I'm looking for a way to monitor our group of servers, so that any failed login attempts (either at the system's keyboard and mouse or via RDP) are brought to my attention, either in real time or on a schedule.

To give some background, my server group is set up on a workgroup (no domain) and is a mix of Windows 2003 servers with one 2008 Enterprise system.

All I really want is a method of being alerted when someone tries to log in to the server and fails. I know I might get some false positives from people who should be accessing it but have mistyped, but I am willing to put up with these to make sure our systems are safe.

Ideally, if it's an application it should be free, but I'm willing to look at pay software as long as it's up to the job.

Thanks, Kris

Kristiaan

1 Answer

I thought that failed login attempts were logged automatically, but I've just tried it and they're not.

However, I have found this page which details the steps for Windows Server 2003. I would expect the process to be very similar if not identical for your 2008 Enterprise machine.

You run "gpedit.msc", then

Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy

Or you can just select Control Panel > Administrative Tools > Local Security Policy > Local Policies > Audit Policy

Then for "Audit account logon events" check "Success" and/or "Failure" depending on which type of attempt you want to monitor. In your case it's "Failure".

I'm not sure how you'd get automatic notification of these, but you can connect to another computer in the Event Viewer. If you didn't have many servers to check you could make it part of your daily routine - but that's far from ideal.

Alternatively you could write a script or small program to periodically check the logs. Check the answers to this question for some ideas.

ChrisF
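One way to do the periodic log check suggested in the answer above, as an added example that is not part of the answer or of the pages it links to. It assumes Windows PowerShell 2.0 or later on the machine that runs it as a scheduled task; the server names, SMTP host and mail addresses are placeholders, and `Get-FailedLogon` is a name made up for this sketch.

```powershell
# Added example. $Servers, $SmtpServer and the mail addresses are placeholders.
# Assumption: the task runs under an account that exists with the same name and
# password (and administrator rights) on every workgroup server, because
# Get-EventLog -ComputerName has no credential parameter and there is no domain.
$Servers    = 'SERVER01', 'SERVER02'
$SmtpServer = 'smtp.example.invalid'
$Since      = (Get-Date).AddHours(-1)    # set to the interval between scheduled runs

# Failure audits that indicate a failed logon:
#   680 (Server 2003) / 4776 (Server 2008)  - "Audit account logon events"
#   529-537, 539 (2003) / 4625 (2008)       - "Audit logon events", if also enabled
$FailureIds = @(529..537) + 539, 680, 4625, 4776

function Get-FailedLogon {
    param([string[]]$ComputerName, [datetime]$After)
    foreach ($computer in $ComputerName) {
        try {
            Get-EventLog -LogName Security -ComputerName $computer -After $After `
                         -EntryType FailureAudit -ErrorAction Stop |
                Where-Object { $FailureIds -contains $_.EventID } |
                Select-Object @{n='Server';e={$computer}}, TimeGenerated, EventID, Message
        } catch {
            # "No matches found" only means a quiet interval. Anything else (server
            # down, access denied) is reported so a blind spot is not read as silence.
            if ($_.FullyQualifiedErrorId -notlike 'GetEventLogNoEntriesFound*') {
                New-Object PSObject -Property @{
                    Server = $computer; TimeGenerated = (Get-Date)
                    EventID = 0; Message = "Could not read Security log: $_"
                }
            }
        }
    }
}

$events = @(Get-FailedLogon -ComputerName $Servers -After $Since)
if ($events.Count -gt 0) {
    $body = $events | Sort-Object Server, TimeGenerated |
        Format-List Server, TimeGenerated, EventID, Message | Out-String
    Send-MailMessage -SmtpServer $SmtpServer -From 'audit@example.invalid' `
        -To 'admin@example.invalid' -Body $body `
        -Subject "$($events.Count) failed logon event(s) since $Since"
}
```

Nothing is returned until failure auditing is switched on under Audit Policy on each server, and the Security log must be large enough not to wrap between runs.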