#1
Remote Desktop- Any logging?
Are there any logs created on the host machine showing when someone made an RDP connection? I would like to know what user and what IP address was used to establish a connection.
#2
I have auditing turned on and see type 528 but no 10's when I connect remotely? Where do I find the firewall logs?

"Steven L Umbach" wrote:
> There should be an entry in the security log available via Event Viewer if auditing of logon events is enabled, which it may be by default. Look for type 10 logon events. However you may not see the IP address but instead the name of the computer. Firewall logs [hardware or host] may help track down the IP of the computer if you match the logs to the time of the type 10 logon event.
>
> Steve
>
> http://www.windowsecurity.com/articles/Logon-Types.html --- logon events explained
>
> Logon Type 10 - RemoteInteractive
>
> When you access a computer through Terminal Services, Remote Desktop or Remote Assistance, Windows logs the logon attempt with logon type 10, which makes it easy to distinguish true console logons from a remote desktop session. Note however that prior to XP, Windows 2000 doesn't use logon type 10 and terminal services logons are reported as logon type 2.
>
> "Sam" wrote in message ...
>> Are there any logs created on the host machine showing when someone made an RDP connection? I would like to know what user and what IP address was used to establish a connection.
#3
I see where the 10 comes in.

"Steven L Umbach" wrote:
> There should be an entry in the security log available via Event Viewer if auditing of logon events is enabled, which it may be by default. Look for type 10 logon events. However you may not see the IP address but instead the name of the computer. Firewall logs [hardware or host] may help track down the IP of the computer if you match the logs to the time of the type 10 logon event.
>
> Steve
>
> http://www.windowsecurity.com/articles/Logon-Types.html --- logon events explained
>
> Logon Type 10 - RemoteInteractive
>
> When you access a computer through Terminal Services, Remote Desktop or Remote Assistance, Windows logs the logon attempt with logon type 10, which makes it easy to distinguish true console logons from a remote desktop session. Note however that prior to XP, Windows 2000 doesn't use logon type 10 and terminal services logons are reported as logon type 2.
>
> "Sam" wrote in message ...
>> Are there any logs created on the host machine showing when someone made an RDP connection? I would like to know what user and what IP address was used to establish a connection.
#4
Found the firewall log too. Guess it is not there by default.

"Steven L Umbach" wrote:
> There should be an entry in the security log available via Event Viewer if auditing of logon events is enabled, which it may be by default. Look for type 10 logon events. However you may not see the IP address but instead the name of the computer. Firewall logs [hardware or host] may help track down the IP of the computer if you match the logs to the time of the type 10 logon event.
>
> Steve
>
> http://www.windowsecurity.com/articles/Logon-Types.html --- logon events explained
>
> Logon Type 10 - RemoteInteractive
>
> When you access a computer through Terminal Services, Remote Desktop or Remote Assistance, Windows logs the logon attempt with logon type 10, which makes it easy to distinguish true console logons from a remote desktop session. Note however that prior to XP, Windows 2000 doesn't use logon type 10 and terminal services logons are reported as logon type 2.
>
> "Sam" wrote in message ...
>> Are there any logs created on the host machine showing when someone made an RDP connection? I would like to know what user and what IP address was used to establish a connection.
#5
There should be an entry in the security log available via Event Viewer if auditing of logon events is enabled, which it may be by default. Look for type 10 logon events. However you may not see the IP address but instead the name of the computer. Firewall logs [hardware or host] may help track down the IP of the computer if you match the logs to the time of the type 10 logon event.

Steve

http://www.windowsecurity.com/articles/Logon-Types.html --- logon events explained

Logon Type 10 - RemoteInteractive

When you access a computer through Terminal Services, Remote Desktop or Remote Assistance, Windows logs the logon attempt with logon type 10, which makes it easy to distinguish true console logons from a remote desktop session. Note however that prior to XP, Windows 2000 doesn't use logon type 10 and terminal services logons are reported as logon type 2.

"Sam" wrote in message ...
> Are there any logs created on the host machine showing when someone made an RDP connection? I would like to know what user and what IP address was used to establish a connection.
#6
Correct. I should have mentioned that you need to enable logging of the Windows Firewall first. If the Windows Firewall does not show the needed info you may want to try a third party software firewall. Sygate used to excel at logging but I don't believe it is around anymore, though you may still find places to download it.

Steve

"Sam" wrote in message ...
> Found the firewall log too. Guess it is not there by default.
>
> "Steven L Umbach" wrote:
>> There should be an entry in the security log available via Event Viewer if auditing of logon events is enabled, which it may be by default. Look for type 10 logon events. However you may not see the IP address but instead the name of the computer. Firewall logs [hardware or host] may help track down the IP of the computer if you match the logs to the time of the type 10 logon event.
>>
>> Steve
>>
>> http://www.windowsecurity.com/articles/Logon-Types.html --- logon events explained
>>
>> Logon Type 10 - RemoteInteractive
>>
>> When you access a computer through Terminal Services, Remote Desktop or Remote Assistance, Windows logs the logon attempt with logon type 10, which makes it easy to distinguish true console logons from a remote desktop session. Note however that prior to XP, Windows 2000 doesn't use logon type 10 and terminal services logons are reported as logon type 2.
>>
>> "Sam" wrote in message ...
>>> Are there any logs created on the host machine showing when someone made an RDP connection? I would like to know what user and what IP address was used to establish a connection.
#7
Hellooooo, can anyone help me with rdp
thanks

--
tell_odas
------------------------------------------------------------------------
tell_odas's Profile: http://forums.techarena.in/members/162423.htm
View this thread: http://forums.techarena.in/windows-security/838814.htm

http://forums.techarena.in
#8
Don't see any question in this post.

"tell_odas" wrote in message ...
:
: Hellooooo, can anyone help me with rdp
: thanks
:
:
: --
: tell_odas
: ------------------------------------------------------------------------
: tell_odas's Profile: http://forums.techarena.in/members/162423.htm
: View this thread: http://forums.techarena.in/windows-security/838814.htm
:
: http://forums.techarena.in
:
#9
I don't see one either - what is the problem specifically?

Taking a guess based on the Subject, check the Windows XP Security Event Viewer Log.

An Audit Policy may be configured using the Group Policy editor to track logon success and failures: From the Start | Run command window type gpedit.msc. Navigate to Local Computer Policy | Computer Configuration | Windows Settings | Security Settings | Local Policies | Audit Policy | Audit logon events. Highlight and right-click and select properties. Configure as desired.

Note that logging in without a password is logged as a failure. This results in the security log filling up very fast if you log failures and have a user without a password. The result is you cannot log in normally. Also note, not having a password is a potential and probable security risk.

The event log can be viewed by going to Start | Control Panel | Performance and Maintenance | Administrative Tools and click on Event Viewer.

The Event Log (Security) noting a successful logon and logoff by a remote user. The user can highlight a log entry and right-click to view the event Properties for detailed information. Look in the Security Event Log for a Logon/Logoff Event 528 and Logon Type 10.

The free Microsoft Port Reporter tool provides for additional logging.

Description of the Port Reporter Parser (PR-Parser) tool
http://support.microsoft.com/default...b;en-us;884289

Availability and description of the Port Reporter tool
http://support.microsoft.com/kb/837243

--
Julius G. Perkins, IV
Enterprise Systems Workstation Architect
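
The matching described in this thread (filter Event 528 records for Logon Type 10, then look in the firewall log for a connection at about the same time) can be scripted over exported logs. This is an added example, not code from any poster. It assumes the firewall log carries a `#Fields:` header line, that RDP listens on its default TCP port 3389, that both logs use the same clock, and a 60-second matching window; all log lines and addresses are constructed samples.

```python
from datetime import datetime, timedelta

# Constructed sample of a Windows Firewall log export (action names vary by
# Windows version; the filter below only excludes DROP).
FIREWALL_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2008-03-04 09:14:58 OPEN-INBOUND TCP 203.0.113.45 192.168.1.10 4711 3389 - - - - - - - -
2008-03-04 09:20:11 DROP TCP 198.51.100.7 192.168.1.10 3120 3389 48 S 1234 0 65535 - - -
2008-03-04 11:02:30 OPEN-INBOUND TCP 192.168.1.77 192.168.1.10 1029 3389 - - - - - - - -
2008-03-04 11:05:00 OPEN TCP 192.168.1.10 192.0.2.80 1055 80 - - - - - - - -
"""

# Constructed sample: Event 528 records reduced to
# (time, logon type, user name, workstation name).
LOGONS = [
    ("2008-03-04 09:15:03", 10, "sam", "LAPTOP7"),
    ("2008-03-04 10:00:00", 2, "sam", "HOSTPC"),    # console logon, skipped
    ("2008-03-04 11:02:41", 10, "admin", "DESK22"),
]

RDP_PORT = "3389"               # assumption: default RDP port
FMT = "%Y-%m-%d %H:%M:%S"

def parse_firewall(text):
    """Yield (timestamp, src_ip) for non-dropped TCP connections to RDP_PORT."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]           # column names from the header
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            if (row["protocol"] == "TCP" and row["dst-port"] == RDP_PORT
                    and row["action"] != "DROP"):
                yield datetime.strptime(row["date"] + " " + row["time"], FMT), row["src-ip"]

def correlate(logons, fw_text, window_s=60):
    """Pair each type 10 logon with the closest preceding RDP connection."""
    conns = list(parse_firewall(fw_text))
    window = timedelta(seconds=window_s)
    out = []
    for ts, logon_type, user, workstation in logons:
        if logon_type != 10:                    # keep RemoteInteractive only
            continue
        t = datetime.strptime(ts, FMT)
        near = [(t - c, ip) for c, ip in conns if timedelta(0) <= t - c <= window]
        out.append((ts, user, workstation, min(near)[1] if near else None))
    return out
```

A logon that comes back with `None` had no accepted connection to the RDP port inside the window, which points to firewall logging being off at the time or to the two clocks disagreeing.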