Remote Desktop auditing may not be working (no logs in event viewer?)
I have a Windows 10 Pro workstation that is connected to a domain that I'm trying to monitor remote desktop usage on. A user will work from home from time to time by connecting directly to that workstation with Remote Desktop.
Because I have enabled Remote Desktop on that workstation, I would like to monitor all Remote Desktop activity on it - all successful and unsuccessful login attempts.
Currently all I'm getting it seems is successful logins when I look in:
Event Viewer --> Application and Services Logs --> Microsoft --> Windows --> TerminalServices-RemoteConnectionManager --> Operational.
The only events I have in there are #1149 which are the successful login attempts (great - that's half of what I need), and #261 which are TCP received a connection (don't care). I tried logging in with a fake user name and password several times before checking the event log of course to see if it would show up in the log, but alas, none appeared.
I have found several articles on the web that say to make a change in the policy. So first I went to the computer's Local Group Policy Editor, and made the following change:
Local Computer Policy --> Computer Configuration --> Windows Settings --> Security Settings --> Advanced Audit Policy Configuration --> System Audit Policies - Local Group Policy Object --> Logon/Logoff --> Audit Logon.
I checked all 3 boxes:
1. Configure the following audit events
2. Success
3. Failure
Clicked OK
Then I tried logging into that workstation via Remote Desktop using a fake account/password again a couple times, then checked the TerminalServices-RemoteConnectionManager event log, and still no records of my unsuccessful attempts.
I thought maybe I need to make the same change on the domain controller group policy, so on the domain controller I made the following change in:
Default Domain Policy [myservername.mydomainname] Policy --> Computer Configuration --> Policies --> Windows Settings --> Security Settings --> Advanced Audit Policy Configuration --> Audit Policies --> Logon/Logoff --> Audit Logon
I checked all 3 boxes:
1. Configure the following audit events
2. Success
3. Failure
Clicked OK
Then in the computer's Local Security Policy, I made the following change:
Security Settings --> Local Policies --> Security Options --> Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings.
Changed to 'Enabled'.
(I don't remember why I did this - I swore I saw somewhere that you had to do this too).
So even after all of that, I tried using a fake account/password to log in to that workstation via Remote Desktop, but still no events about any unsuccessful logon attempts.
Am I missing something else here?
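As an added example (not part of the original post): a PowerShell check of the effective Audit Logon setting and of the Security log, which is where Audit Logon events are written, for failed logons (event ID 4625). The 24-hour window and the English subcategory name are assumptions.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the workstation that accepts the Remote Desktop connections.

# 1. Show the effective setting for the "Logon" subcategory, which is what the
#    "Audit Logon" policy configures. Expect "Success and Failure".
#    (The subcategory name is localized; "Logon" assumes an English system.)
auditpol.exe /get /subcategory:"Logon"

# 2. Audit Logon events go to the Security log; failed logons are event 4625.
#    Assumption: a 24-hour look-back window.
$since  = (Get-Date).AddHours(-24)
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = $since }

$failed = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the named EventData fields into a lookup table.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType   = [int]$data['LogonType']
            SourceIp    = $data['IpAddress']
            Workstation = $data['WorkstationName']
            Status      = $data['Status']
            SubStatus   = $data['SubStatus']
        }
    }

# 3. Remote Desktop attempts show up as logon type 10 (RemoteInteractive) or,
#    typically with Network Level Authentication, type 3 (Network). Type 3 also
#    covers other network logons such as file share access, so it is a superset.
$rdp = $failed | Where-Object { $_.LogonType -in 3, 10 }

if (-not $rdp) {
    Write-Warning 'No 4625 events with logon type 3 or 10 in the window. Re-check step 1 and the Security log size and retention.'
} else {
    $rdp | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
    # Summarize by source address and target account to spot repeated failures.
    $rdp | Group-Object SourceIp, User | Sort-Object Count -Descending |
        Select-Object Count, Name
}
```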