Where do you find the security log files on hack in attempts

Up until recently, I had been using the old RDP with port 3389. This, of course, would leave me open to attacks. I am using SBS2008, and I cannot find where to find a record of these. I have gone to eventvwr and looked under system and security logs and can't seem to find them.

Thank you.

You need to enable the auditing for that from group policy. You can modify it by going to the default domain policy and enabling both success and failure. From now on you will see the successful logons and failed logons in Event Viewer.

Bert2005 (Author) Commented:
Hi moon blue69,

Thanks. That seems easy enough. I went to the default domain policy => Computer configuration => Policies => Windows settings.

I could find out how to enable logons from within the domain but not from outside the network.

Where would I find this? Thanks.

Hi Bert,

Did you mean you want to see who all logged in remotely to the server using remote desktop (port 3389)?



Bert2005 (Author) Commented:
Sort of. I am trying to know who is trying to hack into my server through any port, but 3389 is most common.

I am not interested in internal logons. And, I am not too interested in seeing who logged in remotely, mainly because I would be the only one.

But, when a hacker tries to get in by using a port, namely 3389, and then guessing the password, I want to be able to find the log that says such and such IP address tried to log into your server at such and such a time and was unsuccessful.


These remote login attempts will be logged if you enable success and failure of logons.
If you normally log on using "administrator" as your user name, please rename it to something else. Now a potential hacker has to guess two things, i.e. the username and the password. Please use a passphrase rather than a password, minimum 14 characters long, that will be hard to break even with a brute force attack. Expire the password every 40 - 60 days. Even if your password is compromised, they won't get access forever.

I think with all these in place you will be better off.
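
Once logon auditing is enabled as described in the answer above, failed logons are recorded in the Security log as event ID 4625 on Server 2008-generation Windows. The following is an added example, not part of the original thread, that lists those events with source IP and time; it assumes PowerShell 2.0 or later in an elevated session, and the 7-day window is a constructed value.

```powershell
# Added example: summarize failed logons (Security event 4625) by source IP.
# Assumes logon failure auditing is already enabled via group policy.

# Confirm that logon auditing is actually in effect after the policy change.
auditpol /get /subcategory:"Logon"

# Look-back window (constructed value; adjust as needed).
$since = (Get-Date).AddDays(-7)

$failures = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    # The named fields of the event live in its XML under EventData/Data.
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    New-Object PSObject -Property @{
        Time      = $_.TimeCreated
        User      = $data['TargetUserName']
        SourceIp  = $data['IpAddress']
        LogonType = $data['LogonType']   # 10 = RemoteInteractive (RDP), 3 = Network
    }
}

# Every failed attempt in the window, newest first.
$failures | Sort-Object Time -Descending |
    Format-Table Time, User, SourceIp, LogonType -AutoSize | Out-Host

# Attempts per source address; '-' or empty means no address was recorded.
$failures | Where-Object { $_.SourceIp -and $_.SourceIp -ne '-' } |
    Group-Object SourceIp | Sort-Object Count -Descending |
    Select-Object Count, Name -First 20 |
    Format-Table -AutoSize | Out-Host
```

If the first table is empty, check the `auditpol` output: the Logon subcategory must show Failure (or Success and Failure) before any 4625 events are written.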

Bert2005 (Author) Commented:
Thanks. That is very helpful. I will take your advice.