mstefani (asker):

how to log the ip address and time of anyone accessing the network on port 3389 remote desktop

We have an intruder that is accessing our win2k3 terminal server. I have changed the passwords so he/she can no longer get in, but the lawyers want to track any future attempts. Is there a way to log access on port 3389 on a PIX 501? They want to capture: computer name, IP address and time that the PIX was accessed, even though the win2k3 server will now reject their login attempt. We do have legitimate users accessing the server using Remote Desktop on port 3389, so I will have to weed those out.

thanks,
Mike
zuech:

Auditing logon attempts via Group Policy on the Microsoft server side would give you the IP address, time and the user they are trying to log on as, which can be sorted by failures. Here is an article regarding that.

http://support.microsoft.com/kb/814595
mstefani (asker):

That looks great, but how do I audit just the terminal server logins? I am not even close to an expert on Active Directory... so any and all help would be appreciated.

thanks,
Mike
zuech:

In order to get all the info you are looking for, you may need to use a combination of monitoring. The auditing will give you who they are trying to log in as and the IP address, while something like a syslog server will help you track 3389 traffic along with the IP address. I am in no way close to an expert on Cisco, but I have set up this scenario for similar reasons on an ASA. I'm hoping one of the experts can help you with the commands, as I believe they are different for the PIX, but here is a link to software that can capture the logs. This is free software which was easy to use.

http://www.kiwisyslog.com/software_downloads.htm

The commands I used in my ASA were as follows, but as I stated, hopefully one of the experts can assist here.

! enable logging and timestamp every message
logging on
logging timestamp
! severity 7 (debugging) for the console monitor and for syslog traps
logging monitor 7
logging trap 7
! send messages to the syslog server reached through the inside interface;
! replace the placeholder with that server's inside IP address
logging host inside <inside-ip-of-syslog-server>

The 7 is debugging mode which, depending on how much traffic you get, will add up quickly, so you don't want to keep it in that mode unless you have a ton of space. This will show you the IP and port the traffic is on and dump it in a text file.

I tried to find info on logging on the 501 but couldn't. I will check to see if I can find anything when I get in my office tomorrow. If an expert doesn't jump in, I have 2 offices with 500 series PIXs, so maybe I can try the setup there to get a better idea of the commands and how it works in the PIX compared to the ASA.
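One way to turn the two sources zuech describes (the Windows audit log for who/which workstation, the PIX syslog for the connection to port 3389) into the list the lawyers asked for, as an added example that is not code from anyone in this thread. The script parses constructed PIX syslog lines in the shape of the 302013 "Built inbound TCP connection" message (with logging timestamp on) and constructed Windows Server 2003 Security log entries for event 529 (logon failure) with logon type 10 (Terminal Services), drops source addresses on an allowlist of legitimate Remote Desktop users, and pairs each remaining failure with PIX connections from the same address within a short window. The event ID, logon type, field names and message layout are assumptions drawn from those products' documentation, not from this page; every log line and address below is constructed.

```python
"""Correlate PIX connection logs with Windows 2003 RDP logon-failure audits.

Added example for this thread; formats are assumed, all sample data is constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed PIX syslog lines modelled on the 302013 "Built inbound TCP
# connection" message as emitted with "logging timestamp" (assumed layout).
PIX_SYSLOG = """\
Mar 03 2008 09:12:41: %PIX-6-302013: Built inbound TCP connection 81273 for outside:203.0.113.45/51722 (203.0.113.45/51722) to inside:192.168.1.20/3389 (198.51.100.2/3389)
Mar 03 2008 09:13:05: %PIX-6-302013: Built inbound TCP connection 81274 for outside:198.51.100.77/40011 (198.51.100.77/40011) to inside:192.168.1.20/3389 (198.51.100.2/3389)
Mar 03 2008 09:14:30: %PIX-6-302013: Built inbound TCP connection 81275 for outside:203.0.113.45/51730 (203.0.113.45/51730) to inside:192.168.1.20/443 (198.51.100.2/443)
"""

# Constructed Windows Server 2003 Security log entries, trimmed to the fields an
# Event Viewer text export carries. Event 529 = logon failure; Logon Type 10 = Terminal Services.
WINDOWS_SECURITY = """\
Event ID: 529
Date: 3/3/2008
Time: 9:12:44 AM
    User Name: administrator
    Logon Type: 10
    Workstation Name: WKS-UNKNOWN
    Source Network Address: 203.0.113.45

Event ID: 529
Date: 3/3/2008
Time: 9:13:09 AM
    User Name: jsmith
    Logon Type: 10
    Workstation Name: JSMITH-LAPTOP
    Source Network Address: 198.51.100.77

Event ID: 529
Date: 3/3/2008
Time: 9:15:02 AM
    User Name: backup
    Logon Type: 3
    Workstation Name: FILESRV
    Source Network Address: 192.168.1.50
"""

PIX_BUILT_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d{4} \d\d:\d\d:\d\d): %PIX-\d-302013: Built inbound TCP "
    r"connection \d+ for \w+:(?P<src>[\d.]+)/\d+ \([^)]*\) to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_pix_rdp_connections(text, rdp_port=3389):
    """Return inbound PIX connections whose destination port is the RDP port."""
    hits = []
    for line in text.splitlines():
        m = PIX_BUILT_RE.match(line)
        if m and int(m.group("dport")) == rdp_port:
            hits.append({"time": datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S"),
                         "src_ip": m.group("src"), "dst_ip": m.group("dst")})
    return hits


def parse_windows_logon_failures(text, logon_type="10"):
    """Return event 529 records of the given logon type (10 = Terminal Services)."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        # one "Key: value" pair per line; indentation is ignored
        f = {k.strip(): v.strip() for k, v in re.findall(r"^\s*([^:\n]+):\s*(.*)$", block, re.M)}
        if f.get("Event ID") != "529" or f.get("Logon Type") != logon_type:
            continue
        events.append({"time": datetime.strptime(f["Date"] + " " + f["Time"], "%m/%d/%Y %I:%M:%S %p"),
                       "user": f["User Name"], "workstation": f["Workstation Name"],
                       "src_ip": f["Source Network Address"]})
    return events


def correlate(pix_hits, failures, allowlist, window=timedelta(minutes=2)):
    """Pair each non-allowlisted RDP logon failure with PIX connections from the same source."""
    report = []
    for fail in failures:
        if fail["src_ip"] in allowlist:
            continue  # legitimate Remote Desktop users are weeded out here
        conns = [p for p in pix_hits
                 if p["src_ip"] == fail["src_ip"] and abs(p["time"] - fail["time"]) <= window]
        report.append({"time": fail["time"].isoformat(" "), "src_ip": fail["src_ip"],
                       "workstation": fail["workstation"], "user": fail["user"],
                       "pix_connections": len(conns)})
    return report


LEGITIMATE_RDP_SOURCES = {"198.51.100.77"}  # constructed allowlist of known-good client addresses

if __name__ == "__main__":
    for row in correlate(parse_pix_rdp_connections(PIX_SYSLOG),
                         parse_windows_logon_failures(WINDOWS_SECURITY), LEGITIMATE_RDP_SOURCES):
        print(row)
```

The connection-built message is logged at severity 6 (informational), so a trap level of 6 is enough to capture it on the syslog server without the volume that level 7 debugging output adds; the PIX line supplies the public source address and time, while the Windows audit entry is what carries the client's workstation name and the account tried.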
ASKER CERTIFIED SOLUTION
zuech: (solution text only available to members)

mstefani (asker):
You would think that MS would have made stuff like this easier to do....

thanks Zuech