Solved

Monitor/Record Windows XP RDP session

Posted on 2009-07-08
5
937 Views
Last Modified: 2013-11-21
I have someone who believes that an ex-employee is getting into one of their computers.  What they have described sounds almost like a plain RDP session on an XP machine (The computer says it is locked and in use by the user when they've logged in remotely).  This got me wondering exactly how I could go about finding out what they are doing if this is the case.  Is there a way in XP to log the IP address and time of RDP connections,  and is there a piece of software that will log what files they access and programs they open when they have the session open?
0
Comment
Question by:0770
  • 2
5 Comments
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 24805251
Nothing specific I'm aware of... but let me ask you - WHY HAVEN'T ALL THE PASSWORDS BEEN CHANGED?  That would ensure this doesn't happen - if it is happening.

Otherwise, keyloggers may be able to do the trick...
0
 
LVL 1

Author Comment

by:0770
ID: 24805279
Haha, I agree with the password comment, and suggested it to them, but they want to leave it open and catch them in the act if possible.
0
 
LVL 95

Accepted Solution

by:
Lee W, MVP earned 250 total points
ID: 24805382
You can also enable auditing and track logons and logoffs.  If you are using the SBS RWW feature, you can check the logs for the source IP.  

But it sounds like the client isn't thinking.  I mean, if the data is important, then why are allowing this?  This ex-employee could be opening up Excel sheets and altering numbers in documents that could result in damage to their clients.  If this happens, the COMPANY could be sued if they act on or provide false information to their clients - and the excuse "we were hacked" won't hold up if they LET the hacker continue to access their systems by not taking appropriate measures to prevent it once the intrusion was suspected.  It's nice to catch people... but it's foolish to allow potentially damaging... scratch that, potentially CRIPPLING activity to continue.  If they really want to waste the time, set up a false system for the user to connect to, but change everyone else's passwords and get some security on it NOW.

And if you're a consultant and allow this to happen without outlining the possible dangers, I would be concerned YOU could get sued as well... later on... by this client!
0
 
LVL 41

Assisted Solution

by:graye
graye earned 250 total points
ID: 24806367
In addition to the excellent suggestions above...   you can look at the Security event log and find event 540 (LogonType 10)
 http://www.windowsecurity.com/articles/Logon-Types.html
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

If you have done a reformat of your hard drive and proceeded to do a successful Windows XP installation, you may notice that a choice between two operating systems when you start up the machine. Here is how to get rid of this: Click Start Clic…
Remote Apps is a feature in server 2008 which allows users to run applications off Remote Desktop Servers without having to log into them to run the applications.  The user can either have a desktop shortcut installed or go through the web portal to…
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
Although Jacob Bernoulli (1654-1705) has been credited as the creator of "Binomial Distribution Table", Gottfried Leibniz (1646-1716) did his dissertation on the subject in 1666; Leibniz you may recall is the co-inventor of "Calculus" and beat Isaac…

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question