5.8 Intruder Detection

5.8.1 Intruder Detection Lock

The Intruder Detection Lock audit event is logged when an intruder is detected after successive authentication failures and the device stops accepting remote session requests. This happens when a remote operator enters the wrong credentials several times during a remote session and the number of invalid attempts crosses the limit specified in the Remote Management Policy settings.

Enabling an Intruder Detection Lock Audit Event

  1. Log in to ZENworks Control Center on a server that has Windows devices.

  2. Click Configuration > Audit Management > Events Configuration.

  3. In the Events Configuration page, click Agent Events > Add.

  4. In the Add Agent Events dialog box, select the Intruder Detection Lock check box under Remote Management > Intruder Detection.

  5. Configure the event settings such as Event classification, Days to keep, Notification Types, and so forth, for the Intruder Detection Lock event, then click Apply.

  6. Click OK to add the Intruder Detection Lock event and close the Add Agent Events dialog box.

Generating an Intruder Detection Lock Audit Event

  1. Apply a remote management policy that enables Persistent password mode and set the password. Set the value of Intruder Detection Lock to Suspend accepting connections after 2 successive invalid attempts.

  2. In ZENworks Control Center, click Devices > Workstations.

  3. Select a Windows device and click Remote Control in password mode, to remotely manage that device.

  4. Enter a wrong password when prompted. This invalid attempt logs an Authentication Failure event and then the password is requested again. Enter a wrong password for the second time.

    Based on the settings configured for Intruder Detection in the security settings of the remote management policy, the device is locked for remote management operations and the Intruder Detection Lock audit event is logged.

After the time specified in Audit Settings, the generated Intruder Detection Lock event is uploaded to the server and displayed in ZENworks Control Center. You can view the Intruder Detection Lock audit events logged on a device and also on a zone.

5.8.2 Intruder Detection Reset Audit Event

The Intruder Detection Reset audit event is logged when you unblock a device so that it accepts remote session requests again. The event can be triggered by a quick task, by a local user, or by policy settings; whichever of these triggered it is logged as the initiator.

Enabling an Intruder Detection Reset Audit Event

  1. Log in to ZENworks Control Center on a server that has Windows devices.

  2. Click Configuration > Audit Management > Events Configuration.

  3. In the Events Configuration page, click the Agent Events tab > Add.

  4. In the Add Agent Events dialog box, select the Intruder Detection Reset check box under Remote Management > Intruder Detection.

  5. Configure the event settings such as Event classification, Days to keep, Notification Types, and so forth, for the Intruder Detection Reset event, then click Apply.

  6. Click OK to add the Intruder Detection Reset event and close the Add Agent Events dialog box.

Generating an Intruder Detection Reset Audit Event

  1. Perform the steps listed for Generating an Intruder Detection Lock Audit Event.

  2. To perform remote operations again on the device that is locked, unlock the device by using one of the following options:

    1. In ZENworks Control Center, select the device > click the Unblock Remote Management quick task. If the Intruder Detection Reset is performed through a quick task, the information about the ZENworks administrator who initiated the quick task is not recorded in the audit log.

      Or

    2. Increase the value of Suspend accepting connections after X successive invalid attempts in the Remote Management Policy settings.

      Or

    3. Perform the remote management operation only after the time specified in Automatically start accepting connections after Y minutes under Intruder Detection in the Remote Management Policy settings has elapsed.

      Or

    4. On the Z-Icon page of the managed device,

      1. Click Remote Management > click Security, then click Enable accepting connections if currently blocked due to intruder detection.

      2. Click Ok in the pop-up that displays The device is enabled to accept remote management connections.

After you unlock the device through one of the methods listed above, the device starts accepting connections again and the Intruder Detection Reset audit event is logged.
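The lock-and-reset behaviour that the two procedures above describe, as an added Python model that is not ZENworks code: the threshold X, the automatic reopen after Y minutes, the Authentication Failure, Lock and Reset events, and the rule that a quick-task reset does not record the administrator all come from the text above. The class and method names, the seconds-based clock and the "policy settings" initiator label used for the automatic reopen are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class RemoteManagementPolicy:
    max_invalid_attempts: int = 2        # "Suspend accepting connections after X successive invalid attempts"
    auto_accept_after_minutes: int = 10  # "Automatically start accepting connections after Y minutes"

@dataclass
class IntruderDetection:
    policy: RemoteManagementPolicy
    password: str                        # persistent-mode remote management password
    failures: int = 0                    # successive invalid attempts so far
    locked_at: Optional[float] = None    # time (seconds) the lock was applied; None when unlocked
    audit_log: list = field(default_factory=list)

    def _log(self, event: str, now: float, initiator: Optional[str] = None) -> None:
        self.audit_log.append({"event": event, "time": now, "initiator": initiator})

    def is_locked(self, now: float) -> bool:
        if self.locked_at is None:
            return False
        if now - self.locked_at >= self.policy.auto_accept_after_minutes * 60:
            self.reset(now, initiator="policy settings")  # Y minutes elapsed (initiator label assumed)
            return False
        return True

    def attempt(self, supplied: str, now: float) -> bool:
        """A remote operator supplies a password; True means the session is accepted."""
        if self.is_locked(now):
            return False                 # a locked device rejects remote session requests outright
        if supplied == self.password:
            self.failures = 0
            return True
        self.failures += 1
        self._log("Authentication Failure", now)
        if self.failures >= self.policy.max_invalid_attempts:
            self.locked_at = now
            self._log("Intruder Detection Lock", now)
        return False

    def reset(self, now: float, initiator: str, actor: Optional[str] = None) -> None:
        self.locked_at, self.failures = None, 0
        # a quick-task reset does not record which administrator initiated it
        who = initiator if initiator == "quick task" or actor is None else f"{initiator}:{actor}"
        self._log("Intruder Detection Reset", now, who)

    def apply_policy(self, new_policy: RemoteManagementPolicy, now: float) -> None:
        self.policy = new_policy         # raising X above the current failure count unblocks the device
        if self.locked_at is not None and self.failures < new_policy.max_invalid_attempts:
            self.reset(now, initiator="policy settings")
```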