Solved

Tracking Failed Logins

Posted on 2004-09-14
21
237 Views
Last Modified: 2010-04-14
I need to track failed logins on a Terminal Server, any suggestions?
0
Comment
Question by:JoshDale
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 10
  • 10
21 Comments
 
LVL 8

Expert Comment

by:RevelationCS
ID: 12055920
failed logons should be logged underneath the Event Viewer > Security provided you have enabled that logging feature.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12055937
Auditing and Intrusion Detection
http://www.microsoft.com/technet/security/prodtech/win2000/secwin2k/09detect.mspx

check the section on auditing.
0
 

Author Comment

by:JoshDale
ID: 12055941
it should have, but in testing it, I don't see any of the failed logins. Also I created a group policy to lock the users account after 5 failed attempts, and it doesn't do that either. Am I missing something?
0
Free eBook: Backup on AWS

Everything you need to know about backup and disaster recovery with AWS, for FREE!

 
LVL 8

Expert Comment

by:RevelationCS
ID: 12055946
to further clairify, it would show as a "failed audit" under the Security panel of the Event Viewer....
0
 

Author Comment

by:JoshDale
ID: 12056021
yea, it doesn't show any failed audits
0
 

Author Comment

by:JoshDale
ID: 12056029
It did show when a password expired but not my failed login attempts.
0
 
LVL 8

Expert Comment

by:RevelationCS
ID: 12056644
highlight Security
Click Action > Properties > Filter and make sure "Failed Audits" is checked
0
 

Author Comment

by:JoshDale
ID: 12056861
Yup, Failure Audit is checked.
0
 
LVL 8

Expert Comment

by:RevelationCS
ID: 12057014
are you sure you are looking at the correct machine? I tested this on several of my servers (all running TS) and had no issues with it...

also, try checking under the GPO Policy and making sure that under Windows Configuration that your Audit and Security Policies are correct
0
 
LVL 8

Accepted Solution

by:
RevelationCS earned 500 total points
ID: 12057044
most importantly:

Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policies

Edit Audit Logon Events and Audit Account Logon Events to audit successes and failures (double click on both policies to edit)
0
 

Author Comment

by:JoshDale
ID: 12057120
Yea, they are all set to sucess and failure but I forgot one thing, Active Directory is overriding my local policies, so I am going to check there really fast.
0
 
LVL 8

Expert Comment

by:RevelationCS
ID: 12057142
that is most likely where the issue is at then... one minor detail there on the type of environment you have ;)
0
 

Author Comment

by:JoshDale
ID: 12057255
Yea, I just took over the network from another company, and I don't know everything but I know they butchered this network. Now I have to go through and figure everything out.

Thanks for the help
0
 
LVL 8

Expert Comment

by:RevelationCS
ID: 12057441
glad to have helped.. feel free to come back if you have any other questions....
0
 

Author Comment

by:JoshDale
ID: 12057469
Thanks.
0
 

Author Comment

by:JoshDale
ID: 12057479
Hey, you got any suggestions for good books on securing active directory, or doing security through active directory?
0
 
LVL 8

Expert Comment

by:RevelationCS
ID: 12057542
Best recommendation would be to use www.microsoft.com as they would be the most knowledgable on the topic ;)
0
 

Author Comment

by:JoshDale
ID: 12057664
0
 
LVL 8

Expert Comment

by:RevelationCS
ID: 12057738
same site ;)

with the first link, however, you can do a more expansive search that would include the Knowledge Base and other areas that might not be included with the "Security" section... Hope it helps though... otherwise, try taking a look at www.amazon.com and seeing which books come up for Active Directory
0
 

Author Comment

by:JoshDale
ID: 12057799
Yea, thanks for the help dude.
0
 
LVL 8

Expert Comment

by:RevelationCS
ID: 12057847
np... always a pleasure to be able to assist here...
0

Featured Post

[Webinar] Learn How Hackers Steal Your Credentials

Do You Know How Hackers Steal Your Credentials? Join us and Skyport Systems to learn how hackers steal your credentials and why Active Directory must be secure to stop them. Thursday, July 13, 2017 10:00 A.M. PDT

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Resolving an irritating Remote Desktop connection that stops your saved credentials from being used.
This is a high-level webinar that covers the history of enterprise open source database use. It addresses both the advantages companies see in using open source database technologies, as well as the fears and reservations they might have. In this…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question