02-28-2018 05:12 AM
Hi all,
we've noticed our admin accounts have been locked several times today due to consecutive failed login attempts to our VMs.
Most likely, these would have gone through the PA firewall.
I wonder what would be the way to filter the huge log, other than by destination address?
Would the app id be ms-rdp? Or something newer for Windows 2012 Server and Windows 2016 Server?
Thanks,
Alex
02-28-2018 07:10 AM
Hello,
There are many ways to connect to a server. MS-RDP is one if they are trying to remote in; if it's just an MMC connection, then maybe something like ms-ds-smb, ms-netlogon, active-directory, kerberos, etc.
I would say filter your unified logs with the source and destination IPs and see what apps are being used. Usually weird lockouts are caused by phones or tablets, not sure if you allow those accounts via those devices. Other things I have seen cause this are mapped drives after password changes, scheduled tasks, etc.
Good luck!
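The triage the reply describes, as an added example that is not part of the thread: take a traffic log export for the locked-out host, see which App-IDs and source addresses reach it, and flag sources that open repeated sessions of the same app in a short window (the pattern a lockout-causing client produces). The log rows are constructed; the column names (receive_time, src, dst, app, dport, action) follow the PAN-OS traffic log export naming, and the filter string follows the Monitor > Logs > Traffic filter syntax. The thresholds and helper names are this example's own choices.

```python
"""Triage a PAN-OS traffic log export for a host whose admin accounts keep
locking out. Added example; the sample rows below are constructed."""
import csv
from collections import Counter, defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample in the shape of a PAN-OS traffic log CSV export,
# trimmed to a few columns. Field names follow the export; IPs and times
# are made up. 10.0.0.5 is the locked-out server.
SAMPLE_LOG = """receive_time,src,dst,app,dport,action,session_end_reason
2018/02/28 04:55:01,203.0.113.7,10.0.0.5,ms-rdp,3389,allow,tcp-rst-from-server
2018/02/28 04:55:04,203.0.113.7,10.0.0.5,ms-rdp,3389,allow,tcp-rst-from-server
2018/02/28 04:55:08,203.0.113.7,10.0.0.5,ms-rdp,3389,allow,tcp-rst-from-server
2018/02/28 04:56:10,203.0.113.7,10.0.0.5,ms-rdp,3389,allow,tcp-rst-from-server
2018/02/28 04:57:30,10.0.1.20,10.0.0.5,ms-ds-smb,445,allow,tcp-fin
2018/02/28 04:58:02,10.0.1.42,10.0.0.5,ms-rdp,3389,allow,tcp-fin
2018/02/28 04:58:40,198.51.100.9,10.0.0.5,ssl,443,allow,tcp-fin
2018/02/28 04:59:00,203.0.113.7,10.0.0.9,ms-rdp,3389,deny,policy-deny
"""


def parse_traffic_log(text):
    """Parse a CSV export into a list of dict rows, one per session."""
    return list(csv.DictReader(StringIO(text)))


def filter_records(records, dst=None, src=None, app=None):
    """Keep rows matching every field given, like the log viewer filter."""
    wanted = {"dst": dst, "src": src, "app": app}
    return [r for r in records
            if all(v is None or r[k] == v for k, v in wanted.items())]


def apps_by_source(records, dst):
    """For one destination: which App-IDs were seen, and from which sources."""
    out = defaultdict(Counter)
    for r in filter_records(records, dst=dst):
        out[r["app"]][r["src"]] += 1
    return {app: dict(c) for app, c in out.items()}


def repeat_offenders(records, dst, min_hits=3, window_seconds=300):
    """Sources opening >= min_hits sessions of the same app to dst inside a
    sliding window. A burst of short sessions is what a client retrying a
    stale password (mapped drive, scheduled task, phone) looks like."""
    times = defaultdict(list)
    for r in filter_records(records, dst=dst):
        t = datetime.strptime(r["receive_time"], "%Y/%m/%d %H:%M:%S")
        times[(r["src"], r["app"])].append(t)
    hits = []
    for (src, app), ts in times.items():
        ts.sort()
        for i in range(len(ts) - min_hits + 1):
            if (ts[i + min_hits - 1] - ts[i]).total_seconds() <= window_seconds:
                hits.append((src, app, len(ts)))
                break
    return sorted(hits, key=lambda h: -h[2])


def panos_log_filter(dst, app=None, src=None):
    """Build the equivalent filter string for Monitor > Logs > Traffic,
    so the finding can be pasted back into the firewall UI."""
    terms = [f"( addr.dst in {dst} )"]
    if src:
        terms.append(f"( addr.src in {src} )")
    if app:
        terms.append(f"( app eq {app} )")
    return " and ".join(terms)


if __name__ == "__main__":
    recs = parse_traffic_log(SAMPLE_LOG)
    for app, srcs in apps_by_source(recs, "10.0.0.5").items():
        print(app, srcs)
    for src, app, n in repeat_offenders(recs, "10.0.0.5"):
        print(f"{src} -> {app}: {n} sessions; "
              f"filter: {panos_log_filter('10.0.0.5', app, src)}")
```

On the constructed data, 203.0.113.7 stands out with four ms-rdp sessions to the server in about a minute, each ended by a reset from the server, while the legitimate RDP and SMB sessions end with a normal FIN. The same approach works on a real export by swapping SAMPLE_LOG for the file contents; the session_end_reason column is a useful extra signal because a failed logon usually does not produce a clean session close.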
03-21-2018 04:07 PM
Hi Otakar,
thanks for the advice,
we took it and it did narrow down our results to something we could analyse more easily...
03-22-2018 08:38 AM
Hello,
Here are the apps I use for my RDP policies:
Hope that helps.