Background Image

Documentation

First Time Setup

Setup Audit Logging

This must be done manually in order for LF Intrusion Detection to detect when failed RDP attempts are made.

In this example we use Windows Server 2012 R2

1. Launch Local Security Policy

Go to the Start Menu and type 'Local Security Policy' and launch the Local Security Policy

Or, you may launch it by the Run command of "secpol.msc"

Launch Local Security Policy Screenshot

2. Navigate to Audit Policy

Navigate on the left panel of the local security policy to the Audit Policy section.

Security Settings > Local Policies > Audit Policy Screen shot of Local Security Policy Navigation window

3. Enable on Failure Audit

Now open the policy for "Audit logon events"

Enable/Tick the option for "Failure" and click OK

Now open the policy for "Audit account logon events"

Enable/Tick the option for "Failure" and click OK

Screen shot of the polices to change

4. Done

The software should be detecting all RDP login failures now, though a reboot may be required.