Wednesday, 25 February 2009

SBS 2008 – Get An E-mail On Failed Logon

One of the new features we inherit via Windows Server 2008 is the newly revamped Event Logs. We now have the ability to monitor pretty much anything happening on the server.

For those of us that manage SBS 2003 networks, we only knew when something was happening with a user account when we would receive an e-mail indicating that a user account had been locked out. No indication was given as to which account and when! We needed to filter through the Security log or the user would be calling for a reset of their account.

Now, we can actually have an e-mail happen from the SBS server that tells us that a failed logon attempt has happened, each time an attempt has made and in “real time” (depending on Outlook’s Send/Receive settings).

09-02-25 SBS 2008 - Failed Logon Attempt E-Mail

SBS 2008 E-Mail – Failed Logon Attempt

If there are hundreds of these e-mails filling the Server Monitoring folder for that client’s server, then obviously there is a priority problem that needs to be addressed right away!

The e-mail may be not too clear on the who or what, but we don’t have far to go to find those particulars out.

Log onto the SBS server and have a look at our Custom View in the Event logs and here is what we find:

09-02-25 SBS 2008 - Failed Logon Attempt - RWW

Event 4625: An account failed to log on - RWW.

And:

09-02-25 SBS 2008 - Failed Logon Attempt - Server

Event 4625: An account failed to log on – Server.

We get a lot more information on where the attempt was made from and to what service.

One of the benefits that comes with being made aware of failed logon attempts is getting to know when our client’s password refreshes are happening along with which users tend to miss their logons after that refresh.

The XML code for the above Custom View can be found on CodePlex: SBS Code Plex: Custom Filter for Failed Logon @ Server.

On the SBS 2008 server, install the above code into the Event Viewer from within the SBS Native Tools Management console:

  1. Right click on the Event Viewer and click on Create Custom View.
  2. Click on the XML tab.
  3. Click the Edit query manually radio button.
  4. Answer Yes to the warning.
  5. Copy the XML code out of the downloaded file.
  6. CTRL+V to paste it into the XML editor for the Create Custom View window.
  7. Click OK.
  8. Name the filter: SBS Failed Logons.
  9. You can choose a folder or create one to store your Custom Views.
  10. Click OK.
  11. Right click on the new filter and "Attach Task To This Custom View..." to have the event generate an e-mail.

Note that the XML code has been customized for the Event Viewer to pick up on both failed logon attempts via a server service and at the server console if the console was either free or locked. Thus, the code will not work for firing an event in the SBS Console under Other Alerts.

To get Event 4625 events to register in the SBS Console under Other Alerts, get the code SBS Code Plex: Alert for Logon Failure, and install it.

Just in case:

  1. Copy the LogonFailureAlert.XML file into the %programfiles%\Windows Small Business Server\Data\Monitoring\ExternalAlerts folder.
  2. Restart the Windows SBS Manager service in the SBS Native Tools Management console.
  3. Attempt a logon with bad credentials.
  4. SBS Manager cycles every 30 minutes, so the alert will show up at some point over the next 30 minutes. A force Refresh may make it show up.

We now have two ways to find out what is happening with logon attempts on the server. A quick visual glance via the SBS Console as well as via e-mail and the server’s Event logs.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts will not be written on a Mac until we replace our now missing iMac!

Windows Live Writer

2 comments:

  1. Once you see the alert how do you clear the critical status from the "Other Alerts" section?

    ReplyDelete
  2. Please, ignore my previous post. I just had to wait for a while longer and the critical status cleared.
    Cheers!

    ReplyDelete

NOTE: All comments are moderated.