Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 945
  • Last Modified:

Monitor/Record Windows XP RDP session

I have someone who believes that an ex-employee is getting into one of their computers.  What they have described sounds almost like a plain RDP session on an XP machine (The computer says it is locked and in use by the user when they've logged in remotely).  This got me wondering exactly how I could go about finding out what they are doing if this is the case.  Is there a way in XP to log the IP address and time of RDP connections,  and is there a piece of software that will log what files they access and programs they open when they have the session open?
0
0770
Asked:
0770
  • 2
2 Solutions
 
Lee W, MVPTechnology and Business Process AdvisorCommented:
Nothing specific I'm aware of... but let me ask you - WHY HAVEN'T ALL THE PASSWORDS BEEN CHANGED?  That would ensure this doesn't happen - if it is happening.

Otherwise, keyloggers may be able to do the trick...
0
 
0770Author Commented:
Haha, I agree with the password comment, and suggested it to them, but they want to leave it open and catch them in the act if possible.
0
 
Lee W, MVPTechnology and Business Process AdvisorCommented:
You can also enable auditing and track logons and logoffs.  If you are using the SBS RWW feature, you can check the logs for the source IP.  

But it sounds like the client isn't thinking.  I mean, if the data is important, then why are allowing this?  This ex-employee could be opening up Excel sheets and altering numbers in documents that could result in damage to their clients.  If this happens, the COMPANY could be sued if they act on or provide false information to their clients - and the excuse "we were hacked" won't hold up if they LET the hacker continue to access their systems by not taking appropriate measures to prevent it once the intrusion was suspected.  It's nice to catch people... but it's foolish to allow potentially damaging... scratch that, potentially CRIPPLING activity to continue.  If they really want to waste the time, set up a false system for the user to connect to, but change everyone else's passwords and get some security on it NOW.

And if you're a consultant and allow this to happen without outlining the possible dangers, I would be concerned YOU could get sued as well... later on... by this client!
0
 
grayeCommented:
In addition to the excellent suggestions above...   you can look at the Security event log and find event 540 (LogonType 10)
 http://www.windowsecurity.com/articles/Logon-Types.html
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now