Do you use Group Policy to enable auditing of logon attempts?

Last updated by Tiago Araujo on 24 Jul 2019 09:48 pm (almost 2 years ago)

It is important as a Network Administrator to know when and where failed login attempts are coming from. Through Group Policy you can enable "Audit logon events".

  1. Create a group policy called 'Logon Auditing Policy'
  2. Right click on 'Logon Auditing Policy' and click on Edit to bring up Group Policy Management Editor
  3. Select 'Audit account logon events' from Computer Configuration | Policies | Windows Settings | Local Policies | Audit Policy and set to Success, Failure
  4. Select 'Audit logon events' from Computer Configuration | Policies | Windows Settings | Local Policies | Audit Policy and set to Success, Failure

Figure: Select 'Audit logon events'

  5. Select 'Audit: Force audit policy...' from Computer Configuration | Policies | Windows Settings | Local Policies | Security Options and set to Enabled

Figure: Select 'Audit: Force audit policy...'

Figure: Successful and Failed login attempts will now appear in Event Viewer | Security

You will now be able to see successful and failed login attempts on user accounts. These can then be captured and audited with your own internal process or a third-party application such as WhatsUp Gold. See: Do you monitor failed login attempts?
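
As a starting point for an internal process, the following added example (not part of the original rule) checks that the policy has applied and summarises failed logons by account and source address. It assumes an elevated PowerShell session on an English-language Windows machine (the `auditpol` category names are localised) and relies on event ID 4625, which Windows writes to the Security log for a failed logon.

```powershell
# Added example: run in an elevated PowerShell session on a machine
# that has received the 'Logon Auditing Policy' GPO.

# 1. Confirm the effective audit policy (run 'gpupdate /force' first if needed).
#    Both categories should report 'Success and Failure'.
auditpol /get /category:"Logon/Logoff"
auditpol /get /category:"Account Logon"

# 2. Pull failed logons (event ID 4625) from the last 24 hours.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $since
} -ErrorAction SilentlyContinue   # suppresses the error raised when nothing matches

# 3. Turn each event's named EventData fields into a flat object.
$failures = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        SourceIp    = $data['IpAddress']
        Workstation = $data['WorkstationName']
        LogonType   = $data['LogonType']   # e.g. 2 = interactive, 3 = network, 10 = RDP
        SubStatus   = $data['SubStatus']   # NTSTATUS code giving the failure reason
    }
}

# 4. Show where the failures come from: count per account and source address.
$failures |
    Group-Object Account, SourceIp |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'LastSeen'; e = { $_.Group.Time | Sort-Object | Select-Object -Last 1 } } |
    Format-Table -AutoSize
```

Many failures against one account from a single source usually indicate a stale saved credential or password guessing; failures spread across many accounts from one source are worth investigating as password spraying.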

Steven Andrews