Audit logging is part of the Microsoft Windows operating system and writes entries to the Windows Security event log. With logon auditing enabled, you can see which users try to access your computer. To enable audit logging, follow these steps:
1. Click Start
You find the Start button in the bottom left corner.
2. Click Run
A dialog appears where you can type into a text box.
3. Start the Local Security Policy console
Type secpol.msc in the text box and click OK.
4. Select Local Policies
After the management console has started, expand Local Policies by clicking the +.
5. Choose Audit Policy
Clicking this tree item shows a few options in the right pane.
6. Activate Audit logon events
Double-click Audit logon events in the right pane and select the Failure check box. This means that the system writes a security entry to the event log on every failed logon attempt.
More information: http://technet.microsoft.com/en-us/library/cc976395.aspx
RDP Guard needs a service to block attacks. The service is called IPBlockControlerService. Make sure that the service has permission to configure IPsec. Local Service is the default account and should work fine.
IPsec is a protocol that encrypts connections between computers. It is installed on all Windows servers by default. RDP Guard uses this technology to block IP addresses.
To detect attacks, Windows must log all failed logon attempts in the Windows event log. When you install RDP Guard, you have the option to enable logon auditing in the local policies.
If logon auditing is already defined in the domain policies, this option is not needed.
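
The prerequisites described above (failure auditing for logon events, and the blocking service with its account) can be checked from PowerShell. This is an added example, not part of RDP Guard or its installer. It assumes Windows Vista / Server 2008 or later with PowerShell 3.0+, English-language auditpol output, an elevated session, and that IPBlockControlerService is the service's short name rather than only its display name.

```powershell
# Added example, not part of RDP Guard. Run in an elevated PowerShell 3.0+ session.
# Assumptions: Windows Vista / Server 2008 or later, English auditpol output,
# and that 'IPBlockControlerService' is the service's short name.
$ServiceName = 'IPBlockControlerService'
$LogonGuid   = '{0CCE9215-69AE-11D9-BED3-505054503030}'   # "Logon" audit subcategory

# 1. Is failure auditing for logon events in effect?
$rows    = auditpol /get "/subcategory:$LogonGuid" /r | Where-Object { $_.Trim() }
$setting = ($rows | ConvertFrom-Csv).'Inclusion Setting'
$auditFailure = [bool]($setting -match 'Failure')
# To enable it from the command line instead of secpol.msc:
#   auditpol /set "/subcategory:$LogonGuid" /failure:enable

# 2. Is the blocking service present, and under which account does it run?
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"

# 3. Are failed logons (event ID 4625) arriving in the Security log?
$events = @(Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue)

# Count failures per source address, read from each event's XML payload.
$bySource = $events | ForEach-Object {
    $data = ([xml]$_.ToXml()).Event.EventData.Data
    ($data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
} | Where-Object { $_ -and $_ -ne '-' } | Group-Object |
    Sort-Object Count -Descending | Select-Object -First 10 Count, Name

[pscustomobject]@{
    LogonFailureAuditing = $auditFailure
    ServiceFound         = [bool]$svc
    ServiceState         = $svc.State
    ServiceAccount       = $svc.StartName   # Local Service shows as 'NT AUTHORITY\LocalService'
    FailedLogonsLast24h  = $events.Count
}
$bySource | Format-Table -AutoSize
```

If LogonFailureAuditing is False, failed logon attempts are not written to the Security log and there is nothing for the service to act on.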