Solved

Monitor/Record Windows XP RDP session

Posted on 2009-07-08
5
934 Views
Last Modified: 2013-11-21
I have someone who believes that an ex-employee is getting into one of their computers.  What they have described sounds almost like a plain RDP session on an XP machine (The computer says it is locked and in use by the user when they've logged in remotely).  This got me wondering exactly how I could go about finding out what they are doing if this is the case.  Is there a way in XP to log the IP address and time of RDP connections,  and is there a piece of software that will log what files they access and programs they open when they have the session open?
0
Comment
Question by:0770
  • 2
5 Comments
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 24805251
Nothing specific I'm aware of... but let me ask you - WHY HAVEN'T ALL THE PASSWORDS BEEN CHANGED?  That would ensure this doesn't happen - if it is happening.

Otherwise, keyloggers may be able to do the trick...
0
 
LVL 1

Author Comment

by:0770
ID: 24805279
Haha, I agree with the password comment, and suggested it to them, but they want to leave it open and catch them in the act if possible.
0
 
LVL 95

Accepted Solution

by:
Lee W, MVP earned 250 total points
ID: 24805382
You can also enable auditing and track logons and logoffs.  If you are using the SBS RWW feature, you can check the logs for the source IP.  

But it sounds like the client isn't thinking.  I mean, if the data is important, then why are allowing this?  This ex-employee could be opening up Excel sheets and altering numbers in documents that could result in damage to their clients.  If this happens, the COMPANY could be sued if they act on or provide false information to their clients - and the excuse "we were hacked" won't hold up if they LET the hacker continue to access their systems by not taking appropriate measures to prevent it once the intrusion was suspected.  It's nice to catch people... but it's foolish to allow potentially damaging... scratch that, potentially CRIPPLING activity to continue.  If they really want to waste the time, set up a false system for the user to connect to, but change everyone else's passwords and get some security on it NOW.

And if you're a consultant and allow this to happen without outlining the possible dangers, I would be concerned YOU could get sued as well... later on... by this client!
0
 
LVL 41

Assisted Solution

by:graye
graye earned 250 total points
ID: 24806367
In addition to the excellent suggestions above...   you can look at the Security event log and find event 540 (LogonType 10)
 http://www.windowsecurity.com/articles/Logon-Types.html
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Windows print sharing 1 63
Alternative access for remote users 6 85
Windows 7 Share with XP 22 132
Digital camera and media XP and Vista - fails on Windows 7 24 106
If your system is showing symptoms of browser hijacks or 'google search redirects' check out my other article (http://rdsrc.us/u3GP7A) first and run the tool TDSSKiller (http://rdsrc.us/GDBBs4) to get rid of the infection. Once done, and if the …
Remote Apps is a feature in server 2008 which allows users to run applications off Remote Desktop Servers without having to log into them to run the applications.  The user can either have a desktop shortcut installed or go through the web portal to…
This tutorial gives a high-level tour of the interface of Marketo (a marketing automation tool to help businesses track and engage prospective customers and drive them to purchase). You will see the main areas including Marketing Activities, Design …
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now