Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

VBScript to detect authorised remote login session

Posted on 2015-02-10
2
208 Views
Last Modified: 2015-02-22
Hi Experts,
I would need some VBScript to achieve the following results:-

Background:-
I have some designated gateway servers for vendors to use.
For this, I would need VBScript (which will be used as part of login script) to detect if any vendors are logging to servers without going through gateway servers and alerting via email.

Basic idea will be all remote login must be going through Gateway servers, for example
GateServer1 - 192.168.1.10
GateServer2 - 192.168.1.11
GateServer3 - 192.168.1.12
GateServer4 - 192.168.1.13
GateServer5 - 192.168.1.14

Script logic will be like:-
1) If remote source server name/ip does not match GateServerX or GateServerIP, create a new Event Source (VENDORS) with Event ID (8888) in target server application log for audit purpose.

2) In the newly created event should capture the following information:-
a) User ID logged on
b) Source Host Name/IP
c) Type of login session: RDP-TCP or ICA-TCP etc
d) Login server name - Server name that user is logged on
 
3) Flag out an email notification to Administrators for furter action.

4) This script should only detect RDP-Tcp# session, if it's Citrix session like ICA-TCP# session, can be ignored.


Thanks.

Regards,
Kung Hui
0
Comment
Question by:kunghui80
2 Comments
 
LVL 1

Accepted Solution

by:
eastms earned 500 total points
ID: 40602364
Here is what i use as a login script for a few of my sensitive accounts, its ugly but works well for me:

Sample email generated:

User sysadmin has logged into COMPUTER1
Current Location of computer in AD:
Datacenter1
Servers
Building 1
North Site
Domain.com
Logged in via: <REMOTE-COMPUTER-NAME-HERE>




usertracker.vbs
'===========================
'Send email to You
'===========================
Dim objShell
Set objMessage = CreateObject("CDO.Message") 
set objNet = CreateObject("wscript.network")
Set objShell = CreateObject("WScript.Shell")
'----------------------
'OU finder area
Set objSysInfo = CreateObject("ADSystemInfo")
strComputer = objSysInfo.ComputerName

Set objComputer = GetObject("LDAP://" & strComputer)
'i split OUs into seperate lines to make it easier to read in email.  If you dont have as many nested OUs you may remove some of the arrays below or an error may occour

arrOUs = Split(objComputer.Parent, ",")
arrMainOU1 = Split(arrOUs(0), "=")
arrMainOU2 = Split(arrOUs(1), "=")
arrMainOU3 = Split(arrOUs(2), "=")
arrMainOU4 = Split(arrOUs(3), "=")
arrMainOU5 = Split(arrOUs(4), "=")

'-----------------------


rempcname = objShell.ExpandEnvironmentStrings("%CLIENTNAME%")

if rempcname = "%CLIENTNAME%" then
		rempcname = "Console"
	else
	end if


'Testing...
'wscript.echo rempcname
'wscript.quit

'i split OUs into seperate lines to make it easier to read in email.  If you dont have as many nested OUs you may remove some of the arrays below or an error may occour
strmsgbody = ""
strmsgbody1 =   "User " & objNet.username & " has logged into "  & objNet.ComputerName &VbCr _
& "Current Location of computer in AD: " &VbCr _
& arrMainOU1(1) &VbCr _
& arrMainOU2(1)&VbCr _
& arrMainOU3(1)&VbCr _
& arrMainOU4(1)&VbCr _
& arrMainOU5(1)&VbCr _
& "Logged in via: " & rempcname



objMessage.Subject =  objNet.username & " logged into "  & objNet.ComputerName & " via " & rempcname
objMessage.From = "no-reply@domain.com" 
objMessage.To = "you@domain.com" 


objMessage.TextBody =  strmsgbody1 


'==This section provides the configuration information for the remote SMTP server.
'==Normally you will only change the server name or IP.
objMessage.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2 

'Name or IP of Remote SMTP Server
objMessage.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "SMTP.DOMAIN.COM"

'Server port (typically 25)
objMessage.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25 

objMessage.Configuration.Fields.Update

'==End remote SMTP server configuration section==

objMessage.Send

Open in new window

0
 
LVL 2

Author Closing Comment

by:kunghui80
ID: 40625036
Hi eastms,
The script does not cover all the perspective of my question for Item 1-4.  Item 1 & 4 were not accomplished, but the script provided does lead me to achieve those subsequently.

Thanks for assistance.

Regards,
Kung Hui
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Welcome back!  My apologies for taking so long to write part two of this series; it's been a long time coming!  As I promised in Part 1, this article will focus on how to locate those elusive AD properties that you are searching for.  Why is this us…
This script will sweep a range of IP addresses (class c only, 255.255.255.0) and report to a log the version of office installed. What it does: 1.)      Creates log file in the directory the script is run from (if it doesn't already exist) 2.)      Sweep…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

861 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question