Blocking IP of failed login
I have a system whereby strange requests in IIS are logged in a simple SQL database with the IP.
If a number of events occur based on some simple patterns, it creates an IPsec rule to block the IP for a period of time.
This is easy for IIS, as .Net server errors can be trapped and the IP / event dumped into SQL.
I want to add to this Windows events such as failed logons to Remote Desktop, FTP, SQL Server, etc.
I can see logon failures in the Security event log, but not always the IP, and I'm not sure how to access this information efficiently.
Any suggestions?
July 21st, 2011 9:44am
Hello,
I think it will be better to ask here: http://forums.iis.net/
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner 2010 / 2011
Microsoft Certified Professional; Microsoft Certified Systems Administrator: Security; Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration; Windows Server 2008 Network Infrastructure, Configuration; Windows Server 2008 Applications Infrastructure, Configuration; Windows 7, Configuring
Microsoft Certified IT Professional: Enterprise Administrator
July 21st, 2011 9:47am
This is not IIS related. I have solved the issue for IIS; I want to add other Windows events to my logging.
July 21st, 2011 9:52am
Dain, I don't fully understand what you are trying to achieve. With your local and domain policies updated to reflect best practices around security, you can modify them to handle user accounts/password expirations/logon attempts/etc. and see them in the Windows security logs.
Now on the surface, if say I come in Monday after a weekend of BBQ and beer and no morning coffee, I attempt to log on to my machine and munge the password because I can barely tie my shoes... so you want the user to be automatically locked out of the machine via blocking that IP? Or if I am a customer of your website and by your settings you automatically block me from logging in because I fat-finger the password once?
That seems a little overkill; there are settings in the local and domain policies with which you can lower the logon tries to 1 if you wish.
If you want more of a reporting feature on failed logon events, I would look into event log tools or security audit tools.
July 21st, 2011 11:19am
The guy you're describing wouldn't be allowed in the front doors, let alone to a terminal ; )
I want to be able to audit, monitor and report on this, hence the need for SQL Server.
I also have a bit more "intelligence" around it than "you got it wrong 5 times so you are out", although I do have these as well:
Does the username actually exist?
Does that username have rights for the service?
Are you using banned usernames: "Administrator", "Admin", "sysadmin", etc.?
Number of failed attempts, and with how many usernames?
What country are you from?
When did you last successfully log on, and from where?
Are you a trusted or safe IP?
Have you just tweeted a derogatory comment about your employer? (just kidding)
etc.
Based on this, the background process creates a "policy" record in the DB and an IPsec rule. If the policy rule says it is a temporary block, the IPsec rule is undone later automatically; however, some blocks are flagged for attention and others are just outright blocked.
I'm running dedicated and VPS servers in datacentres where I have little or no control over security, etc. other than what comes out of the box with Windows.
August 12th, 2011 7:20am
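An added example, not from any poster in this thread: a PowerShell script that pulls failed-logon events (ID 4625) from the Security log, extracts the source IP and account name from the event XML (which is where the IP the original question is missing lives), and summarises them per IP using rules like the ones the last post lists. It assumes Windows Server 2008 or later and PowerShell 3.0 or later; the time window, threshold and banned-name list are assumed values, and the final Format-Table stands in for the poster's SQL insert.

```powershell
# Added example: harvest failed-logon events (4625) from the Security log and
# summarise them per source IP, as input for a "policy" decision.
# Assumes Windows Server 2008+ and PowerShell 3.0+; thresholds are assumed values.
param(
    [int]$Hours = 1,
    [int]$Threshold = 5,
    [string[]]$BannedNames = @('Administrator', 'Admin', 'sysadmin')
)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Pull the named EventData fields out of each event's XML. Event 4625 carries
# IpAddress, TargetUserName, LogonType and SubStatus (0xC0000064 = no such user).
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    # Skip local/console failures that carry no usable source address.
    if ($d.IpAddress -and $d.IpAddress -ne '-' -and $d.IpAddress -ne '::1') {
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Ip         = $d.IpAddress
            User       = $d.TargetUserName
            LogonType  = $d.LogonType               # 10 = RDP, 3 = network (SQL/FTP/SMB)
            NoSuchUser = ($d.SubStatus -eq '0xC0000064')
        }
    }
}

# Per-IP summary: failure count, distinct usernames, banned-name hits, unknown accounts.
$summary = $rows | Group-Object Ip | ForEach-Object {
    $users = @($_.Group.User | Sort-Object -Unique)
    [pscustomobject]@{
        Ip          = $_.Name
        Failures    = $_.Count
        Usernames   = $users.Count
        BannedHits  = @($users | Where-Object { $BannedNames -contains $_ }).Count
        UnknownUser = @($_.Group | Where-Object NoSuchUser).Count
        LastSeen    = ($_.Group.Time | Measure-Object -Maximum).Maximum
    }
}

# Candidates for a policy record: many failures, many names tried, or banned names used.
$summary |
    Where-Object { $_.Failures -ge $Threshold -or $_.Usernames -ge 3 -or $_.BannedHits -gt 0 } |
    Sort-Object Failures -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt (reading the Security log requires administrator rights), and note that a failed logon to SQL Server using SQL authentication is logged by SQL Server itself (event 18456 in the Application log), not as a Windows 4625.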