
Windows Server Failed Logons
Overview
Email alerts were set up so that any failed logon attempt on any server would generate an email notification. Soon after, large numbers of emails started arriving warning of Audit Failure Event ID 4625 for one particular server, which was acting as RD Gateway, RD Web Access and RD Connection Broker.
On investigation it did not look like a credible threat: the account name in the failed logons was the name of the server itself (its machine account), and the entries looked something like this (account name and domain removed for security reasons):

Groups of these failures were being logged every few minutes. Removing Event ID 4625 from the filter and browsing to one of the failures showed that, much of the time, the entry immediately preceding it was "A logon was attempted using explicit credentials" (Event ID 4648) carrying the following process information:
Process Information:
Process ID: 0x18e8
Process Name: C:\Windows\System32\tssdis.exe
This executable belongs to the Remote Desktop Connection Broker service (service name Tssdis).
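Before tuning the alert away it is worth confirming that every 4625 on the host really does fit this pattern (machine account, preceded by a 4648 from tssdis.exe) rather than suppressing all failed logons from that server. The following PowerShell is an added example, not code from the original post: it reads recent 4625 and 4648 events from the local Security log, pairs each failure with the explicit-credential logon logged just before it (the same pairing done by hand above), and flags the ones that match the Connection Broker pattern. The `-MaxEvents` value and the column names in the report are choices made here, not anything from the page.

```powershell
# Added example (not from the original post): triage 4625 noise on an
# RD Connection Broker host by pairing each 4625 with the 4648 logged just before it.
# Run locally in an elevated session; reading the Security log needs admin rights.

$computerAccount = "$env:COMPUTERNAME`$"   # machine accounts end with '$'

# Pull recent Security-log events of both IDs, oldest first so "preceding" is meaningful.
# 2000 is an arbitrary window chosen for this example.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4648 } -MaxEvents 2000 |
    Sort-Object TimeCreated

# Helper: turn the EventData XML of an event into a name -> value hashtable.
function ConvertTo-EventDataHashtable {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

$previous4648 = $null
$report = foreach ($e in $events) {
    $data = ConvertTo-EventDataHashtable -Event $e

    if ($e.Id -eq 4648) {
        # Remember the most recent explicit-credential logon; it is the candidate
        # "preceding entry" for the next 4625.
        $previous4648 = $data
        continue
    }

    # 4625: benign only if it is the machine account AND the preceding 4648 came from tssdis.exe.
    $fromBroker = ($null -ne $previous4648) -and ($previous4648.ProcessName -like '*\tssdis.exe')
    $benign     = ($data.TargetUserName -eq $computerAccount) -and $fromBroker

    [pscustomobject]@{
        Time          = $e.TimeCreated
        Account       = "$($data.TargetDomainName)\$($data.TargetUserName)"
        LogonType     = $data.LogonType
        Status        = $data.Status
        SubStatus     = $data.SubStatus
        SourceIP      = $data.IpAddress
        PrecedingProc = $previous4648.ProcessName
        LikelyBroker  = $benign
    }
}

$report | Format-Table -AutoSize

# Anything left with LikelyBroker = False is a failed logon this explanation does not cover
# and should be investigated on its own merits.
$report | Where-Object { -not $_.LikelyBroker }
```

The pairing is by log order, exactly as the manual investigation above did it, so on a busy host an unrelated 4648 can slip in between; treat `LikelyBroker` as a triage hint, and look at the `Status`/`SubStatus` codes and `SourceIP` for anything it does not flag.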
It appears that, over time, this service may start failing authentication after the machine's account password has been changed. The simple fix is to restart the service. While it is stopped, new connections are refused, but active connections are not disconnected; since the restart is near-instant, this was not viewed as a problem.
By default, computer accounts change their password every 30 days, and Netlogon records the change in the System log with Event ID 5823. One way to fix the issue permanently is to create a scheduled task that is triggered by Event ID 5823 and restarts the Remote Desktop Connection Broker service as its action.
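The scheduled task described above can be registered from PowerShell. The script below is an added example and not the original post's own configuration: it builds an event trigger for System-log event 5823 from the NETLOGON provider (the `New-ScheduledTaskTrigger` cmdlet has no event-trigger option, so the trigger is created as a `MSFT_TaskEventTrigger` CIM instance), attaches an action that runs `Restart-Service -Name Tssdis`, and registers the task to run as SYSTEM. The task name, the five-minute execution limit and the description text are choices made for this example.

```powershell
# Added example (not from the original post): register a scheduled task that restarts
# the RD Connection Broker service (service name Tssdis) whenever Netlogon logs
# event 5823 (machine account password changed) in the System log.
# Run in an elevated PowerShell session on the Connection Broker host.

$taskName = 'Restart-RDConnectionBroker-OnMachinePasswordChange'   # assumed name

# Event-log subscription in the same XPath form Task Scheduler uses for
# "On an event" triggers: System log, provider NETLOGON, event ID 5823.
$subscription = @"
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[Provider[@Name='NETLOGON'] and EventID=5823]]</Select>
  </Query>
</QueryList>
"@

# New-ScheduledTaskTrigger cannot build event triggers, so create one via CIM.
$triggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger `
                             -Namespace 'Root/Microsoft/Windows/TaskScheduler'
$trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
$trigger.Subscription = $subscription
$trigger.Enabled      = $true

# Action: restart the broker service. -Force also restarts anything that depends on it.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument '-NoProfile -NonInteractive -ExecutionPolicy Bypass -Command "Restart-Service -Name Tssdis -Force"'

# Run as SYSTEM with highest privileges; no interactive user is needed.
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

# Ignore overlapping triggers and cap the run time so a hung restart cannot pile up.
$settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 5)

Register-ScheduledTask -TaskName $taskName -Trigger $trigger -Action $action `
    -Principal $principal -Settings $settings `
    -Description 'Restart RD Connection Broker after the machine account password changes (event 5823).' `
    -Force | Out-Null

# Verify what was registered: the trigger should show the 5823 subscription.
(Get-ScheduledTask -TaskName $taskName).Triggers | Select-Object Enabled, Subscription

# Verify the target service exists on this host before relying on the task.
Get-Service -Name Tssdis | Select-Object Name, DisplayName, Status
```

To test without waiting up to 30 days for the next password change, run `Start-ScheduledTask -TaskName $taskName` during a quiet period and confirm with `Get-Service -Name Tssdis` that the service came back, then check the Security log for the 4625/4648 pairs stopping. The task only restarts the service; it does not alter the machine account password schedule.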