
In Windows Server 2003, when an Event 529 (logon failure) occurs with a logon type of 10 (remote logon), the source network IP address is recorded in the event log.

On a Windows XP machine, this (and some other details) is omitted.

If a bot is trying a brute force over RDP (some of my XP machines are (and need to be) exposed with a public IP address), I cannot see the originating IP address, so I don't know what to block (with a script I run every few minutes).

The DC does not log this detail either when the logon attempt is to the client XP machine and the DC is only asked to authenticate the credentials.

Any help getting this detail in the log would be appreciated.

Sam Halicke
  • Why not look in your firewall logs? – joeqwerty Jul 05 '10 at 21:41
  • @joeqwerty I don't currently have Windows Firewall configured on my XP machines. If I enabled it, and enable its log, how would I distinguish between the valid connection that an authenticated user is using and the one the bot is using to try all the user names and passwords it could? – Make it useful Keep it simple Jul 05 '10 at 22:19
  • So you have no firewall protecting your internal network? That doesn't sound good. As far as turning on the Windows firewall and log, it should be relatively easy to discern which connections are legitimate and which aren't: for those connections that aren't legitimate you should see a large number of connections, in rapid succession, from the same or similar IP addresses. – joeqwerty Jul 05 '10 at 23:30
  • @joeqwerty The bot will likely open one connection and then try multiple user names/passwords over that same connection. The Windows Firewall log will only log a single connection being established - much like the one where the user successfully authenticates. – Make it useful Keep it simple Jul 06 '10 at 00:01
  • The only way you'll know for sure is to try it. Right now you have no information that's helpful in tracking it down; what do you have to lose by trying it? If it doesn't help then you're no worse off than you are now. – joeqwerty Jul 06 '10 at 00:07
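Added example, not code from the question or any answer here: a Python script that does what the comment thread debates, cross-referencing the XP machine's Event 529 (logon type 10) timestamps with the Windows Firewall log and charging each failure to the inbound RDP session that was most recently opened at that moment. The log lines, timestamps and addresses are constructed, and the pfirewall.log field order is assumed.

```python
from collections import defaultdict
from datetime import datetime

RDP_PORT, FMT = "3389", "%Y-%m-%d %H:%M:%S"
# Constructed sample of a Windows Firewall log (pfirewall.log, W3C format) with
# "log successful connections" enabled; OPEN/CLOSE lines share src-ip and src-port.
FIREWALL_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2010-07-05 21:40:00 OPEN TCP 192.0.2.10 192.0.2.5 50123 3389 - - - - - - - - - RECEIVE
2010-07-05 21:41:10 OPEN TCP 203.0.113.7 192.0.2.5 40001 3389 - - - - - - - - - RECEIVE
2010-07-05 21:41:50 CLOSE TCP 203.0.113.7 192.0.2.5 40001 3389 - - - - - - - - - -
2010-07-05 21:42:00 OPEN TCP 203.0.113.7 192.0.2.5 40002 3389 - - - - - - - - - RECEIVE
2010-07-05 21:42:30 OPEN TCP 198.51.100.3 192.0.2.5 33000 445 - - - - - - - - - RECEIVE
"""
# Constructed timestamps of Event 529 / logon type 10 failures from the XP Security log.
FAILURES = ["2010-07-05 21:40:30", "2010-07-05 21:41:15", "2010-07-05 21:41:20",
            "2010-07-05 21:41:40", "2010-07-05 21:42:05", "2010-07-05 21:42:10"]

def rdp_connections(log_text):
    """Pair OPEN/CLOSE lines of inbound TCP sessions to the RDP port into
    (src_ip, opened, closed) tuples; closed is None for a still-open session."""
    live, done = {}, []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        date, time, action, proto, src_ip, _dst, src_port, dst_port = line.split()[:8]
        if proto != "TCP" or dst_port != RDP_PORT:
            continue
        stamp = datetime.strptime(f"{date} {time}", FMT)
        if action == "OPEN":
            live[(src_ip, src_port)] = stamp
        elif action == "CLOSE" and (src_ip, src_port) in live:
            done.append((src_ip, live.pop((src_ip, src_port)), stamp))
    return done + [(ip, t, None) for (ip, _port), t in live.items()]

def attribute_failures(failure_times, connections):
    """Heuristic: charge each 529 to the most recently opened RDP session still open
    at that moment (the one likely at the logon prompt), not to an older live session."""
    counts = defaultdict(int)
    for stamp in failure_times:
        t = datetime.strptime(stamp, FMT)
        open_now = [c for c in connections if c[1] <= t and (c[2] is None or t <= c[2])]
        if open_now:
            counts[max(open_now, key=lambda c: c[1])[0]] += 1
    return dict(counts)

def suspects(failure_times=FAILURES, log_text=FIREWALL_LOG, threshold=3):
    """Source IPs with at least `threshold` attributed failures, for the block script."""
    counts = attribute_failures(failure_times, rdp_connections(log_text))
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```

The attribution is a heuristic: a legitimate session that stays open for the whole window is still counted when it is the only candidate, so review the per-IP counts before feeding them to a blocking script.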

1 Answer


Description of the Port Reporter Parser (PR-Parser) tool http://support.microsoft.com/default.aspx?scid=kb;en-us;884289