dankyle67
asked on
Getting blocked attempts to access remote desktop server from unauthorized users
Under Security in the event logs on a Windows 2012 remote desktop server, I noticed a lot of blocked attempts to get into the server using usernames that were already deleted in Active Directory Users and Computers last year. Does this signal possible hacking attempts to access our network? Are there other logs I can view or processes that can audit attempts by unauthorized users to get into the remote desktop server?
You need to verify the sources of the attempts... if they are from deleted accounts, they might also be from services still running under old usernames...
Hi Dan,
In terms of other logs, you should install an AD auditor like ManageEngine's ADAudit Plus: https://www.manageengine.com/products/active-directory-audit/ They have a 30-day free trial running without limitation. It will be able to determine a ton across your whole network, as well as what device/IP address is trying to log in.
Let me know if you have any questions!
Get help from this auditing solution to audit Active Directory user logon/logoff events:
https://www.lepide.com/lepideauditor/active-directory-auditing.html
However, it seems like some service tried to log on some user with incorrect user credentials. Please check whether there are services that log on as those accounts. Get help from this article to audit the successful or failed logon attempts in the network using the audit policies:
https://www.lepide.com/blog/audit-successful-logon-logoff-and-failed-logons-in-activedirectory/
How to Trace the Source of a Bad Password and Account Lockout in Active Directory:
http://expert-advice.org/active-directory/how-to-trace-the-source-of-a-bad-password-and-account-lockout-in-ad/
How to stop brute force attacks on Terminal Server:
https://serverfault.com/questions/230033/how-to-stop-brute-force-attacks-on-terminal-server-win2008r2
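Added example, not part of any reply in this thread and not taken from the linked tools: a PowerShell script for the two checks suggested above, finding where the failed logons (Security event 4625) come from and whether a service or scheduled task on the server still runs as one of the deleted accounts. It assumes an elevated prompt on the Remote Desktop server; the names in `$StaleUsers` and the 7-day window are placeholders.

```powershell
# Constructed placeholders: replace with the deleted usernames seen in the Security log.
$StaleUsers = @('olduser1', 'olduser2')
$Since      = (Get-Date).AddDays(-7)

# 1. Read failed logons (event 4625) and pull out the fields that identify the source.
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time        = $evt.TimeCreated
            User        = $data['TargetUserName']
            SourceIp    = $data['IpAddress']        # '-' usually means a local source
            Workstation = $data['WorkstationName']
            LogonType   = $data['LogonType']        # 3 network (incl. RDP with NLA), 10 RDP, 5 service, 4 batch
            SubStatus   = $data['SubStatus']        # 0xC0000064 = user name does not exist
            Process     = $data['ProcessName']
        }
    }

# 2. Who is being tried, from where, and how often.
$failed | Group-Object User, SourceIp, LogonType |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20 |
    Format-Table -AutoSize

# Attempts that name one of the deleted accounts, newest first.
$failed | Where-Object { $StaleUsers -contains $_.User } |
    Sort-Object Time -Descending |
    Select-Object -First 20 |
    Format-Table Time, User, SourceIp, Workstation, LogonType, SubStatus, Process -AutoSize

# 3. Services and scheduled tasks on this server still configured with those accounts.
#    Matches DOMAIN\user, .\user and user@domain forms.
$names   = ($StaleUsers | ForEach-Object { [regex]::Escape($_) }) -join '|'
$pattern = '(^|\\)(' + $names + ')(@|$)'

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -match $pattern } |
    Select-Object Name, StartName, State

Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -match $pattern } |
    Select-Object TaskPath, TaskName, @{ n = 'RunAs'; e = { $_.Principal.UserId } }
```

Logon types 4 and 5 or a local source point to a leftover task or service on the server itself; type 3 or 10 from outside addresses points to remote attempts against RDP.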
ASKER
Thanks for all the help, these are all good tools and practices.