How to determine source of failed login for Remote Web Workplace

I've had a lot of failed logins lately via RWW on our SBS 2008 server. I find these in the Event Security log under event ID 4771 and I have a task created to send me a message when failures occur.

If someone on the local domain fails, the event shows a Client Address as one of the LAN workstations. However, for some questionable failures, the IP address is ::1. Clearly this tells me nothing. Is there a way to see the actual IP address from where this attempt is originating?
1 Solution
Cliff Galiher Commented:
You'll have to look at the IIS logs. The RWA website uses forms-based authentication, so a user fills out a form and IIS attempts to authenticate against AD on behalf of the user, so the IP is the local loopback address. That behavior is expected.

That means finding the source is a matter of digging through the IIS web logs, though, for the time of the authentication failure. Or use a log parsing tool.

I'll tell you now that RWA is on the net. Random IP scanners will find it and then attempt to exploit old (patched) IIS bugs to breach. Failed authents on RWA are unavoidable if you are offering remote access at all.
jmarkfoley Author Commented:
Thanks, I'll check out the logfiles.
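
The correlation described in the answer above, as an added example that is not part of the original thread: it parses an IIS W3C extended log by its `#Fields` directive and counts the client IPs that sent a POST within a few seconds of a 4771 event. The sample log lines, paths, IP addresses, function names and the 5-second window are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample in IIS W3C extended format (not real traffic; paths and IPs are made up).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2015-03-02 14:59:10 GET /remote/logon.aspx 203.0.113.45 200
2015-03-02 15:00:02 POST /remote/logon.aspx 203.0.113.45 200
2015-03-02 15:00:03 GET /favicon.ico 192.168.1.20 404
2015-03-02 15:00:04 POST /remote/logon.aspx 203.0.113.45 200
2015-03-02 15:07:30 POST /remote/logon.aspx 198.51.100.7 302
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column layout can change mid-file
        elif line and not line.startswith("#") and fields:
            cols = line.split(" ")
            if len(cols) == len(fields):       # skip truncated or malformed rows
                yield dict(zip(fields, cols))

def candidates(text, event_local, utc_offset_hours, window_s=5, method="POST"):
    """Count client IPs with a matching request within window_s of the event.

    IIS W3C logs use UTC by default, while Event Viewer shows local time,
    so the event time is converted to UTC before comparing.
    """
    local_tz = timezone(timedelta(hours=utc_offset_hours))
    event_utc = (event_local.replace(tzinfo=local_tz)
                 .astimezone(timezone.utc).replace(tzinfo=None))
    hits = Counter()
    for row in parse_w3c(text):
        ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        if abs((ts - event_utc).total_seconds()) <= window_s and row["cs-method"] == method:
            hits[row["c-ip"]] += 1
    return hits

if __name__ == "__main__":
    # Constructed case: 4771 logged at 10:00:03 local time on a UTC-5 server.
    for ip, n in candidates(SAMPLE_LOG, datetime(2015, 3, 2, 10, 0, 3), -5).most_common():
        print(ip, n)
```
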
