A Windows XP help forum. PCbanter

If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

Go Back   Home » PCbanter forum » Microsoft Windows XP » Security and Administration with Windows XP
Site Map Home Register Authors List Search Today's Posts Mark Forums Read Web Partners

Remote Desktop- Any logging?



 
 
Thread Tools Display Modes
  #1  
Old October 24th 07, 04:21 PM posted to microsoft.public.windowsxp.security_admin
sam
external usenet poster
 
Posts: 140
Default Remote Desktop- Any logging?

Are there any logs created on the host machine showing when someone made a
RDP connection. I would like to know what user and what IP address was used
to establish a connection.
Ads
  #2  
Old October 24th 07, 06:21 PM posted to microsoft.public.windowsxp.security_admin
sam
external usenet poster
 
Posts: 140
Default Remote Desktop- Any logging?

I have auditing turned on and see type 528 but no 10's when I connect
remotely? where do I find the firewall logs?

"Steven L Umbach" wrote:

There should be an entry in the security log available via Event Viewer if
auditing of logon events is enabled which it may be by default. Look for
type 10 logon events. However you may need see the IP address but instead
the name of the computer. Firewall logs [hardware or host] may help track
down the IP of the computer if you match the logs to the time of the type 10
logon event.

Steve

http://www.windowsecurity.com/articles/Logon-Types.html --- logon events
explained


Logon Type 10 - RemoteInteractive
When you access a computer through Terminal Services, Remote Desktop or
Remote Assistance windows logs the logon attempt with logon type 10 which
makes it easy to distinguish true console logons from a remote desktop
session. Note however that prior to XP, Windows 2000 doesn't use logon type
10 and terminal services logons are reported as logon type 2.


"Sam" wrote in message
...
Are there any logs created on the host machine showing when someone made a
RDP connection. I would like to know what user and what IP address was
used
to establish a connection.




  #3  
Old October 24th 07, 06:27 PM posted to microsoft.public.windowsxp.security_admin
sam
external usenet poster
 
Posts: 140
Default Remote Desktop- Any logging?

I see where the 10 comes in.

"Steven L Umbach" wrote:

There should be an entry in the security log available via Event Viewer if
auditing of logon events is enabled which it may be by default. Look for
type 10 logon events. However you may need see the IP address but instead
the name of the computer. Firewall logs [hardware or host] may help track
down the IP of the computer if you match the logs to the time of the type 10
logon event.

Steve

http://www.windowsecurity.com/articles/Logon-Types.html --- logon events
explained


Logon Type 10 - RemoteInteractive
When you access a computer through Terminal Services, Remote Desktop or
Remote Assistance windows logs the logon attempt with logon type 10 which
makes it easy to distinguish true console logons from a remote desktop
session. Note however that prior to XP, Windows 2000 doesn't use logon type
10 and terminal services logons are reported as logon type 2.


"Sam" wrote in message
...
Are there any logs created on the host machine showing when someone made a
RDP connection. I would like to know what user and what IP address was
used
to establish a connection.




  #4  
Old October 25th 07, 02:35 PM posted to microsoft.public.windowsxp.security_admin
sam
external usenet poster
 
Posts: 140
Default Remote Desktop- Any logging?

found the firewall log too. Guess it is not there by default.

"Steven L Umbach" wrote:

There should be an entry in the security log available via Event Viewer if
auditing of logon events is enabled which it may be by default. Look for
type 10 logon events. However you may need see the IP address but instead
the name of the computer. Firewall logs [hardware or host] may help track
down the IP of the computer if you match the logs to the time of the type 10
logon event.

Steve

http://www.windowsecurity.com/articles/Logon-Types.html --- logon events
explained


Logon Type 10 - RemoteInteractive
When you access a computer through Terminal Services, Remote Desktop or
Remote Assistance windows logs the logon attempt with logon type 10 which
makes it easy to distinguish true console logons from a remote desktop
session. Note however that prior to XP, Windows 2000 doesn't use logon type
10 and terminal services logons are reported as logon type 2.


"Sam" wrote in message
...
Are there any logs created on the host machine showing when someone made a
RDP connection. I would like to know what user and what IP address was
used
to establish a connection.




  #5  
Old October 25th 07, 06:01 PM posted to microsoft.public.windowsxp.security_admin
Steven L Umbach
external usenet poster
 
Posts: 810
Default Remote Desktop- Any logging?

There should be an entry in the security log available via Event Viewer if
auditing of logon events is enabled which it may be by default. Look for
type 10 logon events. However you may need see the IP address but instead
the name of the computer. Firewall logs [hardware or host] may help track
down the IP of the computer if you match the logs to the time of the type 10
logon event.

Steve

http://www.windowsecurity.com/articles/Logon-Types.html --- logon events
explained


Logon Type 10 - RemoteInteractive
When you access a computer through Terminal Services, Remote Desktop or
Remote Assistance windows logs the logon attempt with logon type 10 which
makes it easy to distinguish true console logons from a remote desktop
session. Note however that prior to XP, Windows 2000 doesn't use logon type
10 and terminal services logons are reported as logon type 2.


"Sam" wrote in message
...
Are there any logs created on the host machine showing when someone made a
RDP connection. I would like to know what user and what IP address was
used
to establish a connection.



  #6  
Old October 26th 07, 12:50 AM posted to microsoft.public.windowsxp.security_admin
Steven L Umbach
external usenet poster
 
Posts: 810
Default Remote Desktop- Any logging?

Correct. I should have mentioned that you need to enable logging of the
Windows Firewall first. If the Windows Firewall does not show the needed
info you may want to try a third party software firewall. Sygate used to
excel at logging but I don't believe it is around anymore though you may
still find places to download it.

Steve


"Sam" wrote in message
...
found the firewall log too. Guess it is not there by default.

"Steven L Umbach" wrote:

There should be an entry in the security log available via Event Viewer
if
auditing of logon events is enabled which it may be by default. Look for
type 10 logon events. However you may need see the IP address but instead
the name of the computer. Firewall logs [hardware or host] may help track
down the IP of the computer if you match the logs to the time of the type
10
logon event.

Steve

http://www.windowsecurity.com/articles/Logon-Types.html --- logon
events
explained


Logon Type 10 - RemoteInteractive
When you access a computer through Terminal Services, Remote Desktop or
Remote Assistance windows logs the logon attempt with logon type 10 which
makes it easy to distinguish true console logons from a remote desktop
session. Note however that prior to XP, Windows 2000 doesn't use logon
type
10 and terminal services logons are reported as logon type 2.


"Sam" wrote in message
...
Are there any logs created on the host machine showing when someone
made a
RDP connection. I would like to know what user and what IP address was
used
to establish a connection.






  #7  
Old December 9th 09, 05:30 PM posted to microsoft.public.windowsxp.security_admin
tell_odas
external usenet poster
 
Posts: 1
Default Remote Desktop- Any logging?


Hellooooo, can any one help me wit rdp
tanx


--
tell_odas
------------------------------------------------------------------------
tell_odas's Profile: http://forums.techarena.in/members/162423.htm
View this thread: http://forums.techarena.in/windows-security/838814.htm

http://forums.techarena.in

  #8  
Old December 10th 09, 03:22 PM posted to microsoft.public.windowsxp.security_admin
Tom Willett[_2_]
external usenet poster
 
Posts: 530
Default Remote Desktop- Any logging?

Don't see any question in this post.

"tell_odas" wrote in message
...
:
: Hellooooo, can any one help me wit rdp
: tanx
:
:
: --
: tell_odas
: ------------------------------------------------------------------------
: tell_odas's Profile: http://forums.techarena.in/members/162423.htm
: View this thread: http://forums.techarena.in/windows-security/838814.htm
:
: http://forums.techarena.in
:


  #9  
Old December 10th 09, 10:13 PM posted to microsoft.public.windowsxp.security_admin
JuliusPIV
external usenet poster
 
Posts: 9
Default Remote Desktop- Any logging?

I don't see one either - what is the problem specifically?

Taking a guess based on the Subject, check the Windows XP Security Event
Viewer Log. An Audit Policy may be configured using the Group Policy editor
to track logon success and failures:
From the Start | Run command window type gpedit.msc.
Navigate to Local Computer Policy | Computer Configuration | Windows
Settings | Security Settings | Local Policies | Audit Policy | Audit logon
events.
Highlight and right-click and select properties.
Configure as desired.

Note that logging in without a password is logged as a failure. This results
in the security log filling up very fast if you log failures and have a user
without a password. The result is you can not login normally. Also note, not
having a password is a potential and probable security risk.

The event log can be viewed by going to Start | Control Panel | Performance
and Maintenance | Administrative Tools and click on Event Viewer.

The Event Log (Security) noting a successful logon and logoff by a remote
user. The user can highlight a log entry and right-click to view the event
Properties for detailed information.

Look in the Security Event Log for a Logon/Logoff Event 528 and Logon Type
10.

The free Microsoft Port Reporter tool provides for additional logging.
Description of the Port Reporter Parser (PR-Parser) tool
http://support.microsoft.com/default...b;en-us;884289

Availability and description of the Port Reporter tool
http://support.microsoft.com/kb/837243

--
Julius G. Perkins, IV
Enterprise Systems
Workstation Architect
 




Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is Off
HTML code is Off






All times are GMT +1. The time now is 03:08 PM.


Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Copyright ©2004-2024 PCbanter.
The comments are property of their posters.