How to configure Microsoft Windows Server to log all failed and successful logon attempts. Edit Local Security Policy, Audit Policy.

Audit Policy Settings overview

System event logs are important part of RdpGuard detection engines, it is strongly recommended to enable audit for successful and failed logon events.

The following engines depend on audit of failed logon events:

The following features depend on audit of successful logon events:

Auto-reset of failed logon attempts counter for successfully logged in users
Notifications of successful logons

Please check out instructions below to learn more on adjusting audit settings

Configure Audit Policy Settings via Local Security Policy

1. Open the Local Security Policy editor by typing secpol.msc in the Run dialog box (press the Windows key + R to open the Run dialog box).

Open the Local Security Policy editor

You can open the Local Security Policy editor by entering "secpol.msc" into the Run dialog box.

The Local Security Policy snap-in will open:

Local Security Policy snap-in

2. In the left pane of the Local Security Policy editor, navigate to Security Settings, Advanced Audit Policy Configuration, Audit Policies, Logon/Logoff.

3. In the right pane of the Local Security Policy editor, double-click Audit Logon

The Audit logon Properties dialog will open:

Audit logon events Properties

The Audit logon Properties dialog.

4. Check the Success and Failure boxes under Audit these attempts

5. Click OK to save the changes.

The Audit Policy should look like below:

Configured Audit Policy

Configure Audit Policy Settings via CLI using AuditPol

1. Start Command Prompt (cmd.exe) as Administrator

2. Type the following command and press Enter

auditpol /set /subcategory:Logon /success:enable /failure:enable

3. You should see the following message:

The command was successfully executed.

Auditpol command in Command Prompt Window

How to Enable Audit for Failed and Successful Logon events

"This sotware is really great. It's a relief. Because my server is constantly under attack. Thanks RdpGuard" - Joaquim De Sousa Marques

"Nice product. I used to implement something similiar in a low-tech and cumbersome manner via a script called TSBlock (not mine). This makes it much easier and is well worth the pricetag for SMB's." - J. Johnson

"Absolutely amazed at your product. We are a church in the North Dallas area, and I discovered this morning multiple failed logon attempts via our Remote Access Server. A friend suggested your product, so I immediately downloaded the trial. It had a list of about five blocked IP addresses in minutes, and that was enough to lead me to push the BUY button. Over the past 10-15 minutes the list is now about thirty with at least a third being international attempts to break into our system. Thanks for a great product. You may have just saved us much grief." - John Hallford

"Love the software. RDP on our Windows servers is just ridiculous. We would block it in the router but we have lots of old-time customers that would have issues." - Scott Hirsch

"Love the software! Makes it easier than tailoring VB Scripts!!" - Nick Brennan

"It's a great product - really stopping those RDP attackers :-)" - Dave, UK

"First of all: Your application is very (!!!) useful and I like it very much securing my 2012 R2 server. RdpGuard is the best solution, I found on the market and after 10 minutes of testing it I ordered the fully-featured version. :-)" - Carsten Baltes