How to Resolve Windows Event ID 4625 Missing Source IP in RDP/SMB Authentication Failures

After a recent security incident involving our Windows Server 2008/2012 R2 environments, we've been vigilant about monitoring authentication failures. The ServerCloak IDDS tool helped block many malicious attempts, but we kept seeing Event ID 4625 logs with empty IP addresses:

<Data Name='IpAddress'>-</Data>
<Data Name='IpPort'>-</Data>

Through firewall log analysis, we confirmed these weren't RDP attempts. The key indicators were:

  • LogonType 3 (Network logon)
  • NTLM authentication via NtLmSsp
  • WorkstationName present but no IP

1. Local System Account Failures:
When services running as SYSTEM account fail authentication

2. SMB/NTLM Relay Attempts:
Attackers using intermediate systems to hide their origin

3. SSH or Other Protocol Attempts:
Non-RDP protocols might not properly log source IPs

1. Enable Detailed NTLM Logging:

reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 /v AuditReceivingNTLMTraffic /t REG_DWORD /d 2 /f

2. Configure Windows Firewall to Log Dropped Packets:

netsh advfirewall set currentprofile logging filename %systemroot%\system32\LogFiles\Firewall\pfirewall.log
netsh advfirewall set currentprofile logging droppedconnections enable

3. PowerShell Script to Correlate Events:

# Get 4625 events and keep those with no Source Network Address.
# Properties[] is positional: [10]=LogonType, [13]=WorkstationName, [19]=IpAddress
$events = Get-WinEvent -FilterHashtable @{
    LogName='Security'
    ID=4625
} | Where-Object {
    $_.Properties[19].Value -eq '-'
}

# Cross-reference with firewall logs (pfirewall.log holds local time; a failed
# NTLM logon arrived over an allowed TCP session, so allowed-connection logging
# must be on as well for a matching line to exist, not only dropped-connection logging)
$fwLog = "$env:SystemRoot\system32\LogFiles\Firewall\pfirewall.log"
$fwLines = Get-Content $fwLog | Where-Object { $_ -and $_ -notmatch '^#' }
foreach ($event in $events) {
    $time = $event.TimeCreated
    $workstation = $event.Properties[13].Value
    # Search firewall logs for TCP/445 entries within +/-5 s of the event
    foreach ($line in $fwLines) {
        $f = $line -split '\s+'   # date time action protocol src-ip dst-ip src-port dst-port ...
        $t = [datetime]"$($f[0]) $($f[1])"
        if ($f[7] -eq '445' -and [math]::Abs(($t - $time).TotalSeconds) -le 5) {
            "{0}  workstation={1}  candidate source={2} ({3})" -f $time, $workstation, $f[4], $f[2]
        }
    }
}

Implement these GPO settings:

  • Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options:
    • "Network security: Restrict NTLM: Audit Incoming NTLM Traffic"
    • "Microsoft network server: Digitally sign communications (always)"

Blank IPs in security events often indicate protocol-level attacks rather than direct brute force attempts. Combining enhanced logging with proper firewall configuration creates defensive layers that make attribution possible even when attackers try to hide their tracks.
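The following is an added example, not code from the post above. It shows two things the post's Properties[19] check does not: a server-side XPath filter so the Security log returns only network-logon 4625 events whose Source Network Address is '-', and by-name parsing of the event XML so that field positions cannot drift between Windows versions. The XPath string, the function and the sample event are this example's own; the sample values are constructed so the function can be exercised offline.

```powershell
# Added example (not from the original post). The XPath filter and the
# parsing function are this example's own; the sample event is constructed.

# XPath accepted by Get-WinEvent -FilterXPath: EventID 4625, network logon (3),
# Source Network Address rendered as '-'
$IpLessNetworkLogonXPath =
  "*[System[EventID=4625] and EventData[Data[@Name='LogonType']='3' and Data[@Name='IpAddress']='-']]"

function ConvertFrom-Event4625Xml {
    param([Parameter(Mandatory)][string]$EventXml)
    $x = [xml]$EventXml
    $d = @{}
    # EventData is a list of <Data Name="...">value</Data>; key by the Name attribute
    foreach ($n in $x.Event.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.InnerText }
    [pscustomobject]@{
        Time        = [datetime]$x.Event.System.TimeCreated.SystemTime  # UTC in XML; the cast yields local time
        TargetUser  = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
        LogonType   = [int]$d['LogonType']
        LogonProc   = $d['LogonProcessName']           # e.g. NtLmSsp
        AuthPackage = $d['AuthenticationPackageName']  # NTLM / Kerberos / Negotiate
        Workstation = $d['WorkstationName']            # client-supplied, not authenticated
        IpAddress   = $d['IpAddress']
        SubStatus   = $d['SubStatus']                  # 0xC000006A bad password, 0xC0000064 unknown user
    }
}

# Live use on a server (needs rights to read the Security log):
#   Get-WinEvent -LogName Security -FilterXPath $IpLessNetworkLogonXPath |
#       ForEach-Object { ConvertFrom-Event4625Xml $_.ToXml() }

# Constructed sample in the shape of a real 4625 event (values invented)
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="2024-05-01T10:15:30.1234567Z"/></System>
  <EventData>
    <Data Name="TargetUserName">backup</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="SubStatus">0xC000006A</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp </Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">WS-TEST01</Data>
    <Data Name="IpAddress">-</Data>
    <Data Name="IpPort">-</Data>
  </EventData>
</Event>
'@

ConvertFrom-Event4625Xml $sampleXml | Format-List
```

The XPath filter is evaluated by the event log service, so a busy server does not have to hand every 4625 record to PowerShell for a client-side Where-Object. The WorkstationName value is whatever the client put in its NTLM authenticate message, which is why the post pairs it with firewall log evidence rather than treating it as the origin.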


When analyzing Windows security logs, Event ID 4625 (failed logon attempts) is crucial for intrusion detection. However, many administrators notice these events often lack source IP information:

<Data Name='IpAddress'>-</Data>
<Data Name='IpPort'>-</Data>

This creates a significant security blind spot where you can detect failed attempts but can't block the origin.

Several scenarios can produce IP-less 4625 events:

  • NTLM authentication over SMB (port 445)
  • Local authentication attempts
  • Kerberos pre-authentication failures
  • SSH or other non-RDP protocols

Combine these techniques to improve visibility:

# PowerShell to filter 4625 events with missing IPs
# (Properties[] is positional: [10]=LogonType, [19]=IpAddress)
Get-WinEvent -FilterHashtable @{
    LogName='Security'
    ID=4625
} | Where-Object {
    $_.Properties[19].Value -eq '-' -and
    $_.Properties[10].Value -eq 3      # 3 = network logon
} | Select-Object TimeCreated,Message

When IPs are unavailable, implement these compensating controls:

# Windows Firewall rule to block NTLM from untrusted subnets
netsh advfirewall firewall add rule name="Block NTLM Untrusted" dir=in action=block protocol=TCP localport=445 remoteip=192.168.0.0/16,10.0.0.0/8,172.16.0.0/12 program="System"

Enable additional auditing policies via GPO:

  1. Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy
  2. Audit Policy > Logon/Logoff > Audit Logon -> "Configure Failure"
  3. Enable "Audit Kerberos Authentication Service"

Tool                 IP Capture   Protocol Coverage
Windows Event Log    Partial      RDP/SMB/Kerberos
Firewall Logs        Complete     Network layer only
Third-party IDS      Complete     All protocols

Here's how we implemented defense in depth for similar environments:

# Batch script to parse and alert on anonymous attempts
@echo off
rem wevtutil /f:text renders the message, whose "Workstation Name:" line holds the
rem name as the third whitespace-separated token (or "-" when absent)
for /f "tokens=3" %%a in ('wevtutil qe Security /q:"*[System[(EventID=4625)]]" /f:text /rd:true /c:1 ^| find "Workstation Name:"') do (
    if "%%a" NEQ "-" (
        echo %date% %time% - Anonymous attempt from workstation %%a >> C:\Security\AnonymousAttempts.log
        rem Send-MailMessage requires -From and -SmtpServer; sender@domain.com and SMTP_SERVER_PLACEHOLDER are placeholders
        powershell -Command "Send-MailMessage -From sender@domain.com -To admin@domain.com -SmtpServer SMTP_SERVER_PLACEHOLDER -Subject 'Anonymous login attempt' -Body 'Workstation: %%a'"
    )
)
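The following is an added example, not code from either post. It replaces the batch script's single "Workstation Name" check with a triage of IP-less 4625 events into the buckets the two posts list (local SYSTEM/service callers, NTLM network logons, Kerberos, other protocols), then flags bursts per workstation so an alert fires on a pattern rather than on every single event. The classification rules are this example's own heuristics, not a Microsoft-defined mapping; the events are constructed objects carrying the 4625 field names, with invented values.

```powershell
# Added example (not from either post). Triage rules and burst detection are
# this example's own; the event objects below are constructed.

function Get-IpLess4625Category {
    param([pscustomobject]$E)
    if ($E.IpAddress -ne '-')             { return 'has source address' }
    if ($E.SubjectUserSid -eq 'S-1-5-18') { return 'local SYSTEM/service caller' }   # SYSTEM initiated the logon
    if ($E.LogonType -eq 3 -and $E.AuthPackage -eq 'NTLM') {
        if ($E.Workstation -eq '-') { return 'NTLM network logon, no workstation name' }
        return 'NTLM network logon (SMB/relay candidate)'
    }
    if ($E.AuthPackage -eq 'Kerberos')    { return 'Kerberos failure' }
    return 'other protocol / unknown'
}

function Get-WorkstationBursts {
    # One record per workstation whose IP-less failures reach $Threshold
    # inside any sliding window of $WindowMinutes
    param($Events, [int]$Threshold = 5, [int]$WindowMinutes = 10)
    $Events | Where-Object { $_.IpAddress -eq '-' } | Group-Object Workstation | ForEach-Object {
        $ws = $_.Name
        $sorted = @($_.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].Time
            $end = $start.AddMinutes($WindowMinutes)
            $n = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -lt $end }).Count
            if ($n -ge $Threshold) {
                [pscustomobject]@{
                    Workstation = $ws; WindowStart = $start; Failures = $n
                    Users = ($sorted | Select-Object -ExpandProperty TargetUser -Unique) -join ','
                }
                break   # report the first qualifying window per workstation
            }
        }
    }
}

# Constructed sample: six NTLM failures from one workstation in 2.5 minutes, plus noise
$base = [datetime]'2024-05-01 10:00:00'
$events = @(
    0..5 | ForEach-Object {
        [pscustomobject]@{ Time = $base.AddSeconds(30 * $_); TargetUser = "CORP\user$_"; SubjectUserSid = 'S-1-0-0'
                           LogonType = 3; AuthPackage = 'NTLM'; Workstation = 'WS-TEST01'; IpAddress = '-' }
    }
    [pscustomobject]@{ Time = $base.AddMinutes(1); TargetUser = 'CORP\svc-backup'; SubjectUserSid = 'S-1-5-18'
                       LogonType = 5; AuthPackage = 'Negotiate'; Workstation = 'SRV01'; IpAddress = '-' }
    [pscustomobject]@{ Time = $base.AddMinutes(2); TargetUser = 'CORP\alice'; SubjectUserSid = 'S-1-0-0'
                       LogonType = 10; AuthPackage = 'Negotiate'; Workstation = 'LAPTOP7'; IpAddress = '203.0.113.9' }
)

# Category counts: 6 NTLM network logons, 1 SYSTEM caller, 1 event with a real address
$events | Group-Object { Get-IpLess4625Category $_ } | Select-Object Count, Name

# Burst report: WS-TEST01 with 6 failures; SRV01 stays below the threshold
foreach ($b in Get-WorkstationBursts -Events $events -Threshold 5 -WindowMinutes 10) {
    $body = "Workstation $($b.Workstation): $($b.Failures) IP-less failures from $($b.WindowStart) (users: $($b.Users))"
    $body   # when deploying, hand $body to Send-MailMessage with -From/-To/-SmtpServer set for your site
}
```

Running this against live data means feeding Get-WorkstationBursts the objects produced from Get-WinEvent instead of the constructed array; the SubjectUserSid check is what separates the post's "services running as SYSTEM" case from a remote NTLM attempt, since both arrive with a blank IpAddress.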