Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Monitor/Record Windows XP RDP session

Posted on 2009-07-08
5
Medium Priority
?
944 Views
Last Modified: 2013-11-21
I have someone who believes that an ex-employee is getting into one of their computers.  What they have described sounds almost like a plain RDP session on an XP machine (The computer says it is locked and in use by the user when they've logged in remotely).  This got me wondering exactly how I could go about finding out what they are doing if this is the case.  Is there a way in XP to log the IP address and time of RDP connections,  and is there a piece of software that will log what files they access and programs they open when they have the session open?
0
Comment
Question by:0770
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
5 Comments
 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 24805251
Nothing specific I'm aware of... but let me ask you - WHY HAVEN'T ALL THE PASSWORDS BEEN CHANGED?  That would ensure this doesn't happen - if it is happening.

Otherwise, keyloggers may be able to do the trick...
0
 
LVL 1

Author Comment

by:0770
ID: 24805279
Haha, I agree with the password comment, and suggested it to them, but they want to leave it open and catch them in the act if possible.
0
 
LVL 96

Accepted Solution

by:
Lee W, MVP earned 1000 total points
ID: 24805382
You can also enable auditing and track logons and logoffs.  If you are using the SBS RWW feature, you can check the logs for the source IP.  

But it sounds like the client isn't thinking.  I mean, if the data is important, then why are allowing this?  This ex-employee could be opening up Excel sheets and altering numbers in documents that could result in damage to their clients.  If this happens, the COMPANY could be sued if they act on or provide false information to their clients - and the excuse "we were hacked" won't hold up if they LET the hacker continue to access their systems by not taking appropriate measures to prevent it once the intrusion was suspected.  It's nice to catch people... but it's foolish to allow potentially damaging... scratch that, potentially CRIPPLING activity to continue.  If they really want to waste the time, set up a false system for the user to connect to, but change everyone else's passwords and get some security on it NOW.

And if you're a consultant and allow this to happen without outlining the possible dangers, I would be concerned YOU could get sued as well... later on... by this client!
0
 
LVL 41

Assisted Solution

by:graye
graye earned 1000 total points
ID: 24806367
In addition to the excellent suggestions above...   you can look at the Security event log and find event 540 (LogonType 10)
 http://www.windowsecurity.com/articles/Logon-Types.html
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Can I legally transfer my OEM version of Windows to another PC?  (AKA - Can I put a new systemboard in my OEM PC?) Few of us are both IT and legal experts but we all have our own views of Microsoft's licensing rules and how they apply.  There are…
Know what services you can and cannot, should and should not combine on your server.
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
In this video, Percona Solutions Engineer Barrett Chambers discusses some of the basic syntax differences between MySQL and MongoDB. To learn more check out our webinar on MongoDB administration for MySQL DBA: https://www.percona.com/resources/we…

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question