Solved

How do you audit RDP / Terminal Server hacking attempts in Windows 2008

Posted on 2010-09-22
Last Modified: 2012-05-10
I've deliberately tried 'hacking' one of the Windows 2008 servers in our organization with an incorrect password, but never see any indication in the event log. Has this been removed? Is there a new and improved way of doing this with Windows 2008 Server?
Question by:stonenajem
6 Comments
 
LVL 21

Expert Comment

by:chapmanjw
ID: 33740335
You could do this by enforcing a lockout policy (meaning after like 3 attempts they get locked for 15 minutes).  The process of getting locked out would be in the Windows Event Log under security.
 

Author Comment

by:stonenajem
ID: 33740350
Thanks, but my question specifically is about how these events are logged now.
 
LVL 20

Expert Comment

by:wolfcamel
ID: 33740383
The password attempts should still be in the security event log.

Author Comment

by:stonenajem
ID: 33740390
That's my issue.  They appear if I use something other than administrator, but not if the administrator account is attempted.
 

Author Comment

by:stonenajem
ID: 33740405
Wolf - if you have a Windows 2008 server, would you do me a favor?  Make ~10 attempts from outside your network to RDP using the administrative account and a wrong password.  Cut and paste the log entries here.  I'm going to try to do a reasonable comparison of what you're showing to what I'm showing.
 

Accepted Solution

by:stonenajem
ID: 33749717
This appears to be related to IPv6, and will display audit failure messages only if attempted from outside the network. Not sure why, and not going to pursue the question further.
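
One way to pull out the fields needed for the log comparison discussed in this thread, as an added example that is not part of the original posts: it flattens failed-logon events (ID 4625) from the Security log and groups them by account, logon type and source address. It assumes PowerShell 2.0 or later and that logon failure auditing is enabled; the function name and the two sample events are constructed for illustration.

```powershell
# Added example: the sample events below are constructed, not taken from the thread.
# Failure auditing must be on for event 4625 to be written; check with:
#   auditpol /get /subcategory:"Logon"

function ConvertFrom-FailedLogonXml {
    # Flatten one event-4625 XML document into account / logon type / source address.
    param([Parameter(ValueFromPipeline = $true)][string]$EventXml)
    process {
        $evt  = [xml]$EventXml
        $data = @{}
        foreach ($d in $evt.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        New-Object PSObject -Property @{
            Time      = $evt.Event.System.TimeCreated.SystemTime
            Account   = $data['TargetUserName']
            LogonType = $data['LogonType']   # 10 = RemoteInteractive, 3 = Network (RDP with NLA)
            SourceIp  = $data['IpAddress']   # IPv4 or IPv6 literal, "-" when not recorded
            SubStatus = $data['SubStatus']   # 0xC000006A = wrong password
        }
    }
}

# Constructed samples: one classic RDP failure over IPv4, one NLA failure over IPv6.
$template = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="{0}"/></System>
  <EventData>
    <Data Name="TargetUserName">Administrator</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">{1}</Data>
    <Data Name="IpAddress">{2}</Data>
  </EventData>
</Event>
'@
$sample = @(
    ($template -f '2010-09-22T14:03:11Z', '10', '203.0.113.10'),
    ($template -f '2010-09-22T14:05:42Z', '3',  '2001:db8::10')
)

# Offline run on the samples; for the live log replace $sample with:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} | ForEach-Object { $_.ToXml() }
$sample | ConvertFrom-FailedLogonXml |
    Group-Object Account, LogonType, SourceIp |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Running the live query from an elevated session after a test attempt shows whether an event was written at all and, if so, which logon type and source address were recorded for it.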