2) Using Group Policy Editor And Event Viewer In Windows 10

If you intend to connect to your Windows 10 computer over the Internet with either RDP or SSH, it is a good idea to know how to use Event Viewer. In Event Viewer you can see who has connected or is currently connected to your computer, and you can also see failed logon attempts. You won’t always be able to see an IP address for failed attempts, but often enough you can see the specific user name that was used in the failed attempt. Quite often for port 3389 (RDP), if you have managed to attract a bot, the name will be administrator or some variant like admin1, adminlocal, adminw10, etc. This is why I recommend changing the default administrator account to something nonsensical and obscure. Open Event Viewer in Windows 10. See image below:

When Event Viewer opens, toggle it to full screen and click the > symbol to expand the Windows Logs menu. Click on Security and the security audit logs will load. See image below:

Event IDs are numbered and failed user logon attempts would be 4625. I’ve clicked on 4798 to show my SSH server account is available and started by the system. See the image below:

See the link below for a comprehensive list of Event ID numbers:

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx

You are probably not seeing any failed user logon attempts because Windows 10 does not audit failed attempts by default. If you are running Windows 10 Professional or Enterprise, you can use Group Policy Editor to turn on auditing of failed user logon attempts so that they appear in Event Viewer. Hit the Windows key on your keyboard and type gpedit.msc. Click on it and Group Policy Editor will open. See image below:

Under Local Computer Policy expand the file tree in the left pane >Computer Configuration >Windows Settings >Security Settings >Local Policies >Audit Policy and click on Audit logon events in the right-hand pane. See image below:

When the window below opens, check both boxes next to Success and Failure. Click OK and Event Viewer will now display failed logon attempts. See image below:
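Once Failure auditing is on, the same 4625 events can be summarized from an elevated PowerShell prompt instead of being read one at a time in Event Viewer. The script below is an added example, not part of the original tutorial; the function name Get-FailedLogonSummary and the seven-day default window are assumptions made for illustration.

```powershell
# Added example: summarize failed logons (Event ID 4625) from the Security log.
# Reading the Security log requires an elevated (administrator) prompt.
function Get-FailedLogonSummary {
    param([int]$Days = 7)   # assumed look-back window

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    if (-not $events) {
        Write-Warning "No 4625 events in the last $Days day(s). Check that Failure is ticked under Audit logon events."
        return
    }

    $failures = foreach ($e in $events) {
        # Read the event data fields by name from the event XML, not by position.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        $ip = $data['IpAddress']
        [pscustomobject]@{
            Time      = $e.TimeCreated
            User      = $data['TargetUserName']
            LogonType = $data['LogonType']   # 3 = network, 10 = remote interactive
            # The source address is often missing or "-" for failed attempts.
            SourceIP  = if ($ip -and $ip -ne '-') { $ip } else { '(not recorded)' }
        }
    }

    "Account names tried most often:"
    $failures | Group-Object User | Sort-Object Count -Descending |
        Select-Object -First 10 Count, Name | Format-Table -AutoSize | Out-String

    "Source addresses seen most often:"
    $failures | Group-Object SourceIP | Sort-Object Count -Descending |
        Select-Object -First 10 Count, Name | Format-Table -AutoSize | Out-String

    "Most recent attempts:"
    $failures | Sort-Object Time -Descending | Select-Object -First 10 |
        Format-Table -AutoSize | Out-String
}

Get-FailedLogonSummary -Days 7
```

A long list of administrator-style names in the first table is the bot pattern described earlier in this section.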

If your system is Windows 10 Home you will discover that Group Policy Editor is not bundled with your software. Originally Windows 10 Home base versions did not come with Group Policy Editor, Remote Desktop Protocol, or SSH available. It is possible to be on build 1803 and not have these options available to you if you followed the original free upgrade path from Windows 7 or 8 Home versions. Not to worry.

Windows 10 has Deployment Image Servicing and Management (DISM) CLI capability, which means that with DISM commands you can still install Group Policy Editor on your Windows 10 Home base system for free if you are running a legal system. See the link below for a technical summary:

https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows

To install Group Policy Editor on your Windows 10 Home system, make sure you are connected to the Internet, then copy/paste or type the code below exactly as it is written into the Windows CLI at an elevated prompt and hit Enter, and it will install. Restart your computer and open Group Policy Editor as shown above. See code below:

FOR %F IN ("%SystemRoot%\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientTools-Package~*.mum") DO (
DISM /Online /NoRestart /Add-Package:"%F"
)
FOR %F IN ("%SystemRoot%\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientExtensions-Package~*.mum") DO (
DISM /Online /NoRestart /Add-Package:"%F"
)

It will take a few minutes, so be patient. Below is an image of the CLI in action as it installs.

The open source community also provides an alternative package to Group Policy Editor which users of Windows 10 Home seem to have had good luck with. You can download it from the link below:

https://www.techspot.com/downloads/7112-policy-plus.html

I have not personally tested this application so I cannot vouch for its performance; however, it seems to be kept up to date.
