How to determine source of failed login for Remote Web Workplace

Posted on 2014-08-22
Last Modified: 2014-08-25
I've had a lot of failed logins lately via RWW on our SBS 2008 server. I find these in the Event Security log under event ID 4771 and I have a task created to send me a message when failures occur.

If someone on the local domain fails, the event shows a Client Address as one of the LAN workstations. However, for some questionable failures, the IP address is ::1. Clearly this tells me nothing. Is there a way to see the actual IP address from where this attempt is originating?
Question by: jmarkfoley

    Accepted Solution

    You'll have to look at the IIS logs. The RWA website uses forms-based authentication, so a user fills out a form and IIS attempts to authenticate against AD on behalf of the user, so the IP is the local loopback address. That behavior is expected.

    That means finding the source is a matter of digging through the IIS web logs, though, for the time of the authentication failure. Or use a log parsing tool.

    I'll tell you now that RWA is on the net. Random IP scanners will find it and then attempt to exploit old (patched) IIS bugs to breach. Failed authents on RWA are unavoidable if you are offering remote access at all.
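
One way to do the correlation described in the accepted answer, as an added example that is not part of the original thread: it reads IIS W3C extended logs, converts the Event 4771 time from local time to UTC (IIS W3C logs record UTC, Event Viewer shows local time), and counts the client IPs that POSTed to the logon form within a short window. The `/remote` path prefix, the field list, the UTC offset and all sample lines and addresses are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in IIS W3C extended format (not real traffic; documentation IP ranges).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2014-08-22 13:04:58 192.168.1.10 GET /Remote/logon.aspx - 443 - 203.0.113.45 Mozilla/5.0 200 0 0
2014-08-22 13:05:01 192.168.1.10 POST /Remote/logon.aspx - 443 - 203.0.113.45 Mozilla/5.0 200 0 0
2014-08-22 13:05:03 192.168.1.10 POST /Remote/logon.aspx - 443 - 203.0.113.45 Mozilla/5.0 200 0 0
2014-08-22 13:05:20 192.168.1.10 GET /owa/ - 443 - 198.51.100.7 Mozilla/5.0 302 0 0
2014-08-22 14:30:00 192.168.1.10 POST /Remote/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0 302 0 0
"""

def parse_w3c(lines):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # the directive can recur mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):     # skip truncated or malformed lines
                yield dict(zip(fields, values))

def logon_sources(lines, event_local, utc_offset_hours, window_s=30,
                  uri_prefix="/remote"):       # uri_prefix is an assumed logon path
    """Count client IPs that POSTed to the logon form near an Event 4771 time."""
    event_utc = event_local - timedelta(hours=utc_offset_hours)  # IIS logs in UTC
    hits = Counter()
    for row in parse_w3c(lines):
        try:
            when = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        except (KeyError, ValueError):
            continue                           # date/time fields not logged or unparsable
        if (abs((when - event_utc).total_seconds()) <= window_s
                and row.get("cs-method") == "POST"
                and row.get("cs-uri-stem", "").lower().startswith(uri_prefix)):
            hits[row.get("c-ip", "?")] += 1
    return hits.most_common()

if __name__ == "__main__":
    # Event Viewer showed 09:05:02 local time; the server is at UTC-4 in this sample.
    print(logon_sources(SAMPLE_LOG.splitlines(), datetime(2014, 8, 22, 9, 5, 2), -4))
```

If `c-ip` shows only a reverse proxy or firewall address, the original client has to be taken from that device's logs instead.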

    Author Closing Comment

    Thanks, I'll check out the logfiles.
