Remote Desktop - Any logging?


Are there any logs created on the host machine showing when someone made an
RDP connection? I would like to know what user and what IP address was used
to establish a connection.
 
I have auditing turned on and see type 528 but no 10's when I connect
remotely. Where do I find the firewall logs?

Steven L Umbach said:
There should be an entry in the security log available via Event Viewer if
auditing of logon events is enabled which it may be by default. Look for
type 10 logon events. However you may not see the IP address but instead
the name of the computer. Firewall logs [hardware or host] may help track
down the IP of the computer if you match the logs to the time of the type 10
logon event.

Steve

http://www.windowsecurity.com/articles/Logon-Types.html --- logon events
explained


Logon Type 10 - RemoteInteractive
When you access a computer through Terminal Services, Remote Desktop or
Remote Assistance Windows logs the logon attempt with logon type 10 which
makes it easy to distinguish true console logons from a remote desktop
session. Note however that prior to XP, Windows 2000 doesn't use logon type
10 and terminal services logons are reported as logon type 2.


 
I see where the 10 comes in.

 
found the firewall log too. Guess it is not there by default.

 
 
Correct. I should have mentioned that you need to enable logging of the
Windows Firewall first. If the Windows Firewall does not show the needed
info you may want to try a third party software firewall. Sygate used to
excel at logging but I don't believe it is around anymore though you may
still find places to download it.

Steve


 
I don't see one either - what is the problem specifically?

Taking a guess based on the Subject, check the Windows XP Security Event
Viewer Log. An Audit Policy may be configured using the Group Policy editor
to track logon success and failures:
From the Start | Run command window type gpedit.msc.
Navigate to Local Computer Policy | Computer Configuration | Windows
Settings | Security Settings | Local Policies | Audit Policy | Audit logon
events.
Highlight and right-click and select properties.
Configure as desired.

Note that logging in without a password is logged as a failure. This results
in the security log filling up very fast if you log failures and have a user
without a password. The result is you cannot log in normally. Also note, not
having a password is a potential and probable security risk.

The event log can be viewed by going to Start | Control Panel | Performance
and Maintenance | Administrative Tools and click on Event Viewer.

The Event Log (Security) noting a successful logon and logoff by a remote
user. The user can highlight a log entry and right-click to view the event
Properties for detailed information.

Look in the Security Event Log for a Logon/Logoff Event 528 and Logon Type
10.

The free Microsoft Port Reporter tool provides for additional logging.
Description of the Port Reporter Parser (PR-Parser) tool
http://support.microsoft.com/default.aspx?scid=kb;en-us;884289

Availability and description of the Port Reporter tool
http://support.microsoft.com/kb/837243
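
The thread's suggestion of matching firewall log entries to the time of a type 10 logon can be scripted. This is an added example, not code from any poster: the firewall log lines and logon list are constructed, and the action names treated as accepted inbound connections (`OPEN-INBOUND`, `ALLOW`) are assumptions about the Windows Firewall log format.

```python
from datetime import datetime, timedelta

# Constructed sample of a Windows Firewall log; addresses are documentation ranges.
FIREWALL_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2006-03-14 09:15:02 OPEN-INBOUND TCP 203.0.113.45 192.0.2.10 1893 3389 - - - - - - - -
2006-03-14 09:40:11 DROP TCP 198.51.100.7 192.0.2.10 4021 3389 48 S 1234567 0 65535 - - -
2006-03-14 11:02:30 OPEN TCP 192.0.2.10 198.51.100.80 1055 80 - - - - - - - -
2006-03-14 13:27:48 OPEN-INBOUND TCP 198.51.100.23 192.0.2.10 2210 3389 - - - - - - - -
"""

# Constructed type 10 logon events as (time, user), as read from the Security log.
LOGONS = [
    (datetime(2006, 3, 14, 9, 15, 9), "HOST\\sam"),
    (datetime(2006, 3, 14, 13, 28, 1), "HOST\\admin"),
    (datetime(2006, 3, 14, 16, 0, 0), "HOST\\sam"),
]

ACCEPTED = {"OPEN-INBOUND", "ALLOW"}  # assumed action names for accepted connections

def parse_firewall_log(text, port=3389):
    """Return (time, src_ip) for accepted inbound TCP connections to `port`."""
    fields, hits = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names come from the log header
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            if (row.get("protocol") == "TCP" and row.get("dst-port") == str(port)
                    and row.get("action") in ACCEPTED
                    and row.get("path", "RECEIVE") == "RECEIVE"):
                stamp = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
                hits.append((stamp, row["src-ip"]))
    return hits

def correlate(logons, connections, window=timedelta(seconds=60)):
    """Attach to each logon the nearest connection that preceded it within `window`."""
    results = []
    for when, user in logons:
        candidates = [(when - t, ip) for t, ip in connections
                      if timedelta(0) <= when - t <= window]
        results.append((when, user, min(candidates)[1] if candidates else None))
    return results

if __name__ == "__main__":
    for when, user, ip in correlate(LOGONS, parse_firewall_log(FIREWALL_LOG)):
        print(when, user, ip or "no matching connection in firewall log")
```

A logon with no match (the third one here) means the firewall log has no accepted connection to port 3389 in the preceding minute, for example because firewall logging was not yet enabled.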
 