Hello,

I have recently been given the responsibility of securing our servers (and all computers in general). The prior administrator had little to no documentation on how things were done and what he has done. I want to methodically go thru the servers and see what needs to be done to make them more secure.

My background is primarily in hardware repair and network troubleshooting.

Anyway, I glanced over at a thread that Angelic Knight (sorry about the spelling) had posted and I read thru some of the things he has been going thru. I do know that we have no auditing of any failed login attempts and I would like to set that up and then, of course, see what else I need to do and tackle those things.

About the evil servers: Three Win2k servers that use Terminal Services. We use Active Directory, of which I have some knowledge but not enough to set up auditing properly. I did use Google (the almighty) and found some help, but it does not seem to be auditing failed (or even successful) logins. I have tried to log in both remotely and locally to the server and it is not auditing.

I turned on auditing thru
Active Directory -> right-click on the domain and choose Properties -> Default Domain Policy -> Edit -> Computer Configuration -> Windows -> Security -> Local Policies -> Audit Policy.

I turned on auditing in Audit account logon events to both failed and success.
I turned on auditing in Audit logon events to both failed and success.

I then check Event Viewer after I try to log on with a valid account and bad password and valid account and good password, and no events are posted.

I searched around Google some more and found a reference to the msc on the server called gpedit.msc. When I go in there to the same place I see that there are three columns for each event. The first column is the policy, the 2nd is Local and the 3rd is Effective. Local is set for Failure and Effective is set for No Auditing.

According to what I can find, the Effective is based on the domain group policy. I thought I was in the domain group policy thru the Active Directory, but this is incorrect or it would be working.

Any ideas on where to go from here? Thanks much for any help!

~Halv