Solved

How do you audit RDP / Terminal Server hacking attempts in Windows 2008

Posted on 2010-09-22
Last Modified: 2012-05-10
I've deliberately tried 'hacking' one of the Windows 2008 servers in our organization with an incorrect password, but never see any indication in the event log. Has this been removed? Is there a new and improved way of doing this with Windows 2008 server?
Question by:stonenajem
6 Comments
 
LVL 21

Expert Comment

by:chapmanjw
ID: 33740335
You could do this by enforcing a lockout policy (meaning after like 3 attempts they get locked for 15 minutes).  The process of getting locked out would be in the Windows Event Log under security.
0
 

Author Comment

by:stonenajem
ID: 33740350
Thanks, but my question specifically is about how these events are logged now.
0
 
LVL 20

Expert Comment

by:wolfcamel
ID: 33740383
The password attempts should still be in the security event log.
0

Author Comment

by:stonenajem
ID: 33740390
That's my issue.  They appear if I use something other than administrator, but not if the administrator account is attempted.
0
 

Author Comment

by:stonenajem
ID: 33740405
Wolf - if you have a Windows 2008 server, would you do me a favor?  Make ~10 attempts from outside your network to RDP using the administrative account and a wrong password.  Cut and paste the log entries here.  I'm going to try to do a reasonable comparison of what you're showing to what I'm showing.
0
 

Accepted Solution

by:
stonenajem earned 0 total points
ID: 33749717
This appears to be related to IP6, and will display audit failure messages only if attempted from outside the network.  Not sure why, and not going to pursue the question further.
0
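
For comparing what two servers record, as requested in the thread, the following is an added example and not code posted by any participant. It assumes event ID 4625 (the failed-logon event on Windows Server 2008), PowerShell 2.0 or later run elevated on the server, and a sample account name of `Administrator`; it lists each failure with its logon type and whether the source address is IPv4 or IPv6.

```powershell
# Added example: list failed logons (event 4625) for one account from the Security log.
# $Account and $Hours are assumed sample values; adjust to the account and window tested.
param(
    [string]$Account = 'Administrator',
    [int]$Hours = 24
)

# Failure auditing must be enabled for the Logon subcategory or no 4625 is written.
auditpol /get /subcategory:"Logon"

$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }

$failures = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Turn the event's EventData name/value pairs into a lookup table.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }

        # Classify the source address; the field can be empty or '-' for some logons.
        $ip = $data['IpAddress']
        $family = 'none'
        $parsed = $null
        if ($ip -and [System.Net.IPAddress]::TryParse($ip, [ref]$parsed)) {
            $family = $parsed.AddressFamily   # InterNetwork = IPv4, InterNetworkV6 = IPv6
        }

        # LogonType 10 = RemoteInteractive; RDP with Network Level Authentication
        # is recorded as 3 (Network), so do not filter on 10 alone.
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            Account   = $data['TargetUserName']
            LogonType = $data['LogonType']
            Source    = $ip
            Family    = $family
        }
    } | Where-Object { $_.Account -eq $Account }

# Chronological detail, then a per-source summary for side-by-side comparison.
$failures | Sort-Object Time |
    Format-Table Time, Account, LogonType, Source, Family -AutoSize
$failures | Group-Object Source, Family | Sort-Object Count -Descending |
    Select-Object Count, Name
```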
