How to capture the IP Address in Event ID 4625

Server Cloak still works when Event ID 4625 fails to capture the source IP address, because it also monitors the log from the RemoteDesktopServices Core. I've tested this on Server 2012, 2012 R2 and Server 2016. It is possible and secure to use Server Cloak with NTLM enabled and with an encrypted connection.

The issue:
When using other intrusion detection systems such as Cyberarms IDDS or Syspeace on Microsoft servers, the Remote Desktop connection can be used with or without NTLM. The point is that you won't be able to capture failed login attempts with their source IP address while using secure NTLM or NTLMv2. Apparently this is a known bug in NTLM authentication and Microsoft has not fixed it to date.

The solution for other intrusion detection systems is to use User32 as the logon process instead of NTLM. This works well with Windows Server 2008 R2 and newer Windows Servers; I've tested it up to Windows Server 2016.

Workaround: for other intrusion detection systems, change the settings below to switch from NTLM to the User32 logon process. The steps to set up the User32 logon process are mostly the same across Windows client and server versions.

System Properties -> Remote ->
* Select Allow Remote Connections to this computer
* Do not select Allow connections only from computers running Remote Desktop with Network Level Authentication

Security Policy (secpol.msc) -> Local Policies -> Security Options
* Network security: Restrict NTLM: Incoming NTLM traffic -> Deny all accounts
* Network security: Restrict NTLM: NTLM authentication in this domain -> Deny all
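As an added example (not Server Cloak's own code, and not from Cyberarms or Syspeace), the script below covers both points above: it lists failed logons from Security Event ID 4625 with their logon process and source IP, falls back to the RemoteDesktopServices RdpCoreTS operational log when 4625 carries no IP (the NTLM/NLA case), and reads the three settings the workaround changes. It assumes RdpCoreTS event 140 names the rejected client's IPv4 address in its message, a 5-second correlation window, and the registry values commonly backing the GUI and secpol entries above; run it in an elevated PowerShell on the server.

```powershell
# Added example, not Server Cloak's own code. Run in an elevated PowerShell on the server.
# Part 1: failed logons (Security 4625) with logon process and source IP. When 4625 has
# no IP (IpAddress is '-'), correlate with RdpCoreTS event 140, which records the client
# IP of a rejected Remote Desktop credential (assumed: the IPv4 address is in the message).
function Get-FailedLogonSource {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    $failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue
    $rdpEvents = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'; Id = 140; StartTime = $since
    } -ErrorAction SilentlyContinue
    foreach ($e in $failed) {
        # Flatten the EventData <Data Name="..."> nodes into a hashtable
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $ip = $d['IpAddress']; $from = 'Security 4625'
        if (-not $ip -or $ip -eq '-') {
            # No IP in 4625: take the nearest RdpCoreTS 140 within 5 seconds (assumed window)
            $m = $rdpEvents | Where-Object { [math]::Abs(($_.TimeCreated - $e.TimeCreated).TotalSeconds) -le 5 } | Select-Object -First 1
            if ($m -and $m.Message -match '(\d{1,3}\.){3}\d{1,3}') { $ip = $Matches[0]; $from = 'RdpCoreTS 140' }
        }
        [pscustomobject]@{
            Time = $e.TimeCreated; User = $d['TargetUserName']; LogonProcess = $d['LogonProcessName']
            AuthPackage = $d['AuthenticationPackageName']; SourceIP = $ip; IpFrom = $from
        }
    }
}

# Part 2: read the three settings the workaround changes. Registry names are assumed to
# back the GUI/secpol entries: NLA off, Incoming NTLM = Deny all accounts, NTLM in domain = Deny all.
function Test-User32LogonSettings {
    $rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -ErrorAction SilentlyContinue
    $msv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
    $nl  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NlaDisabled        = ($rdp.UserAuthentication -eq 0)            # 0 = NLA not required
        IncomingNtlmDenied = ($msv.RestrictReceivingNTLMTraffic -eq 2)  # 2 = Deny all accounts
        DomainNtlmDenied   = ($nl.RestrictNTLMInDomain -eq 7)           # 7 = Deny all; value is absent when the policy is unset
    }
}

Get-FailedLogonSource -Hours 24 | Format-Table -AutoSize
Test-User32LogonSettings
```

A row whose LogonProcess is NtLmSsp with SourceIP '-' and no RdpCoreTS match is exactly the gap the article describes; rows showing User32 carry the IP in 4625 itself.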


Note: User32 is not a recommended method, as it is not secured or encrypted; disabling Network Level Authentication exposes the server's logon screen before the client has authenticated.