dankyle67

Getting blocked attempts to access remote desktop server from unauthorized users

Under Security in the event logs on a Windows 2012 remote desktop server I noticed a lot of blocked attempts into the server using usernames that were already deleted in Active Directory Users and Computers last year.  Does this signal possible hacking attempts to access our network?  Are there other logs I can view or processes that can audit attempts by unauthorized users into the remote desktop server?
noci

You need to verify the sources of the attempts... If they are from deleted accounts, that might also be from services still running under old usernames...
Hi Dan,

In terms of other logs, you should install an AD auditor like ManageEngine's ADAudit Plus: https://www.manageengine.com/products/active-directory-audit/ They have a 30-day free trial running without limitation. It will be able to determine a ton across your whole network as well as what device/IP address is trying to log in.

Let me know if you have any questions!
Get help from this auditing solution to audit Active Directory user logon/logoff events:
https://www.lepide.com/lepideauditor/active-directory-auditing.html

However, it seems like some service tried to log on some user with incorrect user credentials. Please check whether there are services that log on as those accounts. Get help from this article to audit the successful or failed logon attempts in the network using the audit policies:
https://www.lepide.com/blog/audit-successful-logon-logoff-and-failed-logons-in-activedirectory/ 

How to Trace the Source of a Bad Password and Account Lockout in Active Directory:
http://expert-advice.org/active-directory/how-to-trace-the-source-of-a-bad-password-and-account-lockout-in-ad/

How to stop brute force attacks on Terminal Server:
https://serverfault.com/questions/230033/how-to-stop-brute-force-attacks-on-terminal-server-win2008r2
ASKER CERTIFIED SOLUTION
Sara Teasdale

dankyle67

ASKER

Thanks for all the help, these are all good tools and practices.
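
The replies above suggest verifying where the attempts come from and whether services still log on as the deleted accounts. The following PowerShell is an added example, not part of any reply in this thread: it groups failed-logon events (Security event ID 4625) by account, source address, logon type and failure reason. The function names `ConvertFrom-FailedLogonXml` and `New-SampleEvent` are hypothetical, and the sample events are constructed.

```powershell
# Added example: summarise failed logons (Security event ID 4625) per account and source.
$LogonTypeName = @{ '2' = 'Interactive'; '3' = 'Network (SMB, RDP with NLA)'; '4' = 'Batch'
                    '5' = 'Service'; '10' = 'RemoteInteractive (RDP)' }
$FailureReason = @{ '0xC0000064' = 'No such user'; '0xC000006A' = 'Bad password'
                    '0xC0000072' = 'Account disabled'; '0xC0000234' = 'Account locked out' }

function ConvertFrom-FailedLogonXml {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        # Flatten <EventData><Data Name="...">value</Data> into a lookup table.
        $d = @{}
        foreach ($n in ([xml]$EventXml).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $type = [string]$d.LogonType
        $sub  = [string]$d.SubStatus
        [pscustomobject]@{
            User      = $d.TargetUserName
            Source    = $d.IpAddress      # '-' means the attempt originated on this server
            LogonType = if ($LogonTypeName.ContainsKey($type)) { $LogonTypeName[$type] } else { $type }
            Reason    = if ($FailureReason.ContainsKey($sub)) { $FailureReason[$sub] } else { $sub }
            Process   = $d.ProcessName
        }
    }
}

# Constructed sample events, trimmed to the fields used above (not taken from the thread).
function New-SampleEvent($User, $Type, $Sub, $Ip, $Proc) {
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><EventData>" +
    "<Data Name='TargetUserName'>$User</Data><Data Name='LogonType'>$Type</Data>" +
    "<Data Name='SubStatus'>$Sub</Data><Data Name='IpAddress'>$Ip</Data>" +
    "<Data Name='ProcessName'>$Proc</Data></EventData></Event>"
}
$sample = @(
    New-SampleEvent 'olduser1' 5 '0xc0000064' '-' 'C:\Windows\System32\services.exe'
    New-SampleEvent 'olduser2' 3 '0xc0000064' '203.0.113.7' '-'
    New-SampleEvent 'olduser2' 3 '0xc0000064' '203.0.113.7' '-'
)

# Live use on the server (elevated prompt), in place of $sample:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } | ForEach-Object { $_.ToXml() }
$sample | ConvertFrom-FailedLogonXml |
    Group-Object User, Source, LogonType, Reason |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

A "Service" or "Batch" logon type with a local source points to a leftover service or scheduled task, while "Network" or "RemoteInteractive" entries from an outside address are remote attempts against the RDP listener.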