RE: Terminal Services Auditing?

From: Kamran Muzaffer (kmahmed_at_cyber.net.pk)
Date: 10/25/03

    Date: Sat, 25 Oct 2003 21:13:48 +0500
    To: "Erik Birkholz" <erik@foundstone.com>, <alexandre@secrel.net.br>, <focus-ms@securityfocus.com>
    
    

    I have worked on MS Terminal Services both on Win2k and Win 2003
    server. Both of them lack the functionality of logging the IPs or
    displaying them in 'Terminal Services Manager' snap-in.

    One thing I did notice is that, if you look into the TERMINAL SERVICES
    MANAGER > SESSIONS snap-in it does resolve the hostnames of the machines
    whose records are present in your default name servers.

    Regards,
    Kamran Muzaffer
    -----Original Message-----
    From: Erik Birkholz [mailto:erik@foundstone.com]
    Sent: Saturday, October 25, 2003 1:13 AM
    To: alexandre@secrel.net.br; focus-ms@securityfocus.com
    Subject: Re: Terminal Services Auditing?

    It doesn't log the source IP for each connection. Mark Burnett wrote a
    good article about supplementing this shortcoming using a tool called
    Zebedee. You can find the article on SecurityFocus.com.

    Apparently this is not available functionality in Win2003 TS either. I
    haven't tested this yet.

    Erik

    ---------------------------------------
    (Msg from BlackBerry Wireless Handheld)
    ---------------------------------------
    Erik Pace Birkholz - CISSP, MCSE
    Foundstone, Inc.
    Strategic Security

    Read Special Ops and mount an assault to eradicate network negligence
    today. www.SpecialOpsSeries.com

    [Tel] 949.297.5591
    [Cel] 323.252.5916
    [Fax] 949.297.5575
    [pgp] https://www.foundstone.com/pgpkeys/erik-birkholz.asc

    -----Original Message-----
    From: alexandre <alexandre@secrel.net.br>
    To: focus-ms@securityfocus.com <focus-ms@securityfocus.com>
    Sent: Fri Oct 24 10:05:19 2003
    Subject: Terminal Services Auditing?

    Hi all,

    continuing the TS subject, I think that someone is having access to one
    of my servers thru Terminal Services... anyone know how can I audit
    these TS logins?? I looked at the events but didn't find any ip logged.

    Thanks

    ------------------------------------------------------------------------

    ---
    FREE Whitepaper: Better Management for Network Security
    Looking for a better way to manage your IP security?
    Learn how Solsoft can help you:
    - Ensure robust IP security through policy-based management
    - Make firewall, VPN, and NAT rules interoperable across heterogeneous
    networks
    - Quickly respond to network events from a central console
    Download our FREE whitepaper at:
    http://www.securityfocus.com/sponsor/Solsoft_focus-ms_031015 
    ------------------------------------------------------------------------
    ---