Audit Policy Settings

System event logs are important part of RdpGuard detection engines, it is strongly recommended to enable audit for successful and failed logon events.

The following engines depend on audit of failed logon events:

• RDP Detection Engine
• RDWeb Detection Engine

The following features depend on audit of successful logon events:

• Auto-reset of failed logon attempts counter for successfully logged in users
• Notifications of successfull logons

To Enable Audit for Logon Events

1. Start Command Prompt (cmd.exe) as Administrator

2. Type the following command and press Enter

auditpol /set /subcategory:Logon /success:enable /failure:enable

3. You should see the following message:

The command was successfully executed.

How to Enable Audit for Failed and Successful Logon events

To Enable Audit for Logon Events (alternative way)

1. Click Start -> Administrative Tools -> Local Security Policy

Click Start -> Administrative Tools -> Local Security Policy

Local Security Policy snap-in will open:

Local Security Policy snap-in

2. Open Security Settings, Local Policies, Audit Policy

3. Double click on Audit logon events.

Audit logon events Properties dialog will open:

Audit logon events Properties Dialog

4. Set Audit these attempts to Failure and Success(optionally) and click OK.

5. Repeat steps 3-4 for Audit logon events.

Audit Policy should look like below:

Configured Audit Policy

RdpGuard protects:

• Remote Desktop
• MS-SQL Server
• FTP Protocol
• IMAP Protocol
• POP3 Protocol
• SMTP Protocol
• IIS Web Login
• MySQL Server
• ASP.NET Forms
• RD Web Access
• VoIP (SIP Protocol)

RdpGuard

 

People like RdpGuard!