LabTechRob

How to: Get notifications on failed logon attempts


If you'd like to be alerted any time a logon to a Windows system fails, the first thing you'll need to do is change the local policy of the target so that the failure results in a log entry. As this is essentially a one-liner, I'm just posting the script here as text:

 

SHELL: auditpol /set /subcategory:"logon" /success:disable /failure:enable AND STORE THE RESULT IN %SHELLRESULT%

 

On my script, I added two more lines for error handling:

 

If %shellresult% = "The command was successfully executed." THEN Exit Script

Create Information Alert: Policy modification failed

 

After you run that script on a target, you should have a system that logs failed logons. Go ahead and do just that: sign in improperly and then sign in properly. Look at the log files. Is your entry there?

 

Open that computer's computer screen in LabTech, hit the 'Logs' tab and create a monitor against that log. I'd probably set the 'Alert Style' to 'Continuous' so that if newb haxor guy tries to brute force a desktop or server, my phone will start chiming.

 

Combine that script and monitor within a group and you've got a new product offering, or bundle it in with your existing services to make your offerings a tiny bit better. Either way, Happy LabTeching!
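A quick way to do the "is your entry there?" check from the post above in one step: confirm that the auditpol change took effect and list what the Security log now records. This is an added example, not LabTechRob's script; it assumes an English-language Windows install (auditpol output is localized) and, as a fact independent of the post, that a failed logon is written as Security Event ID 4625.

```powershell
# Added example (not LabTechRob's script): confirm that the auditpol change took
# effect and list the failed logons the Security log now records.
# Assumes an English-language Windows install (auditpol output is localized).

function Test-LogonFailureAuditing {
    # auditpol prints one line per subcategory, e.g. "  Logon    Failure" or
    # "  Logon    Success and Failure"; the "Logon/Logoff" category header line
    # does not match because a slash follows the word.
    $line = auditpol /get /subcategory:"Logon" | Where-Object { $_ -match '^\s*Logon\s' }
    return [bool]($line -match 'Failure')
}

function Get-RecentFailedLogon {
    param([int]$Minutes = 60)
    # Failed logons are Security Event ID 4625. Get-WinEvent raises an error when
    # nothing matches, so that case is turned into an empty result instead.
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated,
            @{ Name = 'Account';   Expression = { $_.Properties[5].Value } },   # TargetUserName
            @{ Name = 'LogonType'; Expression = { $_.Properties[10].Value } },  # 2 local, 3 network, 10 RDP
            @{ Name = 'SourceIP';  Expression = { $_.Properties[19].Value } }   # IpAddress ('-' when not known)
}

if (-not (Test-LogonFailureAuditing)) {
    Write-Warning 'Failure auditing for Logon is not enabled; 4625 events will not be written.'
}
Get-RecentFailedLogon -Minutes 60 | Format-Table -AutoSize
```

Run it in an elevated PowerShell on the target right after the deliberately failed sign-in; the failed attempt should appear as the newest row, and a LabTech log monitor on event 4625 in the Security log is what the post's 'Logs' tab step ends up watching.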


Windows already logs this in the Security log; event 4624 is for Windows logon events: type 2 is local, type 3 is IIS and other network logins, type 10 is an RDP/RDS login attempt. There are some other types as well. On the few servers I manage that have RDP open to the internet, I have a PowerShell script that runs every 15 minutes and scans the event logs; if there are more than 10 failed logon type 10 events from a single IP address, it adds that IP to a Windows Firewall rule that blocks all connections from the said IP. There is some logic in there to prevent local or specific IPs from being blocked if needed. Obviously this only works on 2008 and newer and not 2003 server.

Can you share that script with me? I have a few servers open to the Internet as well for RDP.


I believe this is the script he was referring to. I use it as well; in my opinion, it works great! However, I would like to figure out how to set a monitor to notify me when IPs have been blocked. Also, I can't figure out how to exclude local IPs from being blocked... Regardless, my IP blocklist is quite large, and rarely (but it does happen) I get a local IP in there and the computer cannot log on until I remove it from the firewall rule.

https://blog.watchpointdata.com/rdp-brute-force-attack-detection-and-blacklisting-with-powershell
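The approach described two posts up (scan the event log every 15 minutes, block a source after more than 10 failed RDP logons) together with the two things the post directly above asks for (never block a local address, and get a notification when something is blocked), as one added example. This is neither the WatchPoint script behind the link nor the earlier poster's own script; it assumes Windows 8 / Server 2012 or newer for the NetSecurity cmdlets (older hosts would use netsh advfirewall instead), an elevated scheduled task, and the hypothetical rule name, event source and allow-list address shown at the top. Failed logons are read from Security Event ID 4625; with Network Level Authentication enabled, failed RDP credential checks are commonly recorded as logon type 3 rather than 10, so the type list is a parameter.

```powershell
# Added example: per-source count of failed RDP logons, private/allow-listed
# sources excluded, offenders merged into one blocking rule, and an Application
# log event written so a LabTech event-log monitor can alert on each block.
# Assumes Windows 8 / Server 2012+ (NetSecurity cmdlets) and admin rights.

$RuleName   = 'RDP brute-force blocklist'   # assumed rule name
$LogSource  = 'RdpBlocklist'                # assumed Application-log event source
$Threshold  = 10                            # failures per source IP before blocking
$WindowMin  = 15                            # minutes; matches a 15-minute scheduled task
$LogonTypes = @(10)                         # 10 = RemoteInteractive; add 3 if NLA failures show as network logons
$AllowList  = @('203.0.113.10')             # constructed example: an admin address never to block

function Test-NotBlockable {
    # True for anything that must not end up in the rule: unparsable values such
    # as '-', IPv6 (not handled here), loopback, link-local and RFC 1918 ranges.
    param([string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $true }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $true }
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or ($b[0] -eq 127) -or
           ($b[0] -eq 169 -and $b[1] -eq 254) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Get-RdpOffender {
    # Returns the source IPs with at least $Threshold failed logons in the window.
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddMinutes(-$WindowMin) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $counts = @{}
    foreach ($e in $events) {
        # Read the named EventData fields rather than relying on field order.
        $x = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($LogonTypes -notcontains [int]$data['LogonType']) { continue }
        $ip = $data['IpAddress']
        if ((Test-NotBlockable $ip) -or ($AllowList -contains $ip)) { continue }
        $counts[$ip] = 1 + [int]$counts[$ip]
    }
    return @($counts.GetEnumerator() | Where-Object { $_.Value -ge $Threshold } | ForEach-Object { $_.Key })
}

function Update-BlockRule {
    param([string[]]$NewIPs)
    if (-not $NewIPs) { return }
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if (-not $rule) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block -RemoteAddress $NewIPs | Out-Null
        $added = $NewIPs
    } else {
        # Keep what is already blocked and append only the new sources.
        $existing = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress | Where-Object { $_ -ne 'Any' })
        $added = @($NewIPs | Where-Object { $existing -notcontains $_ })
        if (-not $added) { return }
        $rule | Set-NetFirewallRule -RemoteAddress ($existing + $added)
    }
    # Record the block in the Application log; point a LabTech log monitor at
    # source $LogSource / event 1000 to get the notification.
    if (-not [System.Diagnostics.EventLog]::SourceExists($LogSource)) {
        New-EventLog -LogName Application -Source $LogSource
    }
    Write-EventLog -LogName Application -Source $LogSource -EventId 1000 -EntryType Warning `
        -Message ("Blocked RDP brute-force source(s): " + ($added -join ', '))
}

Update-BlockRule -NewIPs (Get-RdpOffender)
```

Because the rule is built from the event log alone, a workstation on the LAN can only get in if its address is outside the private ranges checked in Test-NotBlockable (for example a public address routed in from a branch office), which is exactly the case the allow list is for; put such addresses in $AllowList and they are skipped before counting ever starts.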

 
