
I have an application running on a domain-joined Windows Server 2019 server called AppSrv that writes images out to a non-domain DMZ Windows Server 2019 server called WebSrv. A drive is shared from WebSrv as drive Z: on AppSrv. The application then just saves the images out to Z:\Some\Folder\Structure\Image.jpg. The files are being saved correctly, but if I look in the event log of WebSrv, I can see the following events when the images are saved OK:

Audit Success 4776 Credential Validation:

The computer attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:  Tally
Source Workstation: AppSrv
Error Code: 0x0

Audit Success 4624 Logon:

An account was successfully logged on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Logon Information:
    Logon Type:     3
    Restricted Admin Mode:  -
    Virtual Account:        No
    Elevated Token:     No

Impersonation Level:        Impersonation

New Logon:
    Security ID:        WEBSRV\Tally
    Account Name:       Tally
    Account Domain:     WEBSRV
    Logon ID:       0xA0A0A0A0
    Linked Logon ID:        0x0
    Network Account Name:   -
    Network Account Domain: -
    Logon GUID:     {00000000-0000-0000-0000-000000000000}

Process Information:
    Process ID:     0x0
    Process Name:       -

Network Information:
    Workstation Name:   AppSrv
    Source Network Address: 192.168.1.7
    Source Port:        56594

Detailed Authentication Information:
    Logon Process:      NtLmSsp 
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only):   NTLM V2
    Key Length:     128

But then there are also a bunch of these types of messages:

Audit Failure 4625 Logon:

An account failed to log on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Logon Type:         3

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       APPSRV$
    Account Domain:     DOMAIN

Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:         0xC000006D
    Sub Status:     0xC0000064

Process Information:
    Caller Process ID:  0x0
    Caller Process Name:    -

Network Information:
    Workstation Name:   AppSrv
    Source Network Address: 192.168.1.7
    Source Port:        56600

Detailed Authentication Information:
    Logon Process:      NtLmSsp 
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0

They occur both before and after the successful login and they occur a lot. Obviously the AppSrv computer account is not valid on a non-domain-joined server, so I can see why the login attempts are failing. Why is AppSrv trying to log in to WebSrv so much with its computer account, though?

As the image save is working, this wouldn't be a big deal except that this is causing Brute Force Attempt errors on my firewall.

Caynadian
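
An added example, not part of the original post: a Python triage of rendered 4625 messages that separates failures where the named account does not exist on the target (Sub Status 0xC0000064, as in the APPSRV$ events above) from wrong-password failures (0xC000006A). The sample events are constructed, and the function names and labels are hypothetical.

```python
import re
from collections import Counter

# Constructed samples in the layout of a rendered 4625 message. The first
# repeats fields of the event in the post; the second is invented.
POST_EVENT = """Logon Type:         3
Account For Which Logon Failed:
    Account Name:       APPSRV$
Failure Information:
    Status:         0xC000006D
    Sub Status:     0xC0000064
    Source Network Address: 192.168.1.7
"""
GUESS_EVENT = (POST_EVENT.replace("APPSRV$", "Administrator")
               .replace("0xC0000064", "0xC000006A")
               .replace("192.168.1.7", "203.0.113.50"))

def parse_4625(text):
    """Extract the triage fields from one rendered 4625 message."""
    def field(pattern):
        m = re.search(pattern, text, re.S | re.I)
        return m.group(1) if m else ""
    return {
        "account": field(r"Account For Which Logon Failed:.*?Account Name:\s*(\S+)"),
        "sub_status": field(r"Sub Status:\s*(0x[0-9a-f]+)").lower(),
        "logon_type": field(r"Logon Type:\s*(\d+)"),
        "source": field(r"Source Network Address:\s*(\S+)"),
    }

def classify(ev):
    """Label a failure by account kind and NTSTATUS sub status."""
    if ev["sub_status"] == "0xc0000064":      # STATUS_NO_SUCH_USER
        if ev["account"].endswith("$") and ev["logon_type"] == "3":
            return "unknown-machine-account"  # computer account, network logon
        return "unknown-user"
    if ev["sub_status"] == "0xc000006a":      # STATUS_WRONG_PASSWORD
        return "wrong-password"
    return "other"

def summarize(messages):
    """Count failures per (source address, account, label)."""
    counts = Counter()
    for ev in map(parse_4625, messages):
        counts[(ev["source"], ev["account"], classify(ev))] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize([POST_EVENT] * 3 + [GUESS_EVENT]).items():
        print(n, *key)
```

Grouping by source, account and label shows whether the failure volume comes from one known host presenting one machine account or from varied accounts and passwords.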