Alert for unsuccessful admin login attempts

I am tasked to set up an alert for unsuccessful admin login attempts at our company to satisfy cyber security controls. We have 2 offices and 4 home offices. The main office logs into our Windows 2012 server and then everyone logs into our Windows 2012 RDS server for all network resources.
How can I set some sort of alert for unsuccessful admin login attempts? I understand that event ID 4625 is the main unsuccessful login attempt identifier, and I'm OK with using that even though it is not strictly for admin logins, but where would I create this (I assume a group policy)? On the Domain Controller (AD Server), the RDS server, the workstation (for all local domain logins in the main office), or all 3? I was hoping only one server (the AD server?) could do this.
carilou asked:

btan (Exec Consultant) commented:
You would be looking at the RDS server event log for 4625 events. The username for administrators will be shown.

However, this is not so much for admin tracking, but it is good to note remote source logon attempts. For example, if an attacker attempts to log on but fails to do so and uses a username that does not exist on the targeted RDS host or the domain that the host is a member of, Event ID 140 is logged, showing you the source IP of the attacker. However, if the attacker is using a username which exists on the target machine, you will not see 141, and you can still correlate the timestamps of Event ID 4625 (Network Type 3) in the Security Log with the timestamps of Event ID 131 to find the IP source. That said, with the IP source you probably can check for the logon user, but you need the actual server event logon ID event based on a close timestamp to check the actual username used for such remote access into your server.
http://purerds.org/remote-desktop-security/auditing-remote-desktop-services-logon-failures-1/

In short, you can track down and correlate generic network logon failure events (Event ID 4625 with Logon Type 3) in the Security Log to remote desktop logon attempts by using Event IDs 131 and 140 in the RdpCoreTS channel log. This means the logon failure is associated with the IP address referenced in the 131 and/or 140 events, which normally come shortly before the 4625 events.

Back to the admin tracking: it is best to still have a jumphost that does the central oversight for admin login, and it can better suit your use case to track on top of the server logon of admin accounts. Note that AD logs only contain authentication, not logon. But you can go into really tracking the activities of users, including admins, with other event IDs. See this.
https://www.eventtracker.com/tech-articles/following-a-users-logon-tracks-throughout-the-windows-domain/
2
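The correlation btan describes, written out as an added PowerShell example (not code from the answer or from the linked articles): it pulls 4625 failures for a list of admin accounts on the RDS host, fills in the source IP from RdpCoreTS 131/140 events when the 4625 record has none, and mails an alert once an account passes a threshold. The account list, threshold, SMTP server and mail addresses are placeholders; the IP is taken from the 131/140 message text with a regex, which is an assumption about the message format.

```powershell
# Added example: run elevated on the RDS host (e.g. from a scheduled task every $LookbackMinutes).
param(
    [string[]]$AdminAccounts = @('administrator', 'svc_backup'),  # placeholder list of admin accounts
    [int]$Threshold = 5,                                           # failures per account before alerting
    [int]$LookbackMinutes = 15,
    [string]$SmtpServer = 'smtp.example.internal'                  # placeholder
)
$since = (Get-Date).AddMinutes(-$LookbackMinutes)

# Security log: 4625 = an account failed to log on. Read the named fields from the event XML.
$failures = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $d.TargetUserName
            Domain    = $d.TargetDomainName
            LogonType = $d.LogonType           # 3 = network, 10 = RemoteInteractive
            SourceIP  = $d.IpAddress           # often "-" for RDP/NLA failures
            SubStatus = $d.SubStatus           # 0xC000006A bad password, 0xC0000064 unknown user
        }
    } | Where-Object { $AdminAccounts -contains $_.User }   # -contains is case-insensitive

# RdpCoreTS 131 (new TCP connection) / 140 (failed logon) carry the client IP in their message text.
$rdpLog = 'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'
$rdp = Get-WinEvent -FilterHashtable @{LogName=$rdpLog; Id=131,140; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $ip = if ($_.Message -match '(\d{1,3}(\.\d{1,3}){3})') { $matches[1] } else { $null }
        [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; IP = $ip }
    }

# Where 4625 has no address, take the nearest 131/140 event in the 10 s before the failure.
foreach ($f in $failures) {
    if (-not $f.SourceIP -or $f.SourceIP -eq '-') {
        $near = $rdp | Where-Object { $_.IP -and $_.Time -le $f.Time -and $_.Time -ge $f.Time.AddSeconds(-10) } |
                Sort-Object Time -Descending | Select-Object -First 1
        if ($near) { $f.SourceIP = $near.IP }
    }
}

# One alert per admin account that crossed the threshold inside the window.
$alerts = $failures | Group-Object User | Where-Object { $_.Count -ge $Threshold }
foreach ($a in $alerts) {
    $body = $a.Group | Sort-Object Time | Format-Table Time, Domain, LogonType, SourceIP, SubStatus -AutoSize | Out-String
    Send-MailMessage -SmtpServer $SmtpServer -From 'alerts@example.internal' -To 'soc@example.internal' `
        -Subject "$($a.Count) failed admin logons for $($a.Name) on $env:COMPUTERNAME" -Body $body
}
```

The Security log only contains 4625 if "Audit Logon" failure auditing is enabled on the host (via the local or a group policy), so check that first with `auditpol /get /category:Logon/Logoff`.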

Naveen Sharma commented:
Here is an article which shows you how to audit the successful or failed logon and logoff attempts in the network using the audit policies: https://www.lepide.com/blog/audit-successful-logon-logoff-and-failed-logons-in-activedirectory/

Track the Source of Failed Logon Attempts in Active Directory:
http://expert-advice.org/active-directory/track-the-source-of-failed-logon-attempts-in-active-directory/

Also, have a look at this Active Directory auditing solution to track all the logon/logoff activities of Active Directory users. Along with this, the solution also sends real-time and threshold-based alerts for successful user logon or logoff, and domain controller logon or logoff.
0
Sara Teasdale commented:
You can do this with just about any log management platform. Configure your auditing policy and forward event logs from your DCs, then set up alerts with your desired threshold.

https://www.poweradmin.com/blog/monitor-failed-user-logins-in-active-directory/

https://www.netwrix.com/kb/1223

However, there is a third party product that will offer a more complete and unified system of email notification. Please reference the "Event Sentry" product by Netikus.Net:

http://www.netikus.net/

https://www.netwrix.com/kb/1545
1
Naveen Sharma commented:
Answered
0