Kaseya Community

Windows Security Log: failed login - alert?


Hi, I'm new to Kaseya and I'm a cofounder in a startup. Forgive me if we post or ask questions that have already been answered. I didn't see anything posted about this in the last 2 years, so I thought I would ask.

We have a client we're trying to convince to let us manage their network, but so far they want to stay on T&M. Anyway, they are having an issue because their previous IT guy set up a port forward for RDP. They are getting hit by tons of failed logons. Until I can get them on another remote solution, is there any way to set up an alert that fires on failed logons? Thanks in advance.

Verified Answer
  • Yes, you'll use Monitor --> Event Log Alerts --> Set up a Security Log alert for the following events. Just use the event IDs and asterisks for the other filter columns. The event set will look like this:

    * * 4625 * *

    * * 4740 * *



    Added tags, added suggested answer
    [edited by: Chris - Benevolent NOC Overlord at 5:57 AM (GMT -7) on Apr 23, 2018]
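    The Kaseya event set above only tells you that a 4625 (failed logon) or 4740 (account lockout) was written; it does not tell you who is hitting the forwarded RDP port or how hard. The script below is an added example, not Kaseya's event-set file and not code from anyone in this thread. It reads the same two Security events directly on the exposed host with Get-WinEvent, groups the failures by source IP and account, and flags sources above a threshold. The one-hour window, the threshold of 10 failures per source, and the `Get-EventDataMap` helper are assumptions chosen for illustration; run it in an elevated PowerShell on the Windows machine behind the port forward.

```powershell
# Added example (not Kaseya's event set, not code from the original post):
# triage Security events 4625 and 4740 on the host behind the RDP port forward.
# Assumed defaults: a 1-hour window and 10 failures per source IP as "noisy".
param(
    [int]$Hours = 1,
    [int]$Threshold = 10
)

$since = (Get-Date).AddHours(-$Hours)

# Read EventData fields by name from the event XML rather than by positional
# index, so the script does not depend on the field order of the 4625 template.
# (Helper name is an assumption for this example.)
function Get-EventDataMap {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $map = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

# 4625: failed logons. LogonType 10 is RemoteInteractive (classic RDP);
# type 3 (Network) appears when the client authenticates via NLA, so keep both.
$failed = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventDataMap $_
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = "$($d.TargetDomainName)\$($d.TargetUserName)"
            SourceIp  = $d.IpAddress
            LogonType = $d.LogonType
            SubStatus = $d.SubStatus   # 0xC000006A = bad password, 0xC0000064 = no such user
        }
    })

"Failed logons (4625) since $since, grouped by source IP:"
$failed | Group-Object SourceIp | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Accounts'; e = { ($_.Group.Account | Select-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize

# Flag any source that exceeded the threshold; this is the condition an alert
# should actually fire on, rather than every single 4625.
$noisy = @($failed | Group-Object SourceIp | Where-Object { $_.Count -ge $Threshold })
if ($noisy.Count -gt 0) {
    Write-Warning ("{0} source(s) exceeded {1} failed logons in {2}h: {3}" -f $noisy.Count, $Threshold, $Hours, ($noisy.Name -join ', '))
}

# 4740: account lockouts. In this event TargetUserName is the locked account and
# TargetDomainName carries the "Caller Computer Name" that triggered the lockout;
# for a port-forwarded RDP host that is usually the host itself.
"Account lockouts (4740) since ${since}:"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventDataMap $_
        [pscustomobject]@{ Time = $_.TimeCreated; LockedAccount = $d.TargetUserName; CallerComputer = $d.TargetDomainName }
    } | Format-Table -AutoSize
```

    Two caveats when reading the output: 4625 is only logged if "Audit Logon" failure auditing is enabled (it is on by default on workstations and servers, but check `auditpol /get /category:Logon/Logoff` if the list is suspiciously empty), and a SourceIp of `-` means the failure came from a local or non-network logon, not from the Internet.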
  • Hey DJ,

    I have created that event set. I am already using it and it is working fine. I have attached that event set file with this post; you need to import it into your Kaseya and apply it on machines.

All Replies

  • Several of the clients that we took over during the past year had some kind of RDP port forward defined in their firewalls. We implemented a "get tough" policy: we either changed the firewall setting or required that any client who refused sign a hold-harmless document drawn up by our attorney. Nobody wanted to sign, so every firewall was closed to unsecured RDP port forward access. Most clients implemented an RDP gateway or rolled back to the VPN.

    This is one of the biggest vulnerabilities in any customer environment. Combine this with lax password and lockout policies and you and the client are just looking for trouble.

    Glenn

  • Wow, thanks for all the replies! This is great, thank you all.

    Yeah, we're looking to do something similar as well. We're still super small and all of us still have full-time jobs, but we are FAR exceeding our milestones to go full time this year #stoked