Tracking RDP Logons
Earlier this week a customer asked me the following question:
We came across a scenario where one of our sessions that we need to track events on, recorded only 683 events (rdp logoff) but zero 682 events (rdp logon).
I put together a detailed email explaining to him why/what was really happening and thought it would be good to share.
I want to clarify event id 682 for you: it’s not an RDP Logon event, it’s a Session Reconnected event. That’s why you see 683 events without any 682 events.
If you want to track when someone logs onto a system via RDP you need to look for event id 528 with a logon type of 10.
So here is what you can expect to see in the logs (all of these events are in the Security log on the system SERVER1):
At 9:22 am Isaac remotes into Server1:
Event ID: 528
Successful Logon:
User Name: isaac
Domain: XXXXXXXX
Logon ID: (0x0,0x2505AC69)
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: SERVER1
Logon GUID: {f9c49597-2dcc-19cb-32cb-89a0e776ec9c}
Caller User Name: SERVER1$
Caller Domain: XXXXXXXX
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 2380
Transited Services: -
Source Network Address: xxx.xxx.xxx.145
Source Port: 18573

Then at 9:42:06 am Isaac clicks the “X” in the upper corner of the RDP session (does not log out, but disconnects):
Event ID: 683
Session disconnected from winstation:
User Name: isaac
Domain: XXXXXXXX
Logon ID: (0x0,0x2505AC69)
Session Name: RDP-Tcp#1
Client Name: Workstation1
Client Address: xxx.xxx.xxx.145

Then at 9:42:37 am Isaac reconnects to the RDP session on Server1:
Event ID: 682
Session reconnected to winstation:
User Name: isaac
Domain: XXXXXXXX
Logon ID: (0x0,0x2505AC69)
Session Name: RDP-Tcp#2
Client Name: Workstation1
Client Address: xxx.xxx.xxx.145

Then at 11:56 am Isaac logs off the RDP session:
Event ID: 551
User initiated logoff:
User Name: isaac
Domain: XXXXXXXX
Logon ID: (0x0,0x2505ac69)

Now let’s analyze how we tie all these together. The first event, the 528, tells us how the connection was established: Logon Type: 10, which is RemoteInteractive (aka RDP or Terminal Session) (for other logon types see this list). This event also confirms that the RDP session was made to a system called Server1 (noted in the Workstation Name line), and it tells us from which system the RDP session was made, xxx.xxx.xxx.145 (the Source Network Address line). We also get the Logon ID, which is a hex value. This Logon ID allows us to connect all of the activity that Isaac does while the RDP session is active (with the right auditing turned on): we can track what files/folders were touched, what processes were launched, etc. It also allows us to tell whether he disconnects (683) or logs off (551) the RDP session. If he disconnects, we can then also track when he reconnects (682).
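The correlation described above, as an added example that is not part of the original post: a small Python script that parses text-form Security log records like the ones quoted, keeps only 528 events with Logon Type 10 as the start of an RDP session, and then ties the 683 (disconnect), 682 (reconnect) and 551 (logoff) events to that session by Logon ID. The sample records, their timestamps, and the two extra users (a network logon that must not be counted as RDP, and a user who disconnects and never reconnects, which is exactly the "683 but no 682" situation the customer saw) are constructed for this example. The script also lowercases Logon IDs before matching, since the 551 record in the post spells the same ID in lowercase.

```python
import re
from collections import OrderedDict
from datetime import datetime

# Constructed sample records modelled on the Security-log events quoted in the
# post (Windows 2000/2003 numbering: 528 logon, 683 disconnect, 682 reconnect,
# 551 logoff). Timestamps and the users backupsvc/maria are assumptions.
SAMPLE_EVENTS = """\
2009-12-01 09:22:00 Event ID: 528
Successful Logon:
User Name: isaac
Domain: XXXXXXXX
Logon ID: (0x0,0x2505AC69)
Logon Type: 10
Workstation Name: SERVER1
Source Network Address: xxx.xxx.xxx.145
---
2009-12-01 09:30:00 Event ID: 528
Successful Logon:
User Name: backupsvc
Domain: XXXXXXXX
Logon ID: (0x0,0x2601AA10)
Logon Type: 3
Workstation Name: SERVER1
Source Network Address: xxx.xxx.xxx.200
---
2009-12-01 09:42:06 Event ID: 683
Session disconnected from winstation:
User Name: isaac
Domain: XXXXXXXX
Logon ID: (0x0,0x2505AC69)
Session Name: RDP-Tcp#1
Client Address: xxx.xxx.xxx.145
---
2009-12-01 09:42:37 Event ID: 682
Session reconnected to winstation:
User Name: isaac
Domain: XXXXXXXX
Logon ID: (0x0,0x2505AC69)
Session Name: RDP-Tcp#2
Client Address: xxx.xxx.xxx.145
---
2009-12-01 10:00:00 Event ID: 528
Successful Logon:
User Name: maria
Domain: XXXXXXXX
Logon ID: (0x0,0x27F0B201)
Logon Type: 10
Workstation Name: SERVER1
Source Network Address: xxx.xxx.xxx.77
---
2009-12-01 10:15:00 Event ID: 683
Session disconnected from winstation:
User Name: maria
Domain: XXXXXXXX
Logon ID: (0x0,0x27F0B201)
Session Name: RDP-Tcp#3
Client Address: xxx.xxx.xxx.77
---
2009-12-01 11:56:00 Event ID: 551
User initiated logoff:
User Name: isaac
Domain: XXXXXXXX
Logon ID: (0x0,0x2505ac69)
"""

HEADER_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Event ID: (\d+)$")
FIELD_RE = re.compile(r"^([A-Za-z ]+): (.*)$")

EVT_LOGON, EVT_LOGOFF, EVT_RECONNECT, EVT_DISCONNECT = 528, 551, 682, 683
LOGON_TYPE_RDP = "10"  # RemoteInteractive

def parse_events(text):
    """Turn the '---'-separated text records into dicts, sorted by time."""
    events = []
    for block in text.split("---"):
        lines = [l.strip() for l in block.strip().splitlines() if l.strip()]
        if not lines or not HEADER_RE.match(lines[0]):
            continue
        m = HEADER_RE.match(lines[0])
        ev = {"time": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
              "id": int(m.group(2))}
        for line in lines[1:]:
            f = FIELD_RE.match(line)
            if f:
                ev[f.group(1)] = f.group(2)
        if "Logon ID" in ev:
            # Logon IDs are hex and case differs between records; normalise.
            ev["Logon ID"] = ev["Logon ID"].lower()
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])

def build_rdp_sessions(events):
    """Return {logon_id: session} for sessions that began with a 528 / Logon Type 10."""
    follow_up = {EVT_DISCONNECT: ("disconnect", "disconnected"),
                 EVT_RECONNECT: ("reconnect", "active"),
                 EVT_LOGOFF: ("logoff", "logged off")}
    sessions = OrderedDict()
    for ev in events:
        lid = ev.get("Logon ID")
        if ev["id"] == EVT_LOGON:
            if ev.get("Logon Type") != LOGON_TYPE_RDP:
                continue  # network/service/batch logons are not RDP sessions
            sessions[lid] = {"user": ev.get("User Name"),
                             "target": ev.get("Workstation Name"),
                             "source": ev.get("Source Network Address"),
                             "timeline": [(ev["time"], "logon")],
                             "state": "active"}
        elif ev["id"] in follow_up and lid in sessions:
            label, state = follow_up[ev["id"]]
            sessions[lid]["timeline"].append((ev["time"], label))
            sessions[lid]["state"] = state
    return sessions

def event_counts(events):
    """The numbers the customer compared: true RDP logons vs 682 vs 683."""
    c = {"rdp_logon": 0, "reconnect": 0, "disconnect": 0}
    for ev in events:
        if ev["id"] == EVT_LOGON and ev.get("Logon Type") == LOGON_TYPE_RDP:
            c["rdp_logon"] += 1
        elif ev["id"] == EVT_RECONNECT:
            c["reconnect"] += 1
        elif ev["id"] == EVT_DISCONNECT:
            c["disconnect"] += 1
    return c

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for lid, s in build_rdp_sessions(evs).items():
        print(f"{s['user']} from {s['source']} to {s['target']} [{lid}] -> {s['state']}")
        for t, label in s["timeline"]:
            print(f"    {t:%H:%M:%S} {label}")
    print(event_counts(evs))
```

Running it shows Isaac's session going logon, disconnect, reconnect, logoff, and Maria's session left in the "disconnected" state with a 683 and no 682, while both RDP logons are still found through the 528/type 10 events and the type 3 network logon is ignored.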
Hope this helps.
Audit Account Logon vs Audit Logon/Logoff
Over the past several years I’ve been explaining the difference between these two audit policies. One is for logon/logoff events; the other (Account Logon) is for authentication events. In the past few months I have had several people ask me to put together a blog entry covering these two audit policies, but I’ve found it rather painful to put into a blog. Then a few weeks ago I found out that my employer (Prism Microsystems) was hosting a webinar with Randy F. Smith and I was going to also be presenting. Well, the webinar went smoothly today, so I have decided that instead of doing a long, lengthy blog entry I would just post a link to the recorded webinar. Enjoy, and I hope you are able to gain more insight into these two audit policies.