Event Logging IPAddress does not always resolve

Front-end · unresolved · 2 answers · 597 views
Asked by 悲&欢浪女, 2021-02-10 07:52

I am hooking the Security event log with System.Diagnostics.Eventing.Reader.EventLogWatcher class, and I am watching Event ID 4625 on a 2008 server box, for incoming failed logi

2 answers
  • 2021-02-10 08:25

    Asteroid's answer works, but you MUST enable "Allow connections from computers running any version of Remote Desktop (less secure)" instead of "Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)".

    NLA does not use User32, but uses NtLmSsp which relies on LM responses. If that's blocked (as the instructions above will do), you'll end up with ye olde "The Local Security Authority cannot be contacted."

  • 2021-02-10 08:27

    I finally got this working. This was happening because there were two authentication methods being used for RDP connections: NTLM and User32. I changed GPO settings to kill the foreign NTLM connections.

    These are the GPO settings I set that did the magic. Please note that this is a Server 2008 R2 box.

    Required
    Computer Configuration\Windows Settings\Security Settings\Security Options

    Network security: LAN Manager authentication level -- Send NTLMv2 response only. Refuse LM & NTLM
    Network security: Restrict NTLM: Audit Incoming NTLM Traffic -- Enable auditing for all accounts
    Network security: Restrict NTLM: Incoming NTLM traffic -- Deny all accounts

    Recommended
    Do not allow for passwords to be saved -- Enabled
    Prompt for credentials on the client computer -- Enabled

    I changed some other security-related keys, too, but these should be the core ones. Forcing incoming network traffic away from using NTLM allows every single 4625 event to contain the IP address of the failed computer, as they are forced to use User32 logon.

    Let me know if this seems totally insecure or there might be a better way to do this, but this allows proper counting and logging of failed attempts while retaining a level of encryption for the connection.

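To see for yourself which 4625 events are missing a source address and which logon process produced them, and to confirm that the policy settings listed in the second answer (plus the NLA switch the first answer mentions) actually took effect, here is an added PowerShell example. It is not part of the question or either answer. It assumes PowerShell 3.0 or later running elevated on the server being audited; the `Get-FailedLogons` function name, the 7-day window and the 500-event cap are arbitrary choices of mine, and the registry value names and meanings are the ones Microsoft documents for those policies (LmCompatibilityLevel 5 = "Send NTLMv2 response only. Refuse LM & NTLM"; RestrictReceivingNTLMTraffic 2 = "Deny all accounts"; AuditReceivingNTLMTraffic 2 = "Enable auditing for all accounts"; UserAuthentication 0 = NLA not required).

```powershell
# Added example, not code from the original page. Run elevated on the server.
# Requires PowerShell 3.0+ ([pscustomobject] and -FilterHashtable).
$Days      = 7     # arbitrary lookback window
$MaxEvents = 500   # arbitrary cap so the query returns quickly

# Pull the EventData fields out of each 4625 event via its XML rather than the
# Message text, because the text is locale-dependent and property order is fragile.
function Get-FailedLogons {
    param([int]$MaxEvents, [int]$Days)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $d['TargetUserName']
                LogonType   = $d['LogonType']
                AuthPackage = $d['AuthenticationPackageName']   # e.g. 'NTLM' or 'Negotiate'
                LogonProc   = $d['LogonProcessName']            # e.g. 'NtLmSsp' vs 'User32'
                IpAddress   = $d['IpAddress']                   # '-' when no source address was recorded
                Status      = $d['Status']
            }
        }
}

$events = Get-FailedLogons -MaxEvents $MaxEvents -Days $Days

# Which logon process / auth package pair is responsible for the address-less events?
$events | Group-Object LogonProc, AuthPackage | ForEach-Object {
    $missing = @($_.Group | Where-Object {
        $_.IpAddress -eq '-' -or [string]::IsNullOrEmpty($_.IpAddress)
    }).Count
    [pscustomobject]@{
        'LogonProc, AuthPackage' = $_.Name
        Total                    = $_.Count
        MissingIp                = $missing
    }
} | Format-Table -AutoSize

# Registry values written by the policies named in the answers. A missing value
# means "not configured", i.e. the OS default applies.
$checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'LmCompatibilityLevel'; Want = 5
       Policy = 'LAN Manager authentication level (5 = NTLMv2 only, refuse LM & NTLM)' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Name = 'RestrictReceivingNTLMTraffic'; Want = 2
       Policy = 'Restrict NTLM: Incoming NTLM traffic (2 = Deny all accounts)' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Name = 'AuditReceivingNTLMTraffic'; Want = 2
       Policy = 'Restrict NTLM: Audit Incoming NTLM Traffic (2 = all accounts)' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
       Name = 'UserAuthentication'; Want = 0
       Policy = 'RDP NLA (0 = any client, per the first answer; 1 = NLA required)' }
)

foreach ($c in $checks) {
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    $shown = 'not configured'
    if ($null -ne $actual) { $shown = $actual }
    [pscustomobject]@{
        Policy   = $c.Policy
        Actual   = $shown
        Expected = $c.Want
        Matches  = ($actual -eq $c.Want)
    }
} | Format-Table -AutoSize -Wrap
```

Run it once before and once after applying the GPO settings (and after `gpupdate /force`): the first table should show the MissingIp count collapse to zero once the address-less NtLmSsp/NTLM group disappears, and the second table confirms the policies landed in the registry rather than just in the GPO editor.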