Log the “source network address” in Event ID 529 entries on Windows XP - TechRepublic
Question
July 8, 2010 at 10:48 PM
sholomke

Log the “source network address” in Event ID 529 entries on Windows XP

by sholomke. Updated 15 years, 12 months ago

In Windows Server 2003, when an Event 529 (logon failure) occurs with a logon type of 10 (remote logon), the source network IP address is recorded in the event log.

On a Windows XP machine, this (and some other details) is omitted.

If a bot is trying a brute force over RDP (some of my XP machines are (and need to be) exposed with a public IP address), I cannot see the originating IP address, so I don’t know what to block (with a script I run every few minutes).

The DC does not log this detail either when the logon attempt is to the client XP machine and the DC is only asked to authenticate the credentials.

Any help getting this detail in the log would be appreciated.
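A sketch of the kind of periodic blocking check described in the question, added here as an example and not part of the original post. It assumes the Event 529 descriptions have already been exported as text with `Logon Type` and `Source Network Address` labels; the helper names, the threshold and the sample events are constructed. It counts type 10 failures per validated source address and separately counts the XP-style events that carry no address, which cannot be acted on.

```python
import ipaddress
from collections import Counter

def make_event(logon_type, address=None):
    """Build a constructed Event 529 description; address=None mimics XP."""
    lines = ["Logon Failure:", "\tReason:\tUnknown user name or bad password",
             "\tUser Name:\tadministrator", f"\tLogon Type:\t{logon_type}"]
    if address is not None:
        lines.append(f"\tSource Network Address:\t{address}")
    return "\n".join(lines)

# Constructed sample data (documentation address ranges, not from a real log).
SAMPLE_EVENTS = (
    [make_event(10, "203.0.113.7")] * 3   # repeated RDP failures, one source
    + [make_event(10, "198.51.100.20")]   # single RDP failure
    + [make_event(3, "203.0.113.7")]      # network logon, not RDP: ignored
    + [make_event(10)]                    # XP-style entry: address field absent
)

def parse_fields(description):
    """Split 'Label: value' lines of an event description into a dict."""
    fields = {}
    for line in description.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def triage(descriptions, threshold=3):
    """Return (addresses at or over threshold, RDP failures with no address)."""
    per_source = Counter()
    unattributed = 0
    for text in descriptions:
        fields = parse_fields(text)
        if fields.get("Logon Type") != "10":
            continue  # only remote interactive (RDP) logon failures
        try:
            # Validate before the value is ever handed to a firewall rule.
            addr = ipaddress.ip_address(fields.get("Source Network Address", ""))
        except ValueError:
            unattributed += 1  # field missing or not an address
            continue
        per_source[str(addr)] += 1
    blocked = sorted(a for a, n in per_source.items() if n >= threshold)
    return blocked, unattributed

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

A non-zero second value means some remote logon failures were recorded without a source address, so a block list built from this log alone is incomplete for that host.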
