Activate security auditing to log unsuccessful logon attempts

Windows can log unsuccessful logon attempts, which lets you detect when someone is trying to access your machine.

To do this:

  1. Start the Local Security Policies snap-in
  2. In the tree-view, go to “Local Policies” -> “Audit Policy”
  3. For minimum logging, select auditing of failures for “Account Logon Events”, “Directory Service Access” and “Logon Events”
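
The same three settings applied from the command line, followed by a summary of the failed logons they record. This is an added example, not part of the original page. It assumes Windows Vista / Server 2008 or later (auditpol.exe, event ID 4625), English category names and an elevated PowerShell prompt; `$since` and `$threshold` are illustrative values.

```powershell
# Added example. Assumptions: elevated prompt, Windows Vista / Server 2008 or
# later, English-locale auditpol category names.

# auditpol names for the three policies in step 3:
#   "Account Logon Events"     -> Account Logon
#   "Directory Service Access" -> DS Access
#   "Logon Events"             -> Logon/Logoff
$categories = 'Account Logon', 'DS Access', 'Logon/Logoff'

foreach ($c in $categories) {
    # Only the failure setting is specified here.
    auditpol.exe /set /category:"$c" /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not set audit policy for '$c'" }
    auditpol.exe /get /category:"$c"        # print the resulting settings
}

# Summarise failed logons (event ID 4625) from the Security log.
$since     = (Get-Date).AddHours(-24)       # illustrative time window
$threshold = 5                              # illustrative: failures per account/source

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4625; StartTime = $since
} -ErrorAction SilentlyContinue             # no matching events is not an error here

$failures = foreach ($e in $events) {
    # Read the named fields from the event XML instead of relying on positions.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
        LogonType = $data.LogonType         # e.g. 2 = interactive, 3 = network
        Source    = $data.IpAddress
        SubStatus = $data.SubStatus         # NTSTATUS code giving the failure reason
    }
}

# Account/source pairs with repeated failures, most frequent first.
$failures |
    Group-Object Account, Source |
    Where-Object Count -ge $threshold |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

On a domain-joined machine, audit settings delivered by Group Policy can overwrite what is set locally.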

Note: Audits can also be useful when trying to figure out what keeps an application from working when started with user privileges. The audits can show the failures that occur when the application tries to access the folders and registry entries it needs. One can then change the Access Control List (ACL) for these resources so that access is granted when running with user privileges.

More info MS KB300549
More info MS KB310399
More info MS KB315416
More info MS KB324739