
- Check with your past colleagues whether this symptom is new.
- Specifically, is such a 4625 event common during any security scanning done by the IT or security team?
- Do trace down this machine. Check whether any domain user is using it. See if it is a domain (or standalone) machine.
- Check the firewall logs on the source too, and traffic to other internal IP addresses (other machines).
- Check if the machine is going to or from the internet.
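
One way to run the checks suggested in the answers above (how often the failures occur, and from which workstation, address and account), added here as an example that is not part of the original thread. The function name Get-FailedLogonSummary and the sample event are constructed for illustration; it assumes PowerShell 3.0 or later.

```powershell
# Added example: summarise 4625 (failed logon) events by origin and cause.
# Get-FailedLogonSummary is a hypothetical helper name, not a built-in cmdlet.
function Get-FailedLogonSummary {
    param([Parameter(Mandatory)][string[]]$EventXml)

    # Common 4625 Sub Status codes; anything else is reported as the raw code.
    $subStatusText = @{
        '0xc0000064' = 'User name does not exist'
        '0xc000006a' = 'Correct user name, wrong password'
        '0xc0000234' = 'Account locked out'
        '0xc0000072' = 'Account disabled'
    }

    $rows = foreach ($xmlText in $EventXml) {
        $evt = [xml]$xmlText
        # Flatten the <Data Name="..."> elements into a lookup table.
        $d = @{}
        foreach ($n in $evt.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $sub = ([string]$d['SubStatus']).ToLower()
        [pscustomobject]@{
            Account     = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
            Workstation = $d['WorkstationName']
            SourceIp    = $d['IpAddress']
            Package     = $d['AuthenticationPackageName']
            Reason      = if ($subStatusText.ContainsKey($sub)) { $subStatusText[$sub] } else { $sub }
        }
    }
    # One line per distinct origin/account/cause, most frequent first.
    $rows | Group-Object Workstation, SourceIp, Account, Package, Reason |
        Sort-Object Count -Descending | Select-Object Count, Name
}

# Constructed sample mirroring the event in the question (IP left elided as posted).
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><EventData>
<Data Name="TargetUserName">administrator</Data><Data Name="TargetDomainName">DOMAIN</Data>
<Data Name="Status">0xc000006d</Data><Data Name="SubStatus">0xc000006a</Data>
<Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="WorkstationName">NEXPOSE</Data><Data Name="IpAddress">192.168.0.xx</Data>
</EventData></Event>
'@
Get-FailedLogonSummary -EventXml $sample

# Live use on the domain controller, from an elevated prompt:
# $xml = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625;
#          StartTime=(Get-Date).AddDays(-7)} | ForEach-Object { $_.ToXml() }
# Get-FailedLogonSummary -EventXml $xml
```

A single workstation name producing regular bursts against several accounts points to a scanner or script; one account failing from many workstations points to a stale stored credential.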
Windows Server 2008

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.