Solved

Monitor/Record Windows XP RDP session

Posted on 2009-07-08
Last Modified: 2013-11-21
I have someone who believes that an ex-employee is getting into one of their computers. What they have described sounds almost like a plain RDP session on an XP machine (the computer says it is locked and in use by the user when they've logged in remotely). This got me wondering exactly how I could go about finding out what they are doing if this is the case. Is there a way in XP to log the IP address and time of RDP connections, and is there a piece of software that will log what files they access and programs they open when they have the session open?
Question by:0770

Expert Comment

by:Lee W, MVP
ID: 24805251
Nothing specific I'm aware of... but let me ask you - WHY HAVEN'T ALL THE PASSWORDS BEEN CHANGED?  That would ensure this doesn't happen - if it is happening.

Otherwise, keyloggers may be able to do the trick...

Author Comment

by:0770
ID: 24805279
Haha, I agree with the password comment, and suggested it to them, but they want to leave it open and catch them in the act if possible.

Accepted Solution

by:Lee W, MVP (earned 250 total points)
ID: 24805382
You can also enable auditing and track logons and logoffs.  If you are using the SBS RWW feature, you can check the logs for the source IP.  

But it sounds like the client isn't thinking. I mean, if the data is important, then why are they allowing this? This ex-employee could be opening up Excel sheets and altering numbers in documents that could result in damage to their clients. If this happens, the COMPANY could be sued if they act on or provide false information to their clients - and the excuse "we were hacked" won't hold up if they LET the hacker continue to access their systems by not taking appropriate measures to prevent it once the intrusion was suspected. It's nice to catch people... but it's foolish to allow potentially damaging... scratch that, potentially CRIPPLING activity to continue. If they really want to waste the time, set up a false system for the user to connect to, but change everyone else's passwords and get some security on it NOW.

And if you're a consultant and allow this to happen without outlining the possible dangers, I would be concerned YOU could get sued as well... later on... by this client!

Assisted Solution

by:graye
graye earned 250 total points
ID: 24806367
In addition to the excellent suggestions above... you can look at the Security event log and find event 540 (LogonType 10):
 http://www.windowsecurity.com/articles/Logon-Types.html
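
The filter described in the answers above, as an added example that is not part of the original thread: it reads Security log entries and lists the time, account and source address of each Logon Type 10 (Remote Desktop) logon. The function names `Get-Field` and `Get-RdpLogon` and the sample entries are constructed here; the live-use line checks event 528, XP's general successful-logon ID, as well as the 540 named above, and assumes logon auditing is already enabled.

```powershell
# Added example, not from the thread. Targets PowerShell 2.0 (available for XP).
# Assumption: field labels follow the XP logon-event message layout.

function Get-Field([string]$Text, [string]$Label) {
    # Anchor at line start so "User Name:" does not match "Caller User Name:".
    $pattern = '(?m)^[ \t]*' + [regex]::Escape($Label) + ':[ \t]*(\S+)'
    $m = [regex]::Match($Text, $pattern)
    if ($m.Success) { $m.Groups[1].Value } else { $null }
}

function Get-RdpLogon {
    param([Parameter(ValueFromPipeline = $true)] $Entry)
    process {
        $msg = $Entry.Message
        # Logon Type 10 = RemoteInteractive (Terminal Services / Remote Desktop).
        if ((Get-Field $msg 'Logon Type') -ne '10') { return }
        New-Object PSObject -Property @{
            Time          = $Entry.TimeGenerated
            EventID       = $Entry.EventID
            User          = (Get-Field $msg 'Domain') + '\' + (Get-Field $msg 'User Name')
            SourceAddress = (Get-Field $msg 'Source Network Address')
        }
    }
}

# Constructed sample entries (documentation address range), shaped like the
# objects Get-EventLog returns: one RDP logon and one console logon.
$rdp = "Successful Logon:`r`n`tUser Name:`tjdoe`r`n`tDomain:`tEXAMPLE`r`n" +
       "`tLogon Type:`t10`r`n`tCaller User Name:`tPC01`$`r`n" +
       "`tSource Network Address:`t203.0.113.7"
$console = "Successful Logon:`r`n`tUser Name:`tjdoe`r`n`tDomain:`tEXAMPLE`r`n" +
           "`tLogon Type:`t2`r`n`tSource Network Address:`t127.0.0.1"
$samples = @(
    New-Object PSObject -Property @{
        TimeGenerated = [datetime]'2009-07-08T02:14:00'; EventID = 528; Message = $rdp }
    New-Object PSObject -Property @{
        TimeGenerated = [datetime]'2009-07-08T09:01:00'; EventID = 528; Message = $console }
)

# Only the Logon Type 10 entry is listed.
$samples | Get-RdpLogon | Format-Table Time, EventID, User, SourceAddress -AutoSize

# Live log (run as an administrator, with logon-event auditing enabled):
# Get-EventLog -LogName Security |
#     Where-Object { 528, 540 -contains $_.EventID } | Get-RdpLogon
```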