Help: can Windows 2000 Server lbe configured to og IP address in the event log?

[Bill]

Windows server experts:

I know that Windows 2003 Server will log the IP of a user trying to logon with
a phony username or bad password. But, 2000 Server does not. Is there any way
to get 2000 to do this?

II am trying to identify a hacked that repeatedly tries to logon.

TIA
Bill

 

[Steven L Umbach]

As far as I know there is no way to do this. What you may want to try is to
use a personal firewall that has good logging - something like Sygate [if
you still can find it]. You could even configure the firewall to not do any
filtering but just do the logging. I the attempts are coming from outside
your network check your firewall logs and correlate firewall log entries
with the timestamps of the logon failures and of course have the firewall
and computer to be in synch time wise to make it easier.

Steve

http://www.tucows.com/preview/213160

 

[Bill]

Thanks for the response. I'm curious why a little chuck of code (to add the
connecting IP to the log) wasn't passed along in Windows 2000 Server update by
Microsoft.

As far as I know there is no way to do this. What you may want to try is to
use a personal firewall that has good logging - something like Sygate [if
you still can find it]. You could even configure the firewall to not do any
filtering but just do the logging. I the attempts are coming from outside
your network check your firewall logs and correlate firewall log entries
with the timestamps of the logon failures and of course have the firewall
and computer to be in synch time wise to make it easier.

Steve

http://www.tucows.com/preview/213160

Windows server experts:

I know that Windows 2003 Server will log the IP of a user trying to logon
with
a phony username or bad password. But, 2000 Server does not. Is there any
way
to get 2000 to do this?

II am trying to identify a hacked that repeatedly tries to logon.

TIA
Bill

 

[Ozone]

One thing you can do is use PortReporter to see all of the activity
that occurs on your NIC. The log formats are somewhat hard to read,
but there is a PR Parser tool that provides a GUI to viewing the
data. This is by far the best way to get IP addresses...

HTH
Ozone

Thanks for the response. I'm curious why a little chuck of code (to add the
connecting IP to the log) wasn't passed along in Windows 2000 Server update by
Microsoft.

As far as I know there is no way to do this. What you may want to try is to
use a personal firewall that has good logging - something like Sygate [if
you still can find it]. You could even configure the firewall to not do any
filtering but just do the logging. I the attempts are coming from outside
your network check your firewall logs and correlate firewall log entries
with the timestamps of the logon failures and of course have the firewall
and computer to be in synch time wise to make it easier.

Steve

http://www.tucows.com/preview/213160

Windows server experts:
I know that Windows 2003 Server will log the IP of a user trying to logon
with
a phony username or bad password. But, 2000 Server does not. Is there any
way
to get 2000 to do this?
II am trying to identify a hacked that repeatedly tries to logon.
TIA
Bill

 

[Bill]

Excellent! I will try that tomorrow. Thanks.

One thing you can do is use PortReporter to see all of the activity
that occurs on your NIC. The log formats are somewhat hard to read,
but there is a PR Parser tool that provides a GUI to viewing the
data. This is by far the best way to get IP addresses...

HTH
Ozone

Thanks for the response. I'm curious why a little chuck of code (to add the
connecting IP to the log) wasn't passed along in Windows 2000 Server update by
Microsoft.

As far as I know there is no way to do this. What you may want to try is to
use a personal firewall that has good logging - something like Sygate [if
you still can find it]. You could even configure the firewall to not do any
filtering but just do the logging. I the attempts are coming from outside
your network check your firewall logs and correlate firewall log entries
with the timestamps of the logon failures and of course have the firewall
and computer to be in synch time wise to make it easier.

Steve

http://www.tucows.com/preview/213160

news:[email protected]...

Windows server experts:

I know that Windows 2003 Server will log the IP of a user trying to logon
with
a phony username or bad password. But, 2000 Server does not. Is there any
way
to get 2000 to do this?

II am trying to identify a hacked that repeatedly tries to logon.

TIA
Bill