Solved

How to tell if a user has remotely logged onto a server

Posted on 2008-06-24
7
1,045 Views
Last Modified: 2010-08-05
How can you tell if someone is remotely accessing a server?

Is that logged in the event log, security logs and if so what event id would it be and how would it be listed.

I see a bunch of logs some annomyous, some administrator....some I dont' know what they do...would this be the place.

We are checking to see if one of our it admins are remotely accessing a specific server...and would like to know if that gets logged if someone rdps into a server

Thanks
0
Comment
Question by:WestonGroup
  • 3
  • 2
7 Comments
 
LVL 14

Expert Comment

by:agriesser
ID: 21860242
Check the eventlog (Start -> Run -> eventvwr), click on Security and watch out for event ids 528 and 538.
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 21860616
1) You can use the Terminal services manager in administrative tools to view local or remote server terminal server/remote desktop sessions

2) You can enable detailed auditing and within the configuration, you can configure the systems and successful and/or failed events you wish to audit. Following articles outline how to enable and analyze the results:
http://support.microsoft.com/kb/814595/
http://www.windowsecurity.com/articles/Understanding_Windows_Logging.html
http://207.46.19.60/technet/prodtechnol/windows2000serv/maintain/monitor/logevnts.mspx
However using auditing can be time consuming to filter and extract.

3) Another option is to add the lines below to each users logon and log off script to create a log file. It would give you UserName, ComputerName, date and time, in a simple single line, followed by the IP from which they connected, if needed. If you wish to know logoff times as well, you can add the same lines to a log off script in group policy (if you don't already have one: User Configuration | Windows settings | Scripts | Logoff). You likely wont need the last line (IP address) in the log off script.

As written below it will create the log/text file in \\Server\Logs\LogOns.Log and the entries will look like:
Log File

Log On:  jdoe SERVER1  Tue 1/1/2007   9:01
  TCP    10.0.1.100:3389        66.66.123.123:1234        ESTABLISHED
 
Log Off: jdoe SERVER1  Tue 1/1/2007   9:31

Log On:  jsmith SERVER2  Tue 1/1/2007   11:00
  TCP    10.0.1.200:3389        66.66.123.124:1234        ESTABLISHED
 
Log Off: jsmith SERVER1  Tue 1/1/2007   11:30
---------------------------------------------------------------------------

:Logging
If Exist "\\Server\Logs\LogOns.Log" GoTo START
Echo Log File > "\\Server\Logs\LogOns.Log"
:START
Echo. >> "\\Server\Logs\LogOns.Log"
Echo Log On:  %USERNAME% %COMPUTERNAME%  %Date:~0,16%  %Time:~0,5% >> "\\Server\Logs\LogOns.Log"
netstat  -an  |find  "3389"  |find  /I  "established"  >> "\\Server\Logs\LogOns.Log"

---------------------------------------------------------------------------
Note the users will need to have read/write and execute permissions for the \\Server\Logs\LogOns.Log  file.
0
 
LVL 14

Expert Comment

by:agriesser
ID: 21863477
RobWill, your solution probably does not list the remote logins that have been happend in the past, or does it?
Do you know of any other way to access this information when the logging you mentioned hasn't been enabled, let's say, I'm suspecting someone doing something nasty and want to look if he logged in in the last week?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 21864399
I don't know of a way to check past activities if systems have not been put in place beforehand.
0
 
LVL 14

Expert Comment

by:agriesser
ID: 21924405
WestonGroup, was this information helpful for you?
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
I'm a big fan of Windows' offline folder caching and have used it on my laptops for over a decade.  One thing I don't like about it, however, is how difficult Microsoft has made it for the cache to be moved out of the Windows folder.  Here's how to …
This Micro Tutorial will give you a basic overview how to record your screen with Microsoft Expression Encoder. This program is still free and open for the public to download. This will be demonstrated using Microsoft Expression Encoder 4.
Along with being a a promotional video for my three-day Annielytics Dashboard Seminor, this Micro Tutorial is an intro to Google Analytics API data.

778 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question