Logging Failed Log-in Attempts

Preface:

This will show you how to set up Windows Server 2003 to log failed attempts at logging into the system, along with the failed passwords, etc.

Method:

Click Start then Run..

In the Run box type "gpedit.msc"

Under Computer Configuration Click the + next to Windows Settings, then Security Settings, Local Policies, and click Audit Policy

Double click Audit account logon events, make sure success is checked, then check failure also

Do the same for Audit logon events

Now, any unsuccessful log-ins will be shown in the Security section of the Event Viewer. The following information about the log-in failure will be displayed:

Reason
User Name
Domain (or computer name if no domain is present)
Logon Type
Logon Process
Authentication Package
Workstation Name
Caller User Name
Caller Domain (or workgroup)
Caller Logon ID
Caller Process ID
Transited Services
Source Network Address
Source Port

If you notice this repeatedly from the same computer (it shows the workstation name and IP) then you can take appropriate actions.

<-- Go back to the main tutorial page