Re: Terminal Services Auditing?

From: Thor (thor_at_hammerofgod.com)
Date: 10/27/03

    To: "Kamran  Muzaffer" <kmahmed@cyber.net.pk>, "Erik Birkholz" <erik@foundstone.com>, <alexandre@secrel.net.br>, <focus-ms@securityfocus.com>
    Date: Mon, 27 Oct 2003 12:55:46 -0800
    
    

    Win2003 Server *does* indeed log the client IP for terminal services/remote
    desktop. It is logon type 10, and it logs the IP under
    "SourceNetworkAddress." Of course, you have to enable auditing of
    logons in the event logs....

    T

    ----- Original Message -----
    From: "Kamran Muzaffer" <kmahmed@cyber.net.pk>
    To: "Erik Birkholz" <erik@foundstone.com>; <alexandre@secrel.net.br>;
    <focus-ms@securityfocus.com>
    Sent: Saturday, October 25, 2003 8:13 AM
    Subject: RE: Terminal Services Auditing?

    I have worked on MS Terminal Services both on Win2k and Win 2003
    server. Both of them lack the functionality of logging the IPs or
    displaying them in 'Terminal Services Manager' snap-in.

    One thing I did notice is that, if you look into the TERMINAL SERVICES
    MANAGER > SESSIONS snap-in it does resolve the hostnames of the machines
    whose records are present in your default name servers.

    Regards,
    Kamran Muzaffer
    -----Original Message-----
    From: Erik Birkholz [mailto:erik@foundstone.com]
    Sent: Saturday, October 25, 2003 1:13 AM
    To: alexandre@secrel.net.br; focus-ms@securityfocus.com
    Subject: Re: Terminal Services Auditing?

    It doesn't log the source IP for each connection. Mark Burnett wrote a
    good article about supplementing this shortcoming using a tool called
    Zebedee. You can find the article on SecurityFocus.com.

    Apparently this is not available functionality in Win2003 TS either. I
    haven't tested this yet.

    Erik

    ---------------------------------------
    (Msg from BlackBerry Wireless Handheld)
    ---------------------------------------
    Erik Pace Birkholz - CISSP, MCSE
    Foundstone, Inc.
    Strategic Security

    Read Special Ops and mount an assault to eradicate network negligence
    today. www.SpecialOpsSeries.com

    [Tel] 949.297.5591
    [Cel] 323.252.5916
    [Fax] 949.297.5575
    [pgp] https://www.foundstone.com/pgpkeys/erik-birkholz.asc

    -----Original Message-----
    From: alexandre <alexandre@secrel.net.br>
    To: focus-ms@securityfocus.com <focus-ms@securityfocus.com>
    Sent: Fri Oct 24 10:05:19 2003
    Subject: Terminal Services Auditing?

    Hi all,

    continuing the TS subject, I think that someone is having access to one of
    my servers thru Terminal Services... anyone know how can I audit these TS
    logins?? I looked at the events but didn't find any ip logged.

    Thanks

    ---------------------------------------------------------------------------
    FREE Whitepaper: Better Management for Network Security
    Looking for a better way to manage your IP security?
    Learn how Solsoft can help you:
    - Ensure robust IP security through policy-based management
    - Make firewall, VPN, and NAT rules interoperable across heterogeneous
    networks
    - Quickly respond to network events from a central console
    Download our FREE whitepaper at:
    http://www.securityfocus.com/sponsor/Solsoft_focus-ms_031015
    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------
    Network with over 10,000 of the brightest minds in information security
    at the largest, most highly-anticipated industry event of the year.
    Don't miss RSA Conference 2004! Choose from over 200 class sessions and
    see demos from more than 250 industry vendors. If your job touches
    security, you need to be here. Learn more or register at
    http://www.securityfocus.com/sponsor/RSA_focus-ms_031027 
    and use priority code SF4.
    ---------------------------------------------------------------------------
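
Added example, not part of the original thread: a short Python sketch that applies the point in the top reply (logon type 10 plus the source network address field) to an exported logon audit, listing the client IPs behind each user's Terminal Services logons and flagging the ones outside the networks you expect. The "Name: value" record layout, the `User Name` field, the sample addresses, the trusted range and all function names are assumptions made for illustration; only the logon type and the address field name come from the thread.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample export: one record per blank-line-separated block.
# Addresses are from the documentation ranges, not from any real log.
SAMPLE_EXPORT = """\
Successful Logon:
    User Name: administrator
    Logon Type: 10
    Source Network Address: 203.0.113.45

Successful Logon:
    User Name: backupsvc
    Logon Type: 5
    Source Network Address: -

Successful Logon:
    User Name: administrator
    Logon Type: 10
    SourceNetworkAddress: 192.0.2.10
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.*?)\s*$")
REMOTE_INTERACTIVE = "10"  # logon type the reply ties to TS / Remote Desktop

def parse_records(text):
    """Return one {field: value} dict per record in the export."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            m = FIELD.match(line)
            if m and m.group(2):
                # Accept both "Source Network Address" and "SourceNetworkAddress"
                rec[m.group(1).replace(" ", "").lower()] = m.group(2)
        if rec:
            records.append(rec)
    return records

def rdp_sources(text):
    """Map each user to the set of client IPs seen on type 10 logons."""
    seen = defaultdict(set)
    for rec in parse_records(text):
        addr = rec.get("sourcenetworkaddress", "-")
        if rec.get("logontype") == REMOTE_INTERACTIVE and addr != "-":
            seen[rec.get("username", "?")].add(addr)
    return dict(seen)

def unexpected(text, trusted=("192.0.2.0/24",)):
    """List (user, ip) pairs whose client IP is outside the trusted networks."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    return sorted((u, ip) for u, ips in rdp_sources(text).items() for ip in ips
                  if not any(ipaddress.ip_address(ip) in n for n in nets))
```

With the sample above, `unexpected(SAMPLE_EXPORT)` reports only the administrator logon from 203.0.113.45; the type 5 record is ignored because it is not a Terminal Services logon.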
    
