How to track logon attempts onto a WinXP/Server 2003 system

While looking for a way to figure out how long since a server last rebooted, I ran across the wonderful:

net statistics server

command. Gleefully I sent this off to my boss since it showed an uptime far longer than we were accustomed to. My glee was especially pronounced because the last server reboot had occurred after I made a configuration change specifically to increase uptime.

Of course, my boss was much more concerned about some other information revealed by net statistics server; namely, the number next to the phrase "password violations". Now I'm pretty sure that it's mainly people forgetting their password, autologon attempts that use the wrong password, etc... Par for the course in a Windows network.

It turns out Windows can write event log entries tracking detailed information about these sorts of activities. For instance, you can have Windows write an entry to the Security log every time someone logs onto the machine, and every time a logon attempt fails. To do this:
  • Start gpedit.msc (from the run prompt).
  • Browse to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy.
  • Double-click "Audit logon events" and make sure both Success and Failure are checked.
  • Click OK.

That's it! It's easily tested with a logon attempt using the wrong password: on XP/Server 2003 the failure shows up in the Security log (Event Viewer, eventvwr.msc) as event 529 ("Unknown user name or bad password"), while a successful interactive logon is 528 and a successful network logon is 540. Two caveats: if the machine is domain-joined, a domain Group Policy setting for "Audit logon events" overrides whatever you set in gpedit.msc, and for domain accounts the password itself is checked on the domain controller, so to see those failures there you need "Audit account logon events" enabled on the DC as well. Remember to make sure your Security log is sized properly and configured to overwrite old events as needed, so that it neither fills up your hard drive nor, if set to "do not overwrite", silently stops recording once it is full.
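The same change, done from the command line instead of gpedit.msc, is useful when you have more than one box to configure or want the log sizing done in the same step. This is an added example, not from the original post: it uses the built-in secedit and reg tools on XP/Server 2003, then provokes a failed network logon and looks for the resulting 529 event. The file name audit.inf, the 20 MB log size, and the use of the local Administrator account for the test are assumptions chosen for illustration.

```batch
@echo off
REM Added example (not from the original post). Run from an administrator
REM command prompt on XP Pro / Server 2003. Assumed names: audit.inf/audit.sdb
REM in %TEMP%, a 20 MB Security log, and the local Administrator account as
REM the target of the deliberately failed logon.
setlocal
set INF=%TEMP%\audit.inf

REM 1. Security template equivalent of "Audit logon events: Success, Failure".
REM    [Event Audit] values: 1 = success only, 2 = failure only, 3 = both.
REM    AuditAccountLogon is set too so that, on a domain controller, the
REM    credential checks for domain accounts are recorded as well.
>  "%INF%" echo [Version]
>> "%INF%" echo signature="$CHICAGO$"
>> "%INF%" echo Revision=1
>> "%INF%" echo [Event Audit]
>> "%INF%" echo AuditLogonEvents=3
>> "%INF%" echo AuditAccountLogon=3

REM Apply only the audit/security-policy area; the setting takes effect at once.
secedit /configure /db "%TEMP%\audit.sdb" /cfg "%INF%" /areas SECURITYPOLICY /quiet
if errorlevel 1 echo secedit failed, see %windir%\security\logs\scesrv.log & exit /b 1

REM 2. Size the Security log (20 MB; MaxSize must be a multiple of 64 KB) and
REM    set Retention=0 ("overwrite events as needed") so the log can never fill
REM    and stop recording. The Event Log service reads these at startup, so
REM    they take effect after the next reboot.
reg add HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security /v MaxSize /t REG_DWORD /d 20971520 /f
reg add HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security /v Retention /t REG_DWORD /d 0 /f

REM 3. Provoke one failed logon without touching the GUI: a network logon to
REM    our own IPC$ share with a deliberately wrong password. Expect
REM    "System error 1326 ... Logon failure: unknown user name or bad password".
net use \\%COMPUTERNAME%\IPC$ /user:%COMPUTERNAME%\Administrator NotThePassword >nul 2>&1

REM 4. Show the most recent failed-logon events (ID 529) from the Security log.
cscript //nologo %SystemRoot%\system32\eventquery.vbs /L Security /FI "ID eq 529" /R 10
endlocal
```

Step 1 only changes the local audit policy; on a domain member, a domain GPO that defines "Audit logon events" will put the setting back at the next policy refresh, so make the change in the domain policy in that case. Step 3 is a network logon, not an interactive one, which is why the failure appears as a 529 with logon type 3 rather than type 2; that is enough to confirm auditing is on, and a wrong password at the console will show up the same way with type 2.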
