Auditing Remote Desktop Services Logon Failures – Part 1
Home Data Center, 2017-01-04

Today we’re going to tackle one of the most frustrating tasks of a Microsoft Remote Desktop Services administrator – tracking failed logons. Many administrators who have migrated their RDS collections from Windows Server 2008 to Windows Server 2012 are shocked to find that auditing RDS logons has changed considerably between the two operating systems.

Auditing Remote Desktop Services Logon Failures on Windows Server 2008 – RDP Security Layer or Bust

Windows Server 2008 can be configured to record detailed information about failed logon attempts with a Logon Type of 10 (RemoteInteractive), the type that corresponds to a Terminal Server/Remote Desktop Services session. These failures are recorded as Event ID 4625 in the Security event log. A Type 10 entry is only produced when the connection reaches the interactive Windows logon screen, which is what the legacy RDP Security Layer does; when Network Level Authentication is enforced, credentials are checked before the session exists and the failure is instead logged as a network logon (Type 3), frequently with no Source Network Address, which is why the heading says "RDP Security Layer or Bust". Here's an example of this event, taken from a system undergoing brute force attack attempts via RDP. You can see that the attacker has used a username of user2, the attack is originating from 118.x.x.x, the logon type is 10 (RDP), and the Logon Process is User32. Note the Sub Status of 0xc0000064: that code means the user name does not exist on the host, so this attacker is guessing account names as well as passwords.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          12/23/2016 4:25:40 PM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      HONEYPOT
Description:
An account failed to log on.

Subject:
    Security ID:            SYSTEM
    Account Name:           HONEYPOT$
    Account Domain:         WORKGROUP
    Logon ID:               0x3e7

Logon Type:                 10

Account For Which Logon Failed:
    Security ID:            NULL SID
    Account Name:           user2
    Account Domain:         HONEYPOT

Failure Information:
    Failure Reason:         Unknown user name or bad password.
    Status:                 0xc000006d
    Sub Status:             0xc0000064

Process Information:
    Caller Process ID:      0x87c
    Caller Process Name:    C:\Windows\System32\winlogon.exe

Network Information:
    Workstation Name:       HONEYPOT
    Source Network Address: 118.x.x.x
    Source Port:            4375

Detailed Authentication Information:
    Logon Process:          User32
    Authentication Package: Negotiate
    Transited Services:     -
    Package Name (NTLM only): -
    Key Length:             0
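As an added example (this is not code from the PureRDS article), the following PowerShell pulls the Event ID 4625 records described above from the local Security log, keeps only the Logon Type 10 entries, and summarizes them by source address so a brute force run like the one in the sample event stands out as one line. The one-day lookback, the logon-type list and the small Sub Status lookup table are assumptions made for the example; the field names (TargetUserName, IpAddress, LogonType and so on) are the EventData names Windows uses in the 4625 XML.

```powershell
# Added example, not code from the PureRDS article: summarize failed RDP
# logons (Event ID 4625, Logon Type 10) from the local Security log.
# Run elevated on the RDS host being audited.
# $Since and $LogonTypes are illustrative choices for this example.

$Since      = (Get-Date).AddDays(-1)
$LogonTypes = @('10')   # 10 = RemoteInteractive (RDP reaching the Windows logon screen).
                        # Add '3' to also catch NLA (CredSSP) failures, which never
                        # reach the interactive logon and are logged as network logons.

# Sub Status codes that tell "no such account" apart from "bad password";
# the 0xc0000064 in the sample event above means the account does not exist.
$SubStatusText = @{
    '0xc0000064' = 'user name does not exist'
    '0xc000006a' = 'correct user name, bad password'
    '0xc0000072' = 'account disabled'
    '0xc0000234' = 'account locked out'
}

# The hashtable filter is applied by the event log service, but LogonType is
# not one of its keys, so fetch all 4625s in the window and filter after
# parsing each event's XML.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $Since
} -ErrorAction SilentlyContinue

$failures = foreach ($e in $events) {
    # Flatten <Data Name="...">value</Data> into a name -> value hashtable
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    if ($LogonTypes -notcontains $data['LogonType']) { continue }

    $sub    = ('{0}' -f $data['SubStatus']).ToLower()
    $reason = if ($SubStatusText.ContainsKey($sub)) { $SubStatusText[$sub] } else { $sub }

    [pscustomobject]@{
        TimeCreated   = $e.TimeCreated
        LogonType     = $data['LogonType']
        TargetUser    = $data['TargetUserName']
        TargetDomain  = $data['TargetDomainName']
        SourceAddress = $data['IpAddress']
        SourcePort    = $data['IpPort']
        LogonProcess  = $data['LogonProcessName']
        AuthPackage   = $data['AuthenticationPackageName']
        SubStatus     = $sub
        Reason        = $reason
    }
}

# One line per source address: attempt count, the account names tried, and
# whether the attacker was guessing accounts or passwords.
$failures |
    Group-Object SourceAddress |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'SourceAddress'; e = { $_.Name } },
        @{ n = 'UsersTried';    e = { ($_.Group.TargetUser | Sort-Object -Unique) -join ', ' } },
        @{ n = 'Reasons';       e = { ($_.Group.Reason | Sort-Object -Unique) -join '; ' } } |
    Format-Table -AutoSize -Wrap
```

Filtering on the parsed XML rather than on the rendered message text is deliberate: the message layout differs between Windows versions and languages, while the EventData names do not, so the same script works on the 2008 and 2012 hosts the article contrasts. Widening $LogonTypes to include Type 3 is the quickest way to see what NLA does to these events once you move to a 2012 collection.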

Read the entire article, Auditing Remote Desktop Services Logon Failures (Part 1), via the fine folks at PureRDS.org.

