Tracking Failed Logins

I need to track failed logins on a Terminal Server, any suggestions?
JoshDaleAsked:
Who is Participating?
 
RevelationCSConnect With a Mentor Commented:
most importantly:

Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policies

Edit Audit Logon Events and Audit Account Logon Events to audit successes and failures (double click on both policies to edit)
0
 
RevelationCSCommented:
failed logons should be logged underneath the Event Viewer > Security provided you have enabled that logging feature.
0
 
Yan_westCommented:
Auditing and Intrusion Detection
http://www.microsoft.com/technet/security/prodtech/win2000/secwin2k/09detect.mspx

check the section on auditing.
0
Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

 
JoshDaleAuthor Commented:
it should have, but in testing it, I don't see any of the failed logins. Also I created a group policy to lock the users account after 5 failed attempts, and it doesn't do that either. Am I missing something?
0
 
RevelationCSCommented:
to further clairify, it would show as a "failed audit" under the Security panel of the Event Viewer....
0
 
JoshDaleAuthor Commented:
yea, it doesn't show any failed audits
0
 
JoshDaleAuthor Commented:
It did show when a password expired but not my failed login attempts.
0
 
RevelationCSCommented:
highlight Security
Click Action > Properties > Filter and make sure "Failed Audits" is checked
0
 
JoshDaleAuthor Commented:
Yup, Failure Audit is checked.
0
 
RevelationCSCommented:
are you sure you are looking at the correct machine? I tested this on several of my servers (all running TS) and had no issues with it...

also, try checking under the GPO Policy and making sure that under Windows Configuration that your Audit and Security Policies are correct
0
 
JoshDaleAuthor Commented:
Yea, they are all set to sucess and failure but I forgot one thing, Active Directory is overriding my local policies, so I am going to check there really fast.
0
 
RevelationCSCommented:
that is most likely where the issue is at then... one minor detail there on the type of environment you have ;)
0
 
JoshDaleAuthor Commented:
Yea, I just took over the network from another company, and I don't know everything but I know they butchered this network. Now I have to go through and figure everything out.

Thanks for the help
0
 
RevelationCSCommented:
glad to have helped.. feel free to come back if you have any other questions....
0
 
JoshDaleAuthor Commented:
Thanks.
0
 
JoshDaleAuthor Commented:
Hey, you got any suggestions for good books on securing active directory, or doing security through active directory?
0
 
RevelationCSCommented:
Best recommendation would be to use www.microsoft.com as they would be the most knowledgable on the topic ;)
0
 
JoshDaleAuthor Commented:
0
 
RevelationCSCommented:
same site ;)

with the first link, however, you can do a more expansive search that would include the Knowledge Base and other areas that might not be included with the "Security" section... Hope it helps though... otherwise, try taking a look at www.amazon.com and seeing which books come up for Active Directory
0
 
JoshDaleAuthor Commented:
Yea, thanks for the help dude.
0
 
RevelationCSCommented:
np... always a pleasure to be able to assist here...
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.