I have a new client who has a SBS2008 network, pretty straightforward setup, half a dozen workstations or so and remote access via Remote Web Workplace and RDP to the SBS box enabled.
the boss thinks that someone has accessed confidential information on the server from outside the network. He suspects they have either connected to the server via RDP or another pc via RWW with his account or the administrator account and viewed documents in a shared folder on the server that are restricted to his logon and the admin logon.
He has asked me to find out what i can about any unauthorised remote access. He wants to know if I can tell what IP addresses have accessed the server from outside (via RWW or RDP) or see what accounts have logged onto the server directly. From what i know, there is very little logging enabled to be able to find out any of this information, is that correct?