Event Logging IPAddress does not always resolve

Question

I am hooking the Security event log with System.Diagnostics.Eventing.Reader.EventLogWatcher class, and I am watching Event ID 4625 on a 2008 server box, for incoming failed logi

Answer 1

I finally got this working. This was happening because there were two authentication methods being used for RDP connections: NTLM and User32. I changed GPO settings to kill the foreign NTLM connections.

These are the GPO settings I set that did the magic. Please note that this is a Server 2008 R2 box.

Required
Computer Configuration\Windows Settings\Security Settings\Security Options

Network security: LAN Manager authentication level -- Send NTLMv2 response only. Refuse LM & NTLM
Network security: Restrict NTLM: Audit Incoming NTLM Traffic -- Enable auditing for all accounts
Network security: Restrict NTLM: Incoming NTLM traffic -- Deny all accounts

Recommended
Do not allow for passwords to be saved -- Enabled
Prompt for credentials on the client computer -- Enabled

I changed some other security-related keys, too, but these should be the core ones. Forcing incoming network traffic away from using NTLM allows every single 4625 event to contain the IP Address of the failed computer, as they are force to use User32 logon.

Let me know if this seems totally insecure or there might be a better way to do this, but this allows proper counting and logged of failed attempts while retaining a level of encryption for the connection.