Tracking Failed Logins

Posted on 2004-09-14
Last Modified: 2010-04-14
I need to track failed logins on a Terminal Server, any suggestions?
Question by:JoshDale
 
LVL 8

Expert Comment

by:RevelationCS
ID: 12055920
failed logons should be logged underneath the Event Viewer > Security provided you have enabled that logging feature.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12055937
Auditing and Intrusion Detection
http://www.microsoft.com/technet/security/prodtech/win2000/secwin2k/09detect.mspx

check the section on auditing.
0
 

Author Comment

by:JoshDale
ID: 12055941
it should have, but in testing it, I don't see any of the failed logins. Also I created a group policy to lock the users account after 5 failed attempts, and it doesn't do that either. Am I missing something?
0
 
LVL 8

Expert Comment

by:RevelationCS
ID: 12055946
to further clarify, it would show as a "failed audit" under the Security panel of the Event Viewer....
0
 

Author Comment

by:JoshDale
ID: 12056021
yea, it doesn't show any failed audits
0
 

Author Comment

by:JoshDale
ID: 12056029
It did show when a password expired but not my failed login attempts.
0
 
LVL 8

Expert Comment

by:RevelationCS
ID: 12056644
highlight Security
Click Action > Properties > Filter and make sure "Failed Audits" is checked
0
 

Author Comment

by:JoshDale
ID: 12056861
Yup, Failure Audit is checked.
0
 
LVL 8

Expert Comment

by:RevelationCS
ID: 12057014
are you sure you are looking at the correct machine? I tested this on several of my servers (all running TS) and had no issues with it...

also, try checking under the GPO Policy and making sure that under Windows Configuration that your Audit and Security Policies are correct
0
 
LVL 8

Accepted Solution

by:
RevelationCS earned 2000 total points
ID: 12057044
most importantly:

Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policies

Edit Audit Logon Events and Audit Account Logon Events to audit successes and failures (double click on both policies to edit)
0
 

Author Comment

by:JoshDale
ID: 12057120
Yea, they are all set to success and failure but I forgot one thing, Active Directory is overriding my local policies, so I am going to check there really fast.
0
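
An added example, not part of the original thread: it checks whether failure auditing is actually in effect once domain GPOs have overridden the Local Computer Policy, then summarizes failed logons. It assumes Windows Server 2008 or later, an elevated PowerShell session, and English subcategory names; the thread itself predates PowerShell and event ID 4625.

```powershell
# Added example. Assumptions: Windows Server 2008+, elevated session, English OS.
# "Logon" rolls up into the GUI's "Audit logon events";
# "Credential Validation" rolls up into "Audit account logon events".
$wanted = 'Logon', 'Credential Validation'

# auditpol /r prints the effective audit policy as CSV, i.e. what is in force
# after domain GPOs have been applied on top of the local policy.
auditpol /get /category:* /r |
    Where-Object { $_ } |                       # drop blank lines before parsing
    ConvertFrom-Csv |
    Where-Object { $wanted -contains $_.Subcategory } |
    ForEach-Object {
        $failureOn = $_.'Inclusion Setting' -match 'Failure'
        '{0,-24} {1,-22} failure audited: {2}' -f `
            $_.Subcategory, $_.'Inclusion Setting', $failureOn
    }

# List the GPOs applied to this computer, to find the one that wins.
gpresult /r /scope computer

# Summarize failed logons (event ID 4625) from the last 24 hours.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = $since
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the named EventData fields into a hashtable.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $data['TargetUserName']
            # 10 = RemoteInteractive (Terminal Services); with Network Level
            # Authentication, failures are typically logged as type 3 instead.
            LogonType = $data['LogonType']
            Source    = $data['IpAddress']
        }
    } |
    Group-Object User, LogonType, Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

If the first step reports "No Auditing" or "Success" only, no failure events will be written regardless of what the Local Computer Policy editor shows.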
 
LVL 8

Expert Comment

by:RevelationCS
ID: 12057142
that is most likely where the issue is at then... one minor detail there on the type of environment you have ;)
0
 

Author Comment

by:JoshDale
ID: 12057255
Yea, I just took over the network from another company, and I don't know everything but I know they butchered this network. Now I have to go through and figure everything out.

Thanks for the help
0
 
LVL 8

Expert Comment

by:RevelationCS
ID: 12057441
glad to have helped.. feel free to come back if you have any other questions....
0
 

Author Comment

by:JoshDale
ID: 12057469
Thanks.
0
 

Author Comment

by:JoshDale
ID: 12057479
Hey, you got any suggestions for good books on securing active directory, or doing security through active directory?
0
 
LVL 8

Expert Comment

by:RevelationCS
ID: 12057542
Best recommendation would be to use www.microsoft.com as they would be the most knowledgeable on the topic ;)
0
 

Author Comment

by:JoshDale
ID: 12057664
0
 
LVL 8

Expert Comment

by:RevelationCS
ID: 12057738
same site ;)

with the first link, however, you can do a more expansive search that would include the Knowledge Base and other areas that might not be included with the "Security" section... Hope it helps though... otherwise, try taking a look at www.amazon.com and seeing which books come up for Active Directory
0
 

Author Comment

by:JoshDale
ID: 12057799
Yea, thanks for the help dude.
0
 
LVL 8

Expert Comment

by:RevelationCS
ID: 12057847
np... always a pleasure to be able to assist here...
0
