Windows Server 2003: w2k3: Event ID:1012: Failed logon attempts IP address
Regarding Event ID 1012: "Remote session from client name a exceeded the maximum allowed failed logon attempts. The session was forcibly terminated." Is there a way to configure Windows 2003 Standard to include the offending IP address in the System Event Log when events like the above are raised (as is done by Windows 2008)?
August 24th, 2011 9:21pm

Hi, As far as I know, there is no way to change and display the IP address in Event Viewer. Regards, Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
August 26th, 2011 5:35pm

Thanks Arthur but sadly not the answer I was looking for. Put another way: what can be done on a standalone server running Windows 2003 Server Standard to guard against unauthorized intrusion over Remote Desktop. Presumably something can be done at the firewall level to ignore offending IP addresses, once the addresses are known.
August 30th, 2011 6:17pm

Hi,

You may try running Network Monitor to trace and find out the IP address of the computer. For more information, please refer to the following Microsoft articles:

How to capture network traffic with Network Monitor
http://support.microsoft.com/kb/148942

Analyzing Network Data with Network Monitor
http://technet.microsoft.com/en-us/library/cc723623.aspx

In addition, you may also consider using Threat Management Gateway (TMG) to block the attacks. For more information regarding TMG, please refer to the following link:
http://www.microsoft.com/en-us/server-cloud/forefront/threat-management-gateway.aspx

Regards,
September 2nd, 2011 12:11pm

Thanks Arthur, but I am not in a position to apply any of your suggested solutions – even if I fully understood them. I was hoping for a simpler solution within the scope of Windows 2003 Standard Server. Notice it is possible to audit login failures in Windows 2003 via Local Policies: http://technet.microsoft.com/en-us/library/cc787567(WS.10).aspx. This records the offending IP address under Event ID: 529 (TerminalServices-Gateway) for all invalid password logon attempts via Remote Desktop or HTTP. But testing shows it does not record Event ID: 1012 (RemoteApp-and-Desktop-Connections). So in this context knowing the difference between TerminalServices-Gateway and RemoteApp-and-Desktop-Connections may point the way to a solution.
September 6th, 2011 6:50pm

I agree it's a bit ridiculous. It's like a burglar trying your door handle, and the security guard doesn't even attempt to identify the burglar. "Hey, someone trying to beat down the door, guess I'm glad the door is holding!" Microsoft always seems to be decades behind on certain must-have facilities when it comes to the Internet.
September 29th, 2011 5:19am

Dude, just go to the security section of the event viewer. It will show the IP. Peace
October 9th, 2011 3:46pm

Thanks to eUK-Martin at eUKhost who has devised a quasi-firewall solution (QaaSWall) along these lines:

(a) Detects IP addresses by monitoring the output of the 'netstat -an' command
(b) Blocks offending IP addresses using IPSec facilities

You can download QaaSWall and its source scripts from: http://sourceforge.net/projects/qaaswall-window/files/v1.0.3_Source_x86.zip

QaaSWall copes if an attacker continually tries to connect to the same port on the server; but, whether it manages when a short delay is inserted between each connection attempt is open to question. QaaSWall operates behind standard Windows Firewall which can be left ON.

Note to BlazinAngel: thanks dude, but please read the question – the youth of today, sigh…
October 14th, 2011 9:47am

Hello, did anyone out there figure this one out? I am getting the same error on two of my servers. On the first I changed the RDP listening port and the error stopped showing up. Now it is showing on my other server. Any advice will be appreciated.
January 12th, 2012 9:20am

Open event viewer (Windows 2008 Server) and go to "Security" and look for "Audit Failure" with a little closed lock next to it with a "Task Category" named "Logon". In the General tab scroll down and you will see something like this:

Network Information:
    Workstation Name:
    Source Network Address:
    Source Port:

That is the PC/Server trying to connect and login to the machine using RDP.

Easy way to fix this is to limit the IP address that can connect to your RDP port. You can use Windows Firewall to accomplish this! Simply set the Inbound Scope for the RDP 3389 to your IP address(es) or IP Range that you use to connect to the server. Be careful if you have a dynamic IP address that changes often. You may just block yourself!
January 12th, 2012 9:31pm

Hey guys, you can set up an audit policy on your server as shown below and it will tell you the IP address and user name being used to access your server in the security log.
February 24th, 2012 9:46am
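
Added example, not part of the thread or any poster's script: once failure auditing is enabled as the posts above describe, a short Python script can tally Event ID 529 records per "Source Network Address" and list the addresses that are candidates for a firewall or IPSec block. The export layout, the sample records, the threshold and the trusted range are assumptions made for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed export layout: "Label: value" lines, blank line between events.
def _record(user, addr, port):
    return (f"Event ID: 529\nUser Name: {user}\n"
            f"Source Network Address: {addr}\nSource Port: {port}\n")

# Constructed sample data (documentation address ranges), not from a real log.
SAMPLE_EXPORT = "\n".join(_record(*r) for r in [
    ("administrator", "203.0.113.45", 51122),
    ("admin", "203.0.113.45", 51140),
    ("Administrator", "203.0.113.45", 51163),
    ("backup", "198.51.100.7", 40211),   # single failure, below threshold
    ("alice", "192.0.2.10", 50001),      # administrator's own range, trusted below
    ("alice", "192.0.2.10", 50002),
    ("alice", "192.0.2.10", 50003),
    ("svc", "-", "-"),                   # local failure: no network address
])

def parse_events(text):
    """Return one dict of fields per blank-line-separated event record."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events

def repeat_offenders(events, threshold=3, trusted=("192.0.2.0/24",)):
    """Map each untrusted source address with >= threshold failures to its details."""
    nets = [ip_network(n) for n in trusted]
    counts, users = Counter(), {}
    for ev in events:
        try:
            addr = ip_address(ev.get("Source Network Address", ""))
        except ValueError:
            continue  # "-" or missing: nothing to attribute the failure to
        if ev.get("Event ID") != "529" or any(addr in net for net in nets):
            continue  # other event types, or the addresses you administer from
        counts[str(addr)] += 1
        users.setdefault(str(addr), set()).add(ev.get("User Name", "?").lower())
    return {ip: {"failures": n, "users": sorted(users[ip])}
            for ip, n in counts.items() if n >= threshold}
```

Calling `repeat_offenders(parse_events(SAMPLE_EXPORT))` reports only 203.0.113.45; the trusted range keeps the administrator's own mistyped passwords off the list, which is the lock-yourself-out case the firewall-scope post warns about.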

This topic is archived. No further replies will be accepted.
