
audit logon/logoff events on terminal server

Posted by J.P. on July 18, 2007, 10:29 am
On a terminal server I've enabled "Audit Logon Events (Success/
Failure)" in the Audit Policy for the machine. On a successful logon
event (Event ID: 682) for the security event log it shows the user as
System and in the log information it shows the username that logged
in, the client computer name as well as the client computer IP
address. I'm looking for a way to show this information for failed
login attempts, be it a wrong password or a non-existent user. I would
like the username used, the computer name if it can be retrieved and
the IP address of the computer that failed a login attempt. I'm not
sure why this information isn't already disclosed on failed attempts
or maybe it is and I'm missing something along the lines. If anyone
can provide me with information on how to customize the information
logged I would greatly appreciate it.

Thanks


Posted by Al Dunbar on July 18, 2007, 11:46 pm

I would be surprised if the event log would keep track of the names of
non-existent accounts that had logon attempts. I strongly suspect that the
system gets the name logged into from the SAM database or AD, rather than
from what the user actually entered in the logon window. Also, I find I
often enter my password in the username field when in a hurry. I wouldn't
want *ANY* record of non-existent account names entered for a fairly obvious
reason: if an admin found three attempts to logon to akey-breaky followed by
a successful logon to my account, he might make a logical deduction as to
what my actual password is. In my mind that would be a security
vulnerability in an o/s that would allow that.

Getting the name or IP address of the computer from which the failed TS or
RDP connection originated might seem more doable, but I am not convinced
that it is. If the user fails to authenticate, then there is no session, and
therefore no connection to this system. If I am wrong, I would certainly be
interested in finding this out.

/Al



Posted by J.P. on July 19, 2007, 1:36 pm

All above sounds correct. I was more interested in getting the
information to make sure people aren't hammering on the server in an
attempt to get in. In the case someone did breach the server through
terminal services all of the above information could be of use. At the
same time it may be of no use, but the more information available to
the administrators the better, in my opinion. The password/username
issue is a good point. If we could at least get IP addresses in the
invalid logon attempts I would be more than satisfied. But as you
said, there is no connection in a failed logon state and the logging
is taking place outside of terminal services, so it's probably not
going to happen without a Terminal Services feature to do so. Anyhow,
the points you made have opened my eyes to the bigger picture here.
Thanks for taking the time to comment on the situation.

J.P.
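
The two J.P. posts above ask for a way to see which accounts and which source addresses are behind failed logons, so that someone "hammering on the server" stands out. The following script is an added example, not code from the thread or from any of its participants: it parses a constructed "Field: value" export of logon-failure records (in the layout of the later Windows 4625 event, which carries the attempted account name, the source address and an NTSTATUS code), aggregates failures per source address, and flags sources that fail repeatedly, spray several account names, or hit accounts that do not exist. The sample records, names and addresses are invented; the thresholds are assumptions to tune for a given server.

```python
import re
from collections import defaultdict

# NTSTATUS value Windows reports for a logon against an account that does
# not exist (STATUS_NO_SUCH_USER). A bad password on an existing account is
# 0xC000006A; both codes appear in the sample records below.
NO_SUCH_ACCOUNT = "0xC0000064"

# Constructed sample export of security-log records in the "Field: value"
# layout Event Viewer uses. Event 4625 is a logon failure, 4624 a success.
# Every name, address and timestamp here is made up for this example.
SAMPLE_EXPORT = """\
TimeCreated: 2007-07-18T10:02:11
EventID: 4625
TargetUserName: jsmith
WorkstationName: LAPTOP-17
IpAddress: 192.0.2.45
Status: 0xC000006A

TimeCreated: 2007-07-18T10:02:19
EventID: 4625
TargetUserName: jsmith
WorkstationName: LAPTOP-17
IpAddress: 192.0.2.45
Status: 0xC000006A

TimeCreated: 2007-07-18T10:05:03
EventID: 4625
TargetUserName: administrator
WorkstationName: -
IpAddress: 198.51.100.9
Status: 0xC000006A

TimeCreated: 2007-07-18T10:05:04
EventID: 4625
TargetUserName: admin
WorkstationName: -
IpAddress: 198.51.100.9
Status: 0xC0000064

TimeCreated: 2007-07-18T10:05:05
EventID: 4625
TargetUserName: root
WorkstationName: -
IpAddress: 198.51.100.9
Status: 0xC0000064

TimeCreated: 2007-07-18T10:05:06
EventID: 4625
TargetUserName: guest
WorkstationName: -
IpAddress: 198.51.100.9
Status: 0xC000006A

TimeCreated: 2007-07-18T10:07:40
EventID: 4624
TargetUserName: jsmith
WorkstationName: LAPTOP-17
IpAddress: 192.0.2.45
Status: 0x0
"""


def parse_records(text):
    """Split a 'Field: value' export into one dict per blank-line-separated record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            # partition on the first colon only, so timestamps keep their colons
            key, _, value = line.partition(":")
            if key.strip():
                rec[key.strip()] = value.strip()
        records.append(rec)
    return records


def failed_logons(records):
    """Keep only logon-failure events (ID 4625)."""
    return [r for r in records if r.get("EventID") == "4625"]


def summarize_by_source(failures):
    """Per source address: failure count, distinct account names tried,
    and how many attempts targeted accounts that do not exist."""
    per_source = defaultdict(
        lambda: {"failures": 0, "accounts": set(), "no_such_account": 0}
    )
    for r in failures:
        entry = per_source[r.get("IpAddress", "-")]
        entry["failures"] += 1
        entry["accounts"].add(r.get("TargetUserName", "").lower())
        if r.get("Status") == NO_SUCH_ACCOUNT:
            entry["no_such_account"] += 1
    return per_source


def suspicious_sources(per_source, max_failures=3, max_accounts=2):
    """Flag sources that fail often, spray several account names, or probe
    non-existent accounts. Thresholds are assumed defaults, not fixed rules."""
    flagged = {}
    for src, entry in per_source.items():
        reasons = []
        if entry["failures"] > max_failures:
            reasons.append(f"{entry['failures']} failures")
        if len(entry["accounts"]) > max_accounts:
            reasons.append(f"{len(entry['accounts'])} distinct account names")
        if entry["no_such_account"]:
            reasons.append(f"{entry['no_such_account']} attempts on non-existent accounts")
        if reasons:
            flagged[src] = reasons
    return flagged


def report(text):
    """Parse an export and return (failures, per-source summary, flagged sources)."""
    failures = failed_logons(parse_records(text))
    per_source = summarize_by_source(failures)
    return failures, per_source, suspicious_sources(per_source)


if __name__ == "__main__":
    failures, per_source, flagged = report(SAMPLE_EXPORT)
    print(f"{len(failures)} failed logons from {len(per_source)} source addresses")
    for src, entry in sorted(per_source.items()):
        print(f"  {src}: {entry['failures']} failures, accounts {sorted(entry['accounts'])}")
    for src, reasons in flagged.items():
        print(f"REVIEW {src}: " + "; ".join(reasons))
```

On the sample data the two failures from 192.0.2.45 (one user, one workstation, followed by a successful logon) stay below every threshold, while 198.51.100.9 is flagged on all three counts. In practice the export would come from the server's own Security log rather than the embedded string, and a source that is flagged is a candidate for a firewall rule or an account-lockout review rather than proof of an intrusion.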


Posted by Mervin Pearce on August 20, 2007, 3:44 pm
Have a look at
http://www.sacs.co.za/index.php?option=com_remository&Itemid=41&func=fileinfo&id=35

which is a TSAuditor on connections. I have done a service to log all
connections plus initial commands to a central server.


