Solved

VBScript to detect authorised remote login session

Posted on 2015-02-10
2
242 Views
Last Modified: 2015-02-22
Hi Experts,
I would need some VBScript to achieve the following results:-

Background:-
I have some designated gateway servers for vendors to use.
For this, I would need VBScript (which will be used as part of login script) to detect if any vendors are logging to servers without going through gateway servers and alerting via email.

Basic idea will be all remote login must be going through Gateway servers, for example
GateServer1 - 192.168.1.10
GateServer2 - 192.168.1.11
GateServer3 - 192.168.1.12
GateServer4 - 192.168.1.13
GateServer5 - 192.168.1.14

Script logic will be like:-
1) If remote source server name/ip does not match GateServerX or GateServerIP, create a new Event Source (VENDORS) with Event ID (8888) in target server application log for audit purpose.

2) In the newly created event should capture the following information:-
a) User ID logged on
b) Source Host Name/IP
c) Type of login session: RDP-TCP or ICA-TCP etc
d) Login server name - Server name that user is logged on
 
3) Flag out an email notification to Administrators for furter action.

4) This script should only detect RDP-Tcp# session, if it's Citrix session like ICA-TCP# session, can be ignored.


Thanks.

Regards,
Kung Hui
0
Comment
Question by:kunghui80
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 1

Accepted Solution

by:
eastms earned 500 total points
ID: 40602364
Here is what i use as a login script for a few of my sensitive accounts, its ugly but works well for me:

Sample email generated:

User sysadmin has logged into COMPUTER1
Current Location of computer in AD:
Datacenter1
Servers
Building 1
North Site
Domain.com
Logged in via: <REMOTE-COMPUTER-NAME-HERE>




usertracker.vbs
'===========================
'Send email to You
'===========================
Dim objShell
Set objMessage = CreateObject("CDO.Message") 
set objNet = CreateObject("wscript.network")
Set objShell = CreateObject("WScript.Shell")
'----------------------
'OU finder area
Set objSysInfo = CreateObject("ADSystemInfo")
strComputer = objSysInfo.ComputerName

Set objComputer = GetObject("LDAP://" & strComputer)
'i split OUs into seperate lines to make it easier to read in email.  If you dont have as many nested OUs you may remove some of the arrays below or an error may occour

arrOUs = Split(objComputer.Parent, ",")
arrMainOU1 = Split(arrOUs(0), "=")
arrMainOU2 = Split(arrOUs(1), "=")
arrMainOU3 = Split(arrOUs(2), "=")
arrMainOU4 = Split(arrOUs(3), "=")
arrMainOU5 = Split(arrOUs(4), "=")

'-----------------------


rempcname = objShell.ExpandEnvironmentStrings("%CLIENTNAME%")

if rempcname = "%CLIENTNAME%" then
		rempcname = "Console"
	else
	end if


'Testing...
'wscript.echo rempcname
'wscript.quit

'i split OUs into seperate lines to make it easier to read in email.  If you dont have as many nested OUs you may remove some of the arrays below or an error may occour
strmsgbody = ""
strmsgbody1 =   "User " & objNet.username & " has logged into "  & objNet.ComputerName &VbCr _
& "Current Location of computer in AD: " &VbCr _
& arrMainOU1(1) &VbCr _
& arrMainOU2(1)&VbCr _
& arrMainOU3(1)&VbCr _
& arrMainOU4(1)&VbCr _
& arrMainOU5(1)&VbCr _
& "Logged in via: " & rempcname



objMessage.Subject =  objNet.username & " logged into "  & objNet.ComputerName & " via " & rempcname
objMessage.From = "no-reply@domain.com" 
objMessage.To = "you@domain.com" 


objMessage.TextBody =  strmsgbody1 


'==This section provides the configuration information for the remote SMTP server.
'==Normally you will only change the server name or IP.
objMessage.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2 

'Name or IP of Remote SMTP Server
objMessage.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "SMTP.DOMAIN.COM"

'Server port (typically 25)
objMessage.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25 

objMessage.Configuration.Fields.Update

'==End remote SMTP server configuration section==

objMessage.Send

Open in new window

0
 
LVL 2

Author Closing Comment

by:kunghui80
ID: 40625036
Hi eastms,
The script does not cover all the perspective of my question for Item 1-4.  Item 1 & 4 were not accomplished, but the script provided does lead me to achieve those subsequently.

Thanks for assistance.

Regards,
Kung Hui
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you need to start windows update installation remotely or as a scheduled task you will find this very helpful.
When you see single cell contains number and text, and you have to get any date out of it seems like cracking our heads.
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question