4.8 FailedLogon

Use this Knowledge Script to monitor the number of failed non-interactive logon attempts to the server since the last interval. The result is always zero for the first interval so that the script can establish a baseline for subsequent checks.

For example, if you run this script on a computer and then unsuccessfully attempt to log on to that computer using the net use command, the script raises an event. The script does not raise an event for a failed interactive logon attempt, even a failed interactive logon attempt from a remote desktop.

Use this script to determine whether password-guessing programs are being used on the server. If you use this script to monitor events, the script raises an event for each failed logon attempt. If you choose to collect data, the script reports the total number of logon failures.

4.8.1 Resource Objects

Windows 2003 Server or later

4.8.2 Default Schedule

The default schedule for this script is Every hour.

4.8.3 Setting Parameter Values

Set the following parameters as needed:

| Description | How to Set It |
| --- | --- |
| Raise event? | Set to y to raise an event if the number of failed logon attempts exceeds the threshold. The default is y. |
| Collect data? | Set to y to collect data for charts and reports. If enabled, data collection returns the total number of logon failures. The default is n. |
| Failed logon threshold | Specify the maximum number of failed logon attempts allowed before an event is raised. The default is 0. If you are seeing too many insignificant events from users entering passwords incorrectly, determine a “typical” logon failure pattern (for example 5 per 24 hours) and set this parameter accordingly. |
| Event severity level | Set the event severity level, from 1 to 40, to indicate the importance of an event in which the number of failed logon attempts exceeds the threshold. The default is 5 (red event indicator). |
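
The sketch below models the interval behavior described in this section: the first run only establishes a baseline, and later runs compare the failures since the last interval against the threshold. It is an added example, not the Knowledge Script's own code. It assumes the script reads a cumulative failure count, and it assumes that a reading lower than the baseline means the counter restarted. The class, field and function names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class FailedLogonMonitor:
    """Hypothetical model of the interval logic; not the Knowledge Script itself."""
    threshold: int = 0           # "Failed logon threshold" (default 0)
    severity: int = 5            # "Event severity level" (default 5)
    raise_event: bool = True     # "Raise event?" (default y)
    collect_data: bool = False   # "Collect data?" (default n)
    baseline: Optional[int] = None
    events: List[Tuple[int, int]] = field(default_factory=list)
    data: List[int] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 1 <= self.severity <= 40:
            raise ValueError("severity must be between 1 and 40")

    def check(self, cumulative_failures: int) -> int:
        """Process one interval; return failed logons since the last interval."""
        if self.baseline is None:
            delta = 0                        # first interval only sets the baseline
        elif cumulative_failures < self.baseline:
            delta = cumulative_failures      # assumption: counter restarted from zero
        else:
            delta = cumulative_failures - self.baseline
        self.baseline = cumulative_failures
        if self.collect_data:
            self.data.append(delta)
        if self.raise_event and delta > self.threshold:
            self.events.append((self.severity, delta))
        return delta


def replay(readings: List[int], **params) -> FailedLogonMonitor:
    """Feed a series of cumulative readings through a fresh monitor."""
    monitor = FailedLogonMonitor(**params)
    for reading in readings:
        monitor.check(reading)
    return monitor


# Constructed sample: one reading per interval; the drop to 3 models a restart.
SAMPLE_READINGS = [120, 120, 127, 3, 3]

if __name__ == "__main__":
    tuned = replay(SAMPLE_READINGS, threshold=5, collect_data=True)
    print("per-interval failures:", tuned.data)
    print("events (severity, count):", tuned.events)
```

With the default threshold of 0, the same readings raise an event in every interval that has at least one failure, which is the noise the threshold guidance above is meant to reduce.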