Re: IP Logging in the Security Event log
From: Eric Fitzgerald [MS] (ericf@online.microsoft.com)
Date: 11/04/02
From: "Eric Fitzgerald [MS]" <ericf@online.microsoft.com> Date: Mon, 4 Nov 2002 13:11:19 -0800
The auditing system was designed ~1990-1991, and IP addresses were not even
on the radar screen at that time.
There was some customer demand for this even in the Win2k time frame but for
various reasons we could not and did not attempt to make that change for
Windows 2000.
We added IP address to logon audits in Windows .NET Server, and we're going
to attempt to back-port this to Service Pack 5 for Windows 2000 (not SP4).
Eric
Program Manager, Windows Auditing and Intrusion Detection
"Robert Minneman" <robertminneman@earthlink.net> wrote in message
news:5c7001c28426$4174ea00$36ef2ecf@tkmsftngxa12...
> Ok someone explain to me WHY Windows 2000 does not log the
> IP for a failed login attempt?
>
> Is there any way to enable this?
>
> It seems extremely stupid to me to log the machine name,
> but not the IP.
>
> For example:
>
> Event ID: 681
>
> The logon to account: administrator
> by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> from workstation: FAMILY-COMPUTER
> failed. The error code was: 3221225578
>
> Now, I know that on my network there is no workstation
> named "FAMILY-COMPUTER", so this is coming from the
> outside.
>
> This particular machine is in my DMZ and I'm trying to
> limit what's installed on it. So far it doesn't appear
> that I've been hacked yet, but pretty regularly the script
> kiddies are making their attempts to get into it.
>
> I'd like to have the IP so that I can set up a little
> program that scans the log, performs a WHOIS, then sends
> an email to the ISP admin that the attempted hacker is
> using to have the hacker removed from the net.
>
> Again, it seems pretty basic to log the IP instead of the
> machine name, as the machine name is going to be useless
> information
> 99.9999999999999999999999999999999999999999999% of the
> time.
>
> It's Microsoft's penchant for making their OS "out of the
> box stupid" that has kept the "we hate Microsoft" crowd so
> full of ammo as to WHY everyone should hate Microsoft.
>
> Bah, I guess I'm just frustrated, I really don't want to
> have to have yet ANOTHER log to monitor on this box.
>
> Robert Minneman
> robertminneman@earthlink.net
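The Event ID 681 text quoted above gives the failure reason only as a decimal NTSTATUS value and the source only as a workstation name. As an added example (not part of the original thread), this Python code parses that description format, decodes the error code, and tallies failures per workstation and account. The first sample record uses the values quoted in the post; the other records and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Common logon-failure NTSTATUS values (as defined in ntstatus.h).
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000070: "STATUS_INVALID_WORKSTATION",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Matches the Event 681 description layout shown in the quoted post.
EVENT_681 = re.compile(
    r"The logon to account:\s*(?P<account>.+?)\s+"
    r"by:\s*(?P<package>\S+)\s+"
    r"from workstation:\s*(?P<workstation>.*?)\s+"
    r"failed\.\s*The error code was:\s*(?P<code>\d+)",
    re.IGNORECASE | re.DOTALL)

def parse_681(description):
    """Return the fields of one Event 681 description, or None if it does not match."""
    m = EVENT_681.search(description)
    if m is None:
        return None
    code = int(m.group("code"))
    return {
        "account": m.group("account"),
        "package": m.group("package"),
        # The workstation name is supplied by the client and may be empty.
        "workstation": m.group("workstation") or "(blank)",
        "status_hex": f"0x{code:08X}",
        "status": NTSTATUS.get(code, "UNKNOWN"),
    }

def failures_by_source(descriptions):
    """Count failures per (workstation, account, status), skipping unparsable text."""
    parsed = (parse_681(d) for d in descriptions)
    return Counter((p["workstation"], p["account"], p["status"]) for p in parsed if p)

_FMT = ("The logon to account: {}\nby: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
        "from workstation: {}\nfailed. The error code was: {}")
SAMPLE = [
    _FMT.format("administrator", "FAMILY-COMPUTER", 3221225578),  # values from the post
    _FMT.format("administrator", "FAMILY-COMPUTER", 3221225578),  # constructed repeat
    _FMT.format("guest", "", 3221225572),  # constructed: blank workstation name
]
```

The error code in the quoted event, 3221225578, is 0xC000006A (STATUS_WRONG_PASSWORD), meaning the account name was valid and the password was wrong.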