How to Check the Log of Failed RDP Login Attempts from a Windows Server

Introduction

Monitoring failed RDP login attempts is crucial for maintaining server security and identifying unauthorized access attempts. Windows Server keeps detailed logs of these events, which you can review using the built-in Event Viewer tool. This guide walks you through locating and interpreting these logs.

Prerequisites

  • Administrator access to the Windows Server
  • Auditing enabled for logon events (enabled by default)
  • Access to the Event Viewer utility

Step-by-Step Guide

Step 1: Open Event Viewer

  1. Press Win + R to open the Run dialog box.
  2. Type eventvwr.msc and press Enter.

Step 2: Navigate to Security Logs

  1. In the left pane, expand Windows Logs and select Security.

Step 3: Filter for Failed RDP Logins

  1. In the right-hand Actions pane, click Filter Current Log.
  2. Enter 4625 in the Event ID field to show failed login attempts.
  3. Click OK.

Step 4: Interpret the Log Details

  1. Double-click an Event ID 4625 entry.
  2. Review these key fields:
    • Account Name: Username used during the attempt
    • Source Network Address: IP address of the remote system
    • Failure Reason: Reason for the failure
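
The filter and field review from Steps 3 and 4 can also be run from an elevated PowerShell session. The script below is an added example, not part of the original guide; the 24-hour window and the variable names are assumptions. Event ID 4625 records every failed logon, so the script keeps only Logon Type 10 and 3, the types RDP normally produces.

```powershell
# Added example: list failed RDP logons (Event ID 4625) from the Security log.
$since = (Get-Date).AddDays(-1)   # assumed look-back window: 24 hours

# 10 = RemoteInteractive (RDP). 3 = Network, logged for RDP when Network Level
# Authentication is used; type 3 also covers other network logons such as
# file shares, so check the source address before drawing conclusions.
$rdpLogonTypes = '3', '10'

# Common sub-status codes recorded in 4625 events
$subStatusText = @{
    '0xc0000064' = 'User name does not exist'
    '0xc000006a' = 'Wrong password'
    '0xc0000234' = 'Account locked out'
    '0xc0000072' = 'Account disabled'
    '0xc0000071' = 'Password expired'
}

# SilentlyContinue suppresses the error Get-WinEvent raises when nothing matches
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $since
} -ErrorAction SilentlyContinue

$failures = foreach ($evt in $events) {
    # Read the named <Data> fields from the event XML rather than the message text
    $data = @{}
    foreach ($node in ([xml]$evt.ToXml()).Event.EventData.Data) {
        $data[$node.Name] = $node.'#text'
    }
    if ($data['LogonType'] -notin $rdpLogonTypes) { continue }

    $code = "$($data['SubStatus'])".ToLower()
    [pscustomobject]@{
        TimeCreated   = $evt.TimeCreated
        AccountName   = $data['TargetUserName']   # "Account Name" in Event Viewer
        SourceAddress = $data['IpAddress']        # "Source Network Address"
        LogonType     = $data['LogonType']
        FailureReason = if ($subStatusText.ContainsKey($code)) { $subStatusText[$code] } else { $code }
    }
}

# Individual attempts, newest first
$failures | Sort-Object TimeCreated -Descending | Format-Table -AutoSize

# Attempts per source address, to spot repeated failures from one host
$failures | Group-Object SourceAddress | Sort-Object Count -Descending |
    Select-Object Count, Name
```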

Conclusion

By following the steps above, you can effectively track and investigate failed RDP login attempts on your Windows Server. Regular monitoring helps enhance security and detect potential unauthorized access.

For further assistance, please contact our support team at support@ipserverone.com.