Solved

VBScript to detect authorised remote login session

Posted on 2015-02-10
2
194 Views
Last Modified: 2015-02-22
Hi Experts,
I would need some VBScript to achieve the following results:-

Background:-
I have some designated gateway servers for vendors to use.
For this, I would need VBScript (which will be used as part of login script) to detect if any vendors are logging to servers without going through gateway servers and alerting via email.

Basic idea will be all remote login must be going through Gateway servers, for example
GateServer1 - 192.168.1.10
GateServer2 - 192.168.1.11
GateServer3 - 192.168.1.12
GateServer4 - 192.168.1.13
GateServer5 - 192.168.1.14

Script logic will be like:-
1) If remote source server name/ip does not match GateServerX or GateServerIP, create a new Event Source (VENDORS) with Event ID (8888) in target server application log for audit purpose.

2) In the newly created event should capture the following information:-
a) User ID logged on
b) Source Host Name/IP
c) Type of login session: RDP-TCP or ICA-TCP etc
d) Login server name - Server name that user is logged on
 
3) Flag out an email notification to Administrators for furter action.

4) This script should only detect RDP-Tcp# session, if it's Citrix session like ICA-TCP# session, can be ignored.


Thanks.

Regards,
Kung Hui
0
Comment
Question by:kunghui80
2 Comments
 
LVL 1

Accepted Solution

by:
eastms earned 500 total points
ID: 40602364
Here is what i use as a login script for a few of my sensitive accounts, its ugly but works well for me:

Sample email generated:

User sysadmin has logged into COMPUTER1
Current Location of computer in AD:
Datacenter1
Servers
Building 1
North Site
Domain.com
Logged in via: <REMOTE-COMPUTER-NAME-HERE>




usertracker.vbs
'===========================
'Send email to You
'===========================
Dim objShell
Set objMessage = CreateObject("CDO.Message") 
set objNet = CreateObject("wscript.network")
Set objShell = CreateObject("WScript.Shell")
'----------------------
'OU finder area
Set objSysInfo = CreateObject("ADSystemInfo")
strComputer = objSysInfo.ComputerName

Set objComputer = GetObject("LDAP://" & strComputer)
'i split OUs into seperate lines to make it easier to read in email.  If you dont have as many nested OUs you may remove some of the arrays below or an error may occour

arrOUs = Split(objComputer.Parent, ",")
arrMainOU1 = Split(arrOUs(0), "=")
arrMainOU2 = Split(arrOUs(1), "=")
arrMainOU3 = Split(arrOUs(2), "=")
arrMainOU4 = Split(arrOUs(3), "=")
arrMainOU5 = Split(arrOUs(4), "=")

'-----------------------


rempcname = objShell.ExpandEnvironmentStrings("%CLIENTNAME%")

if rempcname = "%CLIENTNAME%" then
		rempcname = "Console"
	else
	end if


'Testing...
'wscript.echo rempcname
'wscript.quit

'i split OUs into seperate lines to make it easier to read in email.  If you dont have as many nested OUs you may remove some of the arrays below or an error may occour
strmsgbody = ""
strmsgbody1 =   "User " & objNet.username & " has logged into "  & objNet.ComputerName &VbCr _
& "Current Location of computer in AD: " &VbCr _
& arrMainOU1(1) &VbCr _
& arrMainOU2(1)&VbCr _
& arrMainOU3(1)&VbCr _
& arrMainOU4(1)&VbCr _
& arrMainOU5(1)&VbCr _
& "Logged in via: " & rempcname



objMessage.Subject =  objNet.username & " logged into "  & objNet.ComputerName & " via " & rempcname
objMessage.From = "no-reply@domain.com" 
objMessage.To = "you@domain.com" 


objMessage.TextBody =  strmsgbody1 


'==This section provides the configuration information for the remote SMTP server.
'==Normally you will only change the server name or IP.
objMessage.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2 

'Name or IP of Remote SMTP Server
objMessage.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "SMTP.DOMAIN.COM"

'Server port (typically 25)
objMessage.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25 

objMessage.Configuration.Fields.Update

'==End remote SMTP server configuration section==

objMessage.Send

Open in new window

0
 
LVL 2

Author Closing Comment

by:kunghui80
ID: 40625036
Hi eastms,
The script does not cover all the perspective of my question for Item 1-4.  Item 1 & 4 were not accomplished, but the script provided does lead me to achieve those subsequently.

Thanks for assistance.

Regards,
Kung Hui
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction During my participation as a VBScript contributor at Experts Exchange, one of the most common questions I come across is this: "I have a script that runs against only one computer. How can I make it run against a list of computers in …
This is pretty cool.  The purpose of this VB Script is to help you document where JAR (Java ARchive) files and specifically java class files are located so that you can address issues seen with a client or that you can speak intelligently with a dev…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question