Diagnosing and Resolving Windows Server 2008 R2 4625 Logon Failures with Logon Type 8 (NetworkCleartext)

Windows Server 2008 R2 systems often log large numbers of 4625 logon failure events with Logon Type 8 (NetworkCleartext). These events flood the Security log while providing little actionable information, particularly when the Source Network Address field is empty. A sample event shows:

Logon Type: 8
Account Name: Administrator
Source Network Address: -
Caller Process: svchost.exe

Logon Type 8 means the caller handed the logon process the account's password in cleartext (rather than a hash or a Kerberos ticket), so these failures typically originate from:

  • Legacy applications using NTLM authentication
  • Scheduled tasks configured with cleartext credentials
  • Service accounts with stored credentials
  • Network shares accessed via MapNetworkDrive API
  • SQL Server linked servers with basic authentication

To identify the source process:

# PowerShell script to correlate the caller Process ID of each Logon Type 8 failure with a service
# Note: in event 4625 the Properties[] order puts LogonType at index 10 and the caller ProcessId at index 17
Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    ID      = 4625
} | Where-Object {
    $_.Properties[10].Value -eq 8   # Logon Type 8 (NetworkCleartext)
} | ForEach-Object {
    $procId = [int]$_.Properties[17].Value
    # Win32_Service is available on the PowerShell 2.0 that ships with Server 2008 R2;
    # an svchost.exe PID usually maps to several services, so $service may be an array
    $service = Get-WmiObject Win32_Service | Where-Object { $_.ProcessId -eq $procId }
    [PSCustomObject]@{
        Time        = $_.TimeCreated
        ProcessID   = $procId
        ServiceName = $service.Name
        DisplayName = $service.DisplayName
    }
}

1. Scheduled Tasks: Check which account each task runs as (schtasks prints the field as "Run As User", so search for that exact text):

schtasks /query /fo LIST /v | findstr /i /c:"TaskName" /c:"Run As User"

2. Service Accounts: Audit services with stored credentials:

wmic service get name,startname,pathname | findstr /i "password"

3. NTLM Restrictions: Implement NTLM auditing:

# Registry equivalent of the Group Policy setting
# "Network security: Restrict NTLM: Audit Incoming NTLM Traffic" = Audit all accounts (2)
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" `
    -Name "AuditReceivingNTLMTraffic" -Value 2 -PropertyType DWORD -Force

Enable detailed NTLM logging via registry (the audited NTLM events are written to the Microsoft-Windows-NTLM/Operational log):

# Domain-wide NTLM auditing; this value is read by domain controllers, so set it there
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" /v "AuditNTLMInDomain" /t REG_DWORD /d 7 /f
# Command-line equivalent of the New-ItemProperty call above, for the member server itself
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" /v "AuditReceivingNTLMTraffic" /t REG_DWORD /d 2 /f

Related hardening measures:

  • Implement LSA Protection to prevent credential theft (not available on Server 2008 R2; it requires Server 2012 R2 or later)
  • Configure Restricted Admin mode for RDP (on Server 2008 R2 this requires update KB2871997)
  • Disable NTLMv1 via Group Policy ("Network security: LAN Manager authentication level")
  • Implement SMB signing requirements

For comprehensive monitoring, consider this PowerShell alert script:

# Real-time 4625 monitoring with alerting on Logon Type 8
# Register-WmiEvent takes a WQL query, not an XPath QueryList; this one polls the Security log every 5 s
# (reading Win32_NTLogEvent for the Security log requires an elevated session)
$query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 " +
         "WHERE TargetInstance ISA 'Win32_NTLogEvent' " +
         "AND TargetInstance.LogFile = 'Security' AND TargetInstance.EventCode = 4625"

Register-WmiEvent -Query $query -SourceIdentifier 'Logon4625' -Action {
    $entry = $Event.SourceEventArgs.NewEvent.TargetInstance
    # InsertionStrings follow the 4625 event-data order: [5] TargetUserName, [10] LogonType, [18] ProcessName
    if ($entry.InsertionStrings[10] -eq '8') {
        $msg = "NetworkCleartext logon failure for {0} by {1}" -f $entry.InsertionStrings[5], $entry.InsertionStrings[18]
        # Implement custom alert logic here (Write-EventLog, Send-MailMessage, ...)
        Write-Host $msg
    }
}
# Unregister-Event -SourceIdentifier 'Logon4625' stops the subscription

The repetitive 4625 events with Logon Type 8 indicate authentication attempts using cleartext credentials over the network. The missing Source Network Address suggests these are local system processes rather than remote attempts. Key characteristics from your event sample:

Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Caller Process: svchost.exe (PID 0x4d0)

Service accounts and scheduled tasks frequently trigger these events. Based on the SYSTEM context and the svchost.exe caller, list the services hosted by that svchost instance:

# PowerShell command to identify services running under PID 0x4d0 (an svchost instance usually hosts several)
Get-WmiObject Win32_Service | Where-Object { $_.ProcessId -eq 0x4d0 } | 
Select-Object Name, DisplayName, StartName

NetworkCleartext (Type 8) occurs when:

  • Services attempt NTLM authentication with local accounts
  • Legacy applications use plaintext credentials
  • Group Policy Preferences with stored credentials are processed

# Check scheduled tasks using cleartext credentials
schtasks /query /fo list /v | findstr /i "RunAsUser Password"

# Audit service account configurations
Get-CimInstance -ClassName Win32_Service | 
Where-Object { $_.StartName -match "Administrator" } |
Format-List Name, StartName, State, PathName
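As an added example (not code from the original page), the following enumerates the two local sources named above for these failures: scheduled tasks that run with a stored password and services that run as a named account. It assumes an elevated prompt, and it assumes that the schtasks Logon Mode value "Interactive/Background" identifies tasks configured to run whether the user is logged on or not, i.e. tasks that stored a password.

```powershell
# Added example, not from the original page. Assumes an elevated prompt on the server being investigated.
# Assumption: Logon Mode "Interactive/Background" marks tasks that stored a password.

function Get-StoredCredentialTask {
    # schtasks /fo CSV /v repeats its header row once per task folder; keep the first, drop the rest
    $csv   = schtasks /query /fo CSV /v
    $rows  = @($csv[0]) + @($csv | Where-Object { $_ -notmatch '^"HostName"' })
    $tasks = $rows | ConvertFrom-Csv
    $tasks | Where-Object {
        $_.'Logon Mode'  -eq 'Interactive/Background' -and
        $_.'Run As User' -notmatch '^(SYSTEM|LOCAL SERVICE|NETWORK SERVICE|NT AUTHORITY\\)'
    } | Select-Object TaskName, 'Run As User', 'Logon Mode', 'Last Run Time', 'Last Result'
}

function Get-NamedAccountService {
    # Services whose logon account is a real user rather than a built-in or virtual account
    Get-WmiObject Win32_Service | Where-Object {
        $_.StartName -and $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)'
    } | Select-Object Name, DisplayName, StartName, State, ProcessId, PathName
}

Get-StoredCredentialTask | Format-Table -AutoSize
Get-NamedAccountService  | Format-Table -AutoSize
```

A task with a non-zero Last Result, or a service whose ProcessId matches the caller PID from the 4625 event, is the first place to look for a stale stored password.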

To pull the most recent 4625 entries from the command line when triaging persistent false positives:

# Example: Filter specific event IDs from Security log
wevtutil qe Security /q:"*[System[(EventID=4625)]]" /f:Text /rd:true /c:10

Implementation recommendations:

  • Replace local account dependencies with managed service accounts
  • Audit all services running under SYSTEM context
  • Review Task Scheduler for legacy credential usage

Here's an improved detection script that captures process details:

# PowerShell monitoring script
# Note: for event 4625 the Properties[] order is [5] TargetUserName, [10] LogonType,
# [11] LogonProcessName, [17] ProcessId, [18] ProcessName
$filter = @{
    LogName   = 'Security'
    ID        = 4625
    StartTime = (Get-Date).AddHours(-24)
}

Get-WinEvent -FilterHashtable $filter | Where-Object {
    $_.Properties[10].Value -eq 8 -and 
    $_.Properties[11].Value -match 'Advapi'
} | ForEach-Object {
    $callerPid = [int]$_.Properties[17].Value
    [PSCustomObject]@{
        TimeCreated   = $_.TimeCreated
        TargetUser    = $_.Properties[5].Value
        ProcessID     = $callerPid
        ProcessName   = $_.Properties[18].Value
        # the caller may have exited since the event was logged, so do not fail on a missing PID
        CallerProcess = (Get-Process -Id $callerPid -ErrorAction SilentlyContinue).Path
    }
}
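As an added example (not code from the original page), this script triages the Logon Type 8 failures of the last 24 hours in a way that serves both the correlation script near the top of the page and the detection script above: the XPath filter makes the event log service return only NetworkCleartext failures, every field is read by name from the event XML rather than by Properties[] index, and the SubStatus code is decoded so a stale stored password (0xC000006A) stands out from a deleted or locked account. It assumes an elevated prompt with rights to read the Security log; the SubStatus meanings are the NTSTATUS codes Microsoft documents for event 4625.

```powershell
# Added example, not from the original page. Assumes an elevated prompt that can read the Security log.
# Fields are read by name from the event XML, so the Properties[] index order does not matter here.

$xpath = "*[System[(EventID=4625) and TimeCreated[timediff(@SystemTime) <= 86400000]]" +
         " and EventData[Data[@Name='LogonType']='8']]"

$subStatusText = @{
    '0xc000006a' = 'wrong password (stale stored credential?)'
    '0xc0000064' = 'account does not exist'
    '0xc0000072' = 'account disabled'
    '0xc0000234' = 'account locked out'
    '0xc0000071' = 'password expired'
    '0xc0000193' = 'account expired'
    '0xc000006f' = 'outside permitted logon hours'
    '0xc0000070' = 'workstation restriction'
}

function Get-NetworkCleartextFailure {
    Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue | ForEach-Object {
        $evt  = $_
        $data = @{}
        ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        $sub    = ("$($data['SubStatus'])").ToLower()
        $reason = $subStatusText[$sub]
        if (-not $reason) { $reason = $sub }
        New-Object PSObject -Property @{
            Time          = $evt.TimeCreated
            TargetUser    = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            CallerProcess = $data['ProcessName']
            CallerPid     = [int64]$data['ProcessId']        # logged as hex text, e.g. 0x4d0
            LogonProcess  = $data['LogonProcessName']
            Reason        = $reason
        }
    }
}

# Rank the noisiest account / caller / reason combinations; one line that repeats every few
# minutes usually points straight at the service or task holding a stale credential
Get-NetworkCleartextFailure | Group-Object TargetUser, CallerProcess, Reason |
    Sort-Object Count -Descending |
    Select-Object Count, @{n='LastSeen'; e={ ($_.Group | Sort-Object Time)[-1].Time }}, Name |
    Format-Table -AutoSize
```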