Getting blocked attempts to access remote desktop server from unauthorized users

Under security in event logs on windows 2012 remote desktop server i noticed a lot of blocked attempts into the server using usernames that have already been deleted in active directory users and computers last year.  Does this signal possible hacking attempts to access our network?  Are there are other logs i can view or processes that can audit attempts by unauthorized users into the remote desktop server?
dankyle67Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

nociSoftware EngineerCommented:
you need to verify sources of the attempts... if they are from deleted accounts that might also be from services still running under old usernames...
1
Blue Street TechLast KnightCommented:
Hi Dan,

In terms of other logs, you should install an AD Auditor like Managed Engine's Ad AuditPlus: https://www.manageengine.com/products/active-directory-audit/ They have a 30-day free trial running without limitation. It will be able to determine a ton across your whole network as well as what device/IP address is trying to login.

Let me know of you have any questions!
1
Naveen SharmaCommented:
Get help from this auditing solution to audit Active Directory user logon/logoff events:
https://www.lepide.com/lepideauditor/active-directory-auditing.html

However, it seems like some service tried to logon some user with incorrect user credentials. Please check whether there are services that logon as those accounts. get help from this article audit the successful or failed logon attempts in the network using the audit policies:
https://www.lepide.com/blog/audit-successful-logon-logoff-and-failed-logons-in-activedirectory/ 

How to Trace the Source of a Bad Password and Account Lockout in Active Directory:
http://expert-advice.org/active-directory/how-to-trace-the-source-of-a-bad-password-and-account-lockout-in-ad/

How to stop brute force attacks on Terminal Server:
https://serverfault.com/questions/230033/how-to-stop-brute-force-attacks-on-terminal-server-win2008r2
0
Sara TeasdaleCommented:
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
dankyle67Author Commented:
Thanks for all the help, these are all good tools and practices.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2012

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.