Failed Logins -- Better Logging?

Greg

Does Windows 2003 provide better logging than the event viewer? I've
enabled success and failure for logins but it doesn't provide me with useful
information (what the attempted password was, IP address if any -- for
remote logon, etc.). Even the successful login info is disappointing to me
since it doesn't provide any info about the computer used to log on.

Thanks.
 
Joe Richards [MVP]

IP address was supposed to be added in W2K3... I haven't looked, are you saying you have looked and it isn't there?
Password that was used is definitely not there and I would kick MS's ass if they even thought of doing that. That would
be a horrible security issue even if it were feasible (passwords aren't generally passed in clear text, it is usually a
hash/nonce scheme).
 
Joe Richards [MVP]

I just fired up my 2k3 laptop and slammed it with some bad hits and it is logging IP addresses. It is listed in the 529
events under Source Network Address.

Also it records IPs from successful logons as well.

--
Joe Richards
www.joeware.net
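
Added example, not part of the thread: Python that tallies event 529 failures by the Source Network Address field mentioned in the post above, over exported event descriptions. The field layout beyond that one field name, the function names and the sample events are assumptions constructed for illustration; the addresses are documentation ranges.

```python
from collections import Counter, defaultdict

def make_529(user, logon_type, workstation, source):
    """Constructed 529 description: a subset of fields, W2K3 layout assumed."""
    return ("Logon Failure:\n"
            "\tReason:\t\tUnknown user name or bad password\n"
            f"\tUser Name:\t{user}\n"
            f"\tLogon Type:\t{logon_type}\n"
            f"\tWorkstation Name:\t{workstation}\n"
            f"\tSource Network Address:\t{source}\n")

# Constructed sample events, not real log data.
SAMPLE = [
    make_529("administrator", 3, "WKS01", "192.0.2.10"),
    make_529("Administrator", 3, "WKS01", "192.0.2.10"),
    make_529("backup", 3, "WKS01", "192.0.2.10"),
    make_529("jsmith", 10, "LAPTOP7", "198.51.100.4"),
    make_529("jsmith", 2, "SRV01", "-"),   # console logon: no network address
]

def parse_event(description):
    """Return the 'Name: value' lines of one event description as a dict."""
    fields = {}
    for line in description.splitlines():
        # Split on the first colon only, so IPv6 values such as ::1 survive.
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip()] = value.strip()
    return fields

def failures_by_source(descriptions):
    """Map each source address to a Counter of the user names tried from it."""
    by_source = defaultdict(Counter)
    for text in descriptions:
        fields = parse_event(text)
        # A missing or empty address is grouped under "-" like a local logon.
        source = fields.get("Source Network Address") or "-"
        by_source[source][fields.get("User Name", "").lower()] += 1
    return by_source

def noisy_sources(by_source, threshold=3):
    """Remote sources with at least `threshold` failed logons, sorted."""
    return sorted(src for src, users in by_source.items()
                  if src != "-" and sum(users.values()) >= threshold)

if __name__ == "__main__":
    tally = failures_by_source(SAMPLE)
    for src in noisy_sources(tally):
        print(src, dict(tally[src]))
```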
 
Joe Richards [MVP]

I am not sure it can be in W2K, from what I understand there were some considerable changes in some of the NetBIOS/IP
stuff to get the IP address up to the netbios provider for the logging.

--
Joe Richards
www.joeware.net
 
Greg

I'm seeing it now as well (just did a clean install of it). Not sure
why it wasn't showing it before.

Joe Richards said:
I just fired up my 2k3 laptop and slammed it with some bad hits and it is
logging IP addresses. It is listed in the 529
 
Eric Fitzgerald [MSFT]

IP address is in W2K3. Our security and auditing systems were designed to
be protocol-independent; IP address doesn't make much sense on NetBEUI or
IPX/SPX networks.

Eric

--
Eric Fitzgerald
Program Manager, Windows Auditing
Microsoft Corporation

The above message is provided "AS-IS" with no warranties, and confers no
rights.
 
B. Goodman

IP address is in W2K3. Our security and auditing systems were designed to
be protocol-independent

....which was a good strategy until the late '90s when they also became
"reality-independent". ;)

Would have been nice if MS had made a W2K add-in that would log IP
address like Server W2K3. But I expect I'm MUCH HAPPIER they spent
their resources giving us WMP 9 instead! ;)
 
