monitor attempted / failed logins to W2k3 SBS

  • monitor attempted / failed logins to W2k3 SBS

    Is there a way to track attempted logins to a W2k3 SBS server? Someone recently compromised our server and has encrypted some information (presumably his records or files) with EFS.

    We have since restored a clean backup and reset all the admin passwords. However, I'm not sure that he knows that we have taken back the server. As I understand it, the easiest way to decrypt files that are stored in EFS is to have the original password used by the account that encrypted the files.

    For this reason, I'd like to record attempted or failed logins to the server. I assume that this guy will try and log in again, and if I can record his password when he tries to log in, I should be able to use that password to decrypt the files he left on our server.

    On a regular XP box, I would lean towards using a keylogger or something similar, but they tend to be picked up by AV software, and I'd be wary of disabling AV on the server. Any suggestions? Is there a way to do this "out of the box"? Or am I best off just getting a keylogger? If so -- can you recommend one?