Expiring Today—Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

How do you audit RDP / Terminal Server hacking attempts in Windows 2008

Posted on 2010-09-22
6
Medium Priority
?
1,268 Views
Last Modified: 2012-05-10
I've deliberately tried 'hacking' one of the windows 2008 servers in our organization with an incorrect password, but never see any indication in the event log.  Has this been removed?  Is there a new and improved way of doing this with Windows 2008 server?
0
Comment
Question by:stonenajem
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
6 Comments
 
LVL 21

Expert Comment

by:chapmanjw
ID: 33740335
You could do this by enforcing a lockout policy (meaning after like 3 attempts they get locked for 15 minutes).  The process of getting locked out would be in the Windows Event Log under security.
0
 

Author Comment

by:stonenajem
ID: 33740350
Thanks, but my question specifically is about how these events are logged now.
0
 
LVL 20

Expert Comment

by:wolfcamel
ID: 33740383
the password attempts should still be in the security event log
0
Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 

Author Comment

by:stonenajem
ID: 33740390
That's my issue.  They appear if I use something other than administrator, but not if the administrator account is attempted.
0
 

Author Comment

by:stonenajem
ID: 33740405
Wolf - if you have a Windows 2008 server, would you do me a favor?  Make ~10 attempts from outside your network to RDP using the administrative account and a wrong password.  Cut and paste the log entries here.  I'm going to try to do a reasonable comparison of what you're showing to what I'm showing.
0
 

Accepted Solution

by:
stonenajem earned 0 total points
ID: 33749717
This appears to be related to IP6, and will display audit failure messages only if attempted from outside the network.  Not sure why, and not going to pursue the question further.
0

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Every system administrator encounters once in while in a problem where the solution seems to be a needle in haystack.  My needle was an anti-virus version causing problems with my Exchange server. I have an HP DL350 with Windows Server 2008 Stand…
Issue: One Windows 2008 R2 64bit server on the network unable to connect to a buffalo Device (Linkstation) with firmware version 1.56. There are a total of four servers on the network this being one of them. Troubleshooting Steps: Connect via h…
This tutorial will teach you the special effect of super speed similar to the fictional character Wally West aka "The Flash" After Shake : http://www.videocopilot.net/presets/after_shake/ All lightning effects with instructions : http://www.mediaf…
Have you created a query with information for a calendar? ... and then, abra-cadabra, the calendar is done?! I am going to show you how to make that happen. Visualize your data!  ... really see it To use the code to create a calendar from a q…

718 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question