Tuesday, February 26, 2013

Reporting on Failed Logons

A question was sent to me: how can we be notified if someone tries to sign onto a desktop or server with bad credentials?  I really like this question because monitoring failed logons is an excellent service to offer an environment.  Windows workstations don't record this out of the box, and knowing about missed account logons can be very helpful.  Most of the time this monitor will help you take care of an end-user who has legitimately forgotten their password.  Sometimes, however, it will give you a heads-up that your environment is under attack!  Either way, knowing when a logon attempt fails on a computer is a proper monitoring metric.  Let's see how to realize this with LabTech.

Now, out of the box, a Windows workstation won't write a Security log event when a logon fails (member servers and domain controllers audit logon failures by default; client editions audit only successes), so that's the first thing that needs to be addressed.  If we look at some documentation, we can see this feature can be enabled using Group Policy: the 'Audit logon events' policy, or the 'Logon' subcategory under Advanced Audit Policy Configuration.  Well, that ends that.  LabTech can't speak Group Policy, right?

If that's your initial thought then you really ought to check the link just under this post.  You'll see that the vast majority of Group Policy settings are really just registry values (and so can be set by LabTech).  OK, so we can easily make this change then.  Well, unfortunately this security policy is one of the exceptions.  Look up the aforementioned path and you'll find that 'Event Log security settings are not registry keys.'  Meh.

Turns out, this can be done without Group Policy.  I found a command: auditpol, which lets us apply this audit policy to a local computer.  (auditpol.exe is built into Windows Vista / Server 2008 and later; XP and Server 2003 don't ship it, so this script won't work on those.)  Three lines later, we have a new LabTech Script: 'Enable Failed Logon Event Logging'.  It looks like this:

1.  SHELL:  auditpol /set /subcategory:"logon" /success:disable /failure:enable and store the result in %shellresult%
2.  IF %shellresult% = The command was successfully executed. THEN Exit Script
3.  Create Informational Alert: Policy Modification Failed

OK, so now we can tell a computer to turn on failed logon auditing.  How then to monitor it?  The answer and the testing process are one and the same here.  First, apply this policy to all the computer types you are responsible for.  Next, fail a logon (lock the screen and type the wrong password, for example).  Using LabTech, tell that remote computer to inventory the event logs.  You should see a new entry in the Security log for the failed logon: Event ID 4625 on Vista / Server 2008 and later (the 529-series events on XP / Server 2003).  Right-click, create remote monitor.  Done and done.

Two caveats before rolling this out.  The script above also disables success auditing; think twice about that, because the successful-logon events (4624) are what tell you whether a guessing attack eventually got in.  And auditpol only changes the local policy: if a domain GPO defines audit settings for these machines, it will re-apply them at the next policy refresh and can undo the change, so verify the effective setting (auditpol /get /subcategory:"Logon") after a refresh, not just right after the script runs.
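To show what the two halves of this procedure look like when done by hand, here is an added PowerShell example.  It is not part of the original post and is not LabTech code; it assumes an elevated prompt on Windows Vista / Server 2008 or later with PowerShell 2.0+.  The first function makes the same auditpol change as the LabTech script but leaves success auditing alone, and then reads the effective setting back instead of trusting the success message.  The second function pulls the resulting 4625 events and groups them by source so you can tell a forgotten password from a spray or brute-force attempt; the two thresholds are illustrative assumptions, not anything from the post.

```powershell
# Added example, not from the original post or from LabTech.
# Assumes: elevated prompt, Windows Vista / Server 2008 or later, PowerShell 2.0+.

function Enable-FailedLogonAuditing {
    # Same change as the post's script, but failure-only: 4624 (successful logon)
    # records are what later tell you whether a guessing attack got in.
    $output = & auditpol.exe /set /subcategory:"Logon" /failure:enable 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol /set failed (exit $LASTEXITCODE): $output"
    }
    # Read the effective setting back. '/r' prints CSV with the header:
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    $row = & auditpol.exe /get /subcategory:"Logon" /r |
        Where-Object { $_.Trim() } |
        ConvertFrom-Csv
    if ($row.'Inclusion Setting' -notmatch 'Failure') {
        throw "Logon failure auditing is still off (effective: '$($row.'Inclusion Setting')'). A domain GPO may be overriding the local policy."
    }
    $row.'Inclusion Setting'
}

# Human-readable names for the 4625 fields that matter for triage.
$LogonTypeName = @{
    '2' = 'Interactive'; '3' = 'Network'; '4' = 'Batch'; '5' = 'Service'
    '7' = 'Unlock'; '8' = 'NetworkCleartext'; '9' = 'NewCredentials'
    '10' = 'RemoteInteractive'; '11' = 'CachedInteractive'
}
$SubStatusName = @{
    '0xc000006a' = 'bad password';        '0xc0000064' = 'no such user'
    '0xc0000234' = 'account locked out';  '0xc0000072' = 'account disabled'
    '0xc0000071' = 'password expired';    '0xc0000193' = 'account expired'
    '0xc000006f' = 'outside logon hours'; '0xc0000070' = 'workstation restriction'
}

function Get-FailedLogonSummary {
    param(
        [int]$Hours = 24,
        # Thresholds are illustrative assumptions; tune them for your environment.
        [int]$SprayAccountThreshold = 5,    # distinct accounts tried from one source
        [int]$BruteForceThreshold   = 20    # failures against one account from one source
    )
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    # Get-WinEvent reports "no events found" as an error; treat that as an empty result.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $rows = foreach ($ev in $events) {
        # Flatten <Data Name="...">value</Data> pairs from the event XML.
        $data = @{}
        foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # Console logons carry IpAddress '-' and the local WorkstationName; RDP/SMB carry the client IP.
        $source = $data.WorkstationName
        if ($data.IpAddress -and $data.IpAddress -ne '-') { $source = $data.IpAddress }
        New-Object PSObject -Property @{
            Time      = $ev.TimeCreated
            Account   = "$($data.TargetDomainName)\$($data.TargetUserName)"
            Source    = $source
            LogonType = $LogonTypeName["$($data.LogonType)"]
            Reason    = $SubStatusName["$($data.SubStatus)".ToLower()]
        }
    }

    # Triage per source: a few failures against one account is usually a forgotten
    # password; many accounts from one source is a spray, many failures against one
    # account is brute force.
    $findings = foreach ($g in ($rows | Group-Object Source)) {
        $accounts   = @($g.Group | Select-Object -ExpandProperty Account -Unique)
        $perAccount = $g.Group | Group-Object Account | Sort-Object Count -Descending | Select-Object -First 1
        $verdict = 'probably a forgotten password'
        if ($accounts.Count -ge $SprayAccountThreshold) { $verdict = 'ATTACK: password spray' }
        elseif ($perAccount.Count -ge $BruteForceThreshold) { $verdict = 'ATTACK: brute force' }
        New-Object PSObject -Property @{
            Source = $g.Name; Failures = $g.Count; Accounts = $accounts.Count
            TopAccount = $perAccount.Name; TopAccountFailures = $perAccount.Count
            LogonTypes = (($g.Group | Select-Object -ExpandProperty LogonType -Unique) -join ',')
            Verdict = $verdict
        }
    }
    $findings | Sort-Object Failures -Descending
}

Enable-FailedLogonAuditing
Get-FailedLogonSummary -Hours 24 |
    Format-Table Source, Failures, Accounts, TopAccount, LogonTypes, Verdict -AutoSize
```

The summary function is the logic a LabTech remote monitor on Event ID 4625 would be approximating; running it by hand after you deliberately fail a logon is also a quick way to confirm the auditpol change actually took effect on that machine.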

Thursday, February 14, 2013