Wednesday, July 9, 2014

Windows Event Logs – looking for drive-by hacking attempts

Here are a few event IDs to look for:


4625 – classic failed logon attempt

5156 – the Windows Filtering Platform permitted a connection (look at your firewall to see if you’re allowing inbound connections from IP ranges you really don’t need to allow – more on that below)
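A script to pull those two event IDs out of the Security log and summarise them by remote source address, so repeated failed logons and permitted inbound connections from ranges you don't expect stand out. This is an added example, not code from the original post; it assumes it runs elevated on the machine being checked, and the $Hours default and the 5156 direction filter are mine. One caveat the post doesn't mention: 5156 is only written when success auditing for the "Filtering Platform Connection" subcategory is turned on, which it is not by default.

```powershell
# Added example (not from the original post): summarise 4625 and 5156 events
# from the Security log by remote address. Run elevated; $Hours is a constructed
# default. 5156 only appears if "Filtering Platform Connection" success auditing
# is enabled.

param(
    [int]$Hours = 24
)
$since = (Get-Date).AddHours(-$Hours)

# Helper: turn one event's EventData into a hashtable keyed by field name,
# so fields like IpAddress and SourceAddress can be read by name.
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

# 4625: failed logons. IpAddress is the remote end; SubStatus tells you why
# (0xC000006A = bad password, 0xC0000064 = account does not exist).
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        [pscustomobject]@{
            Time      = $_.TimeCreated
            IpAddress = $f['IpAddress']
            Account   = $f['TargetUserName']
            LogonType = $f['LogonType']
            SubStatus = $f['SubStatus']
        }
    }

"=== 4625 failed logons in the last $Hours h, by source address ==="
$failed | Group-Object IpAddress | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize

# 5156: permitted connections. Keep only inbound ones; the Direction field
# holds the resource string %%14592 for inbound and %%14593 for outbound.
$permitted = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        if ($f['Direction'] -eq '%%14592') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Source      = $f['SourceAddress']
                DestPort    = [int]$f['DestPort']
                Application = $f['Application']
            }
        }
    }

"=== 5156 permitted inbound connections, by source address and destination port ==="
$permitted | Group-Object Source, DestPort | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run it as `.\Find-DriveBy.ps1 -Hours 48` (any file name works). A source address with a high 4625 count across many account names is the pattern to look at first; a source address showing up in 5156 on a port you never meant to expose is what the firewall rule review below the post is for.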


A good way to know what your Windows machine’s firewall is allowing inbound is to do this:


Server Manager > Configuration > Windows Firewall with Advanced Security > Inbound Rules > then on the right go Filter by State > Filter by Enabled > then sort everything by the “Remote Address” column


Then, just go down the list and look for Remote Address ranges you really don’t need to allow into your machine. Generally speaking, make everything either “Local subnet” or specific IP addresses/ranges you *know* you need to allow into this machine. If you see “Any”, then that local port should be something like 80, 8080, 443, or something you actively want every computer on the entire intarwebs to be able to access.
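The same review done from PowerShell instead of the Server Manager GUI: list every enabled inbound allow rule with its remote addresses and local ports, sort by remote address as the post suggests, and flag rules that accept “Any” remote address on a port you have not declared as intentionally public. This is an added example and not the post's own procedure; it assumes the NetSecurity module (Windows 8 / Server 2012 or later), and the $PublicPorts list is a constructed placeholder for your own intentionally exposed ports.

```powershell
# Added example (not from the original post): audit enabled inbound allow rules
# and flag those open to "Any" remote address on ports not in $PublicPorts.
# Requires the NetSecurity module (Windows 8 / Server 2012 or later); on older
# systems use the GUI path from the post. $PublicPorts is a constructed list.

$PublicPorts = @('80', '443', '8080')

$rules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow

$report = foreach ($rule in $rules) {
    # Address and port scopes live in separate filter objects tied to the rule.
    $addr = $rule | Get-NetFirewallAddressFilter
    $port = $rule | Get-NetFirewallPortFilter

    $remote     = @($addr.RemoteAddress) -join ','
    $localPorts = @($port.LocalPort)

    # Ports on this rule that are not in our list of deliberately public ones.
    # LocalPort may be 'Any', a number, or a range such as '49152-65535'.
    $unexpected = @($localPorts | Where-Object { $PublicPorts -notcontains $_ })

    [pscustomobject]@{
        Name          = $rule.DisplayName
        Profile       = $rule.Profile
        RemoteAddress = $remote
        Protocol      = $port.Protocol
        LocalPort     = ($localPorts -join ',')
        Review        = if ($remote -eq 'Any' -and $unexpected.Count -gt 0) { 'YES' } else { '' }
    }
}

# Same view as the GUI sorted by the "Remote Address" column.
$report | Sort-Object RemoteAddress, Name | Format-Table -AutoSize

"`nRules open to Any remote address on ports not in your public list:"
$report | Where-Object { $_.Review -eq 'YES' } |
    Format-Table Name, Protocol, LocalPort, Profile -AutoSize
```

Rules that come out flagged are the candidates to scope down to “Local subnet” or a specific address list; disabling or tightening one is done with `Set-NetFirewallRule` (for example `-RemoteAddress LocalSubnet`) once you have confirmed what the rule is for.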




