natrat22


Can I see who and when someone has logged onto a server or PC in the network

Hi all,

I have a new client who has an SBS2008 network, pretty straightforward setup, half a dozen workstations or so and remote access via Remote Web Workplace and RDP to the SBS box enabled.

The boss thinks that someone has accessed confidential information on the server from outside the network. He suspects they have either connected to the server via RDP or another PC via RWW with his account or the administrator account and viewed documents in a shared folder on the server that are restricted to his logon and the admin logon.

He has asked me to find out what I can about any unauthorised remote access. He wants to know if I can tell what IP addresses have accessed the server from outside (via RWW or RDP) or see what accounts have logged onto the server directly. From what I know, there is very little logging enabled to be able to find out any of this information, is that correct?

nathan
ASKER CERTIFIED SOLUTION
Cliff Galiher
nettek0300

It depends on if someone set up logging or not. All the logs you would need to see would be in the security section of the event viewer. Depending on whether or not logging is turned on would depend on whether you would be able to see what you need. You can set this up via group policy. There are logs that are tagged as logon/logoff which is where you can see who logged on and off. You just have to look carefully. Another way to tell what computer is logging on is that typically when a computer connects via RDP, the server will try to set up the printers that are on the client's computer. Depending on the OS version and print drivers, you can sometimes see errors in the system log where the printer setup failed. It will list the computer device name in those logs.

You may be able to access the event viewer (start/run/eventvwr) and go to the security tab. It's a very basic log of who has successfully logged in and notes errors when people attempt to log in and provide the wrong password. If you have an idea of when the alleged violation occurred, this might help.

Todd
If they came in through RWW, then there should be a record of it in the IIS Log files...
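
For the IIS log suggestion above, an added example (not part of any post in this thread): Python that reads IIS W3C extended log text and lists requests to the RWW site from non-internal addresses, grouped by client IP. The `/remote` path prefix, the chosen log fields, a populated `cs-username` column and the sample lines are assumptions constructed for illustration.

```python
import ipaddress

# Internal ranges are listed explicitly: ipaddress's is_private also flags the
# documentation ranges used in the sample below.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample in IIS W3C extended format (not from a real server).
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 7.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2010-03-01 08:02:11 GET /Remote/logon.aspx - 192.168.16.31 200
2010-03-01 22:41:07 POST /Remote/logon.aspx - 203.0.113.45 302
2010-03-01 22:41:09 GET /Remote/default.aspx EXAMPLE\boss 203.0.113.45 200
2010-03-02 01:15:30 GET /Remote/default.aspx EXAMPLE\administrator 198.51.100.7 200
2010-03-02 01:16:02 GET /favicon.ico - 198.51.100.7 404
"""

def external_hits(log_text, path_prefix="/remote"):
    """Return (utc_time, client_ip, user, uri, status) for requests under
    path_prefix that came from outside the INTERNAL ranges."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        try:
            ip = ipaddress.ip_address(row.get("c-ip", ""))
        except ValueError:
            continue                       # truncated or malformed line
        uri = row.get("cs-uri-stem", "")
        if any(ip in net for net in INTERNAL) or not uri.lower().startswith(path_prefix):
            continue
        when = "%s %s" % (row.get("date", "?"), row.get("time", "?"))  # IIS logs UTC
        hits.append((when, str(ip), row.get("cs-username", "-"), uri, row.get("sc-status", "")))
    return hits

def summarize(hits):
    """Group hits by client IP: first seen, last seen, authenticated users."""
    out = {}
    for when, ip, user, _uri, _status in hits:
        s = out.setdefault(ip, {"first": when, "last": when, "users": set()})
        s["first"], s["last"] = min(s["first"], when), max(s["last"], when)
        if user != "-":
            s["users"].add(user)
    return out
```

Timestamps in W3C logs are UTC by default, so convert before comparing them with the time the access is believed to have happened.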

ASKER

Thanks..