How to log the IP address and time of anyone accessing the network on port 3389 (Remote Desktop)

We have an intruder that is accessing our Win2k3 terminal server. I have changed the passwords so he/she can no longer get in, but the lawyers want to track any future attempts. Is there a way to log access on port 3389 on a PIX 501? They want to capture: computer name, IP address and time that the PIX was accessed, even though the Win2k3 server will now reject their login attempt. We do have legitimate users accessing the server using Remote Desktop on port 3389, so I will have to weed those out.

thanks,
Mike
mstefani asked:

zuech commented:
Auditing logon attempts via Group Policy on the Microsoft server side would give you the IP address, time and the user they are trying to log on as, which can be sorted by failures. Here is an article regarding that.

http://support.microsoft.com/kb/814595
0
mstefani (Author) commented:
That looks great, but how do I audit just the terminal server logins? I am not even close to an expert on Active Directory... so any and all help would be appreciated.

thanks,
Mike
0
zuech commented:
In order to get all the info you are looking for, you may need to use a combination of monitoring. The auditing will give you who they are trying to log in as and the IP address, while something like a syslog server will help you track 3389 traffic along with the IP address. I am in no way close to an expert on Cisco, but I have set up this scenario for similar reasons on an ASA. I'm hoping one of the experts can help you with the commands, as I believe they are different for the PIX, but here is a link for software that can capture the logs. This is free software which was easy to use.

http://www.kiwisyslog.com/software_downloads.htm

The commands I used on my ASA were as follows, but as I stated, hopefully one of the experts can assist here.

logging on
logging timestamp
logging monitor 7
logging trap 7
logging host inside "inside ip address of the server where you setup the software"

The 7 is debugging mode, which, depending on how much traffic you get, will add up quickly, so you don't want to keep it in that mode unless you have a ton of space. This will show you the IP and port the traffic is on and dump it in a text file.

I tried to find info on logging on the 501 but couldn't. I will check to see if I can find anything when I get into my office tomorrow. If an expert doesn't jump in, I have 2 offices with 500 series PIXs, so maybe I can try the setup there to get a better idea of the commands and how it works on the PIX compared to the ASA.
0
zuech commented:
The commands are almost identical. Here is a link that explains setting up a syslog server on the PIX.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094030.shtml

Between those two you should be able to get all info you need.
0
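Once the PIX is sending connection messages to a syslog server as described above, the remaining work is picking the port 3389 connections out of the capture and dropping the known-good sources. The following Python script is an added example, not code from the thread or from Cisco or Kiwi: it parses the "Built inbound TCP connection" messages (302001 in the PIX 6.x layout, 302013 in the 7.x/ASA layout), keeps only connections to the RDP port, and excludes an assumed allow-list of legitimate users' addresses. The log lines, addresses and the timestamp prefix are constructed to resemble output with `logging timestamp` enabled; check the exact format against the file your syslog server actually writes before relying on the regular expressions.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not real logs). 302001 is the PIX 6.x
# "Built ... TCP connection" message, 302013 the PIX 7.x / ASA form; both are
# severity 6, so "logging trap 6" or higher is enough to receive them.
SAMPLE_LOG = """\
Jan 15 2008 10:23:45: %PIX-6-302001: Built inbound TCP connection 4101 for faddr 203.0.113.5/51234 gaddr 198.51.100.2/3389 laddr 192.168.1.10/3389
Jan 15 2008 10:24:01: %PIX-6-302001: Built inbound TCP connection 4102 for faddr 198.51.100.77/40022 gaddr 198.51.100.2/3389 laddr 192.168.1.10/3389
Jan 15 2008 10:24:30: %PIX-6-302013: Built inbound TCP connection 4103 for outside:203.0.113.5/51301 (203.0.113.5/51301) to inside:192.168.1.10/3389 (192.168.1.10/3389)
Jan 15 2008 10:25:12: %PIX-6-302001: Built inbound TCP connection 4104 for faddr 203.0.113.5/51400 gaddr 198.51.100.2/80 laddr 192.168.1.10/80
Jan 15 2008 10:26:00: %PIX-6-302002: Teardown TCP connection 4101 faddr 203.0.113.5/51234 gaddr 198.51.100.2/3389 laddr 192.168.1.10/3389 duration 0:00:03 bytes 1204
"""

# Timestamp prefix as written by "logging timestamp", then the %PIX-<sev>-<id> tag.
TIMESTAMP_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): '
    r'%PIX-\d-(?P<msgid>\d{6}): (?P<body>.*)$')

# PIX 6.x layout: faddr <outside host> gaddr <translated addr> laddr <inside host>
BUILT_6X_RE = re.compile(
    r'^Built inbound TCP connection \d+ for faddr (?P<src>[\d.]+)/\d+ '
    r'gaddr [\d.]+/\d+ laddr (?P<dst>[\d.]+)/(?P<dport>\d+)')

# PIX 7.x / ASA layout: <if>:<src>/<port> (<mapped>) to <if>:<dst>/<port> (<mapped>)
BUILT_7X_RE = re.compile(
    r'^Built inbound TCP connection \d+ for \w+:(?P<src>[\d.]+)/\d+ \([\d.]+/\d+\) '
    r'to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)')


def parse_built_connection(line):
    """Return (timestamp, src_ip, dst_ip, dst_port) for a 'Built inbound TCP
    connection' line in either layout, or None for any other line."""
    m = TIMESTAMP_RE.match(line.strip())
    if not m:
        return None
    body = m.group('body')
    for pattern in (BUILT_6X_RE, BUILT_7X_RE):
        b = pattern.match(body)
        if b:
            return (m.group('ts'), b.group('src'), b.group('dst'), int(b.group('dport')))
    return None


def rdp_attempts(lines, allowed_sources, rdp_port=3389):
    """Keep only inbound connections to rdp_port whose source is not on the
    allow-list of legitimate Remote Desktop users."""
    records = []
    for line in lines:
        parsed = parse_built_connection(line)
        if parsed is None:
            continue
        ts, src, dst, dport = parsed
        if dport != rdp_port or src in allowed_sources:
            continue
        records.append(parsed)
    return records


def count_by_source(records):
    """Number of port 3389 connections per unknown source address."""
    return Counter(src for _, src, _, _ in records)


if __name__ == '__main__':
    # Constructed allow-list: addresses the legitimate remote users connect from.
    allowed = {'198.51.100.77'}
    hits = rdp_attempts(SAMPLE_LOG.splitlines(), allowed)
    for ts, src, dst, dport in hits:
        print(f'{ts}  {src} -> {dst}:{dport}')
    print(dict(count_by_source(hits)))
```

Note that a firewall connection log only gives you the source address and time: the computer name the lawyers asked for is not in the PIX messages at all. That field comes from the Windows side described in the first answer, where a failed logon event (529 on Windows Server 2003) records the workstation name and source network address, so the two logs need to be matched up on address and time.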
mstefani (Author) commented:
You would think that MS would have made stuff like this easier to do....

thanks Zuech
0