How to log RDP Terminal Services connections


Guest

I would like to log all connection attempts (success or failure) to RDP /
terminal services (WinXP Pro SP2). Is there a way to get them into the event
log or some other file?
 
On the computer that users are trying to connect to, enable auditing of logon
events [which may already be done] in Local Security Policy to the domain
level GP managing such. RDP logons would be recorded as type 10 logon
events. You can use the free Event Comb from Microsoft to parse security
logs for specific Event IDs and text strings. --- Steve

http://www.windowsecurity.com/articles/Logon-Types.html

Logon Type 10 - RemoteInteractive
When you access a computer through Terminal Services, Remote Desktop or
Remote Assistance, Windows logs the logon attempt with logon type 10, which
makes it easy to distinguish true console logons from a remote desktop
session. Note however that prior to XP, Windows 2000 doesn't use logon type
10 and terminal services logons are reported as logon type 2.
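
The filtering described above, as an added example that is not part of the original thread: it pulls the `Logon Type:` field out of exported Security log records, keeps the Remote Desktop ones, and counts what it skips. The tab-separated export layout, the sample records and the function names are assumptions made for this example; 528 and 529 are the logon success and failure event IDs on Windows XP.

```python
import re
from collections import Counter

# Constructed sample: Security log records after a text export, one per line
# (timestamp <TAB> event ID <TAB> description). Layout and values are invented.
SAMPLE_EXPORT = """\
2006-03-01 09:00:02\t528\tSuccessful Logon: User Name: backupsvc Domain: WKSTN01 Logon Type: 4 Logon Process: Advapi
2006-03-01 09:12:40\t528\tSuccessful Logon: User Name: alice Domain: WKSTN01 Logon Type: 10 Logon Process: User32
2006-03-01 09:13:05\t529\tLogon Failure: Reason: Unknown user name or bad password User Name: admin Domain: WKSTN01 Logon Type: 10 Logon Process: User32
2006-03-01 09:30:02\t528\tSuccessful Logon: User Name: backupsvc Domain: WKSTN01 Logon Type: 4 Logon Process: Advapi
2006-03-01 10:02:11\t528\tSuccessful Logon: User Name: bob Domain: WKSTN01 Logon Type: 2 Logon Process: User32
"""

LOGON_TYPE = re.compile(r"Logon Type:\s*(\d+)")
USER_NAME = re.compile(r"User Name:\s*(\S+)")

def parse_export(text):
    """Yield one dict per exported record that carries a 'Logon Type:' field."""
    for line in text.splitlines():
        parts = line.split("\t", 2)
        if len(parts) != 3:
            continue  # blank or malformed line
        when, event_id, desc = parts
        m = LOGON_TYPE.search(desc)
        if not m:
            continue  # not a logon event
        user = USER_NAME.search(desc)
        yield {"time": when, "event_id": event_id,
               "logon_type": int(m.group(1)),
               "user": user.group(1) if user else None,
               "success": desc.startswith("Successful Logon")}

def remote_logons(text, target_is_win2000=False):
    """Return (records kept, Counter of logon types skipped).

    Type 10 is RemoteInteractive. Windows 2000 reports Terminal Services
    logons as type 2, so on that system they cannot be told apart from
    console logons by type alone and every type 2 record is kept.
    """
    wanted = {2} if target_is_win2000 else {10}
    kept, skipped = [], Counter()
    for rec in parse_export(text):
        if rec["logon_type"] in wanted:
            kept.append(rec)
        else:
            skipped[rec["logon_type"]] += 1
    return kept, skipped
```
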
 
Thanks. One issue I have had with auditing logon events: I have a scheduled
task every 30 min that clutters the event log (with type 4, I know now,
thanks to your link). Also, the logon event log apparently does not log
connection info, e.g. source IP, and only logs logon failures/successes, not
connections with no logon attempt. I suppose I need to coax my (3rd-party)
firewall software to log the connection. The information I would like to see
would be similar to what OpenSSH sshd logs with the VERBOSE option.

Steven L Umbach said:
On the computer that users are trying to connect to, enable auditing of logon
events [which may already be done] in Local Security Policy to the domain
level GP managing such. RDP logons would be recorded as type 10 logon
events. You can use the free Event Comb from Microsoft to parse security
logs for specific Event IDs and text strings. --- Steve

http://www.windowsecurity.com/articles/Logon-Types.html

Logon Type 10 - RemoteInteractive
When you access a computer through Terminal Services, Remote Desktop or
Remote Assistance, Windows logs the logon attempt with logon type 10, which
makes it easy to distinguish true console logons from a remote desktop
session. Note however that prior to XP, Windows 2000 doesn't use logon type
10 and terminal services logons are reported as logon type 2.


mobile said:
I would like to log all connection attempts (success or failure) to RDP /
terminal services (WinXP Pro SP2). Is there a way to get them into the event
log or some other file?
 
A connection from the local network should show a computer name from your
network but other than that you could try as you suggest to monitor traffic
to port 3389 TCP into your network or computer via firewall logs. --- Steve


 