Tracking RDP Logons
Earlier this week a customer asked me the following question:
We came across a scenario where one of our sessions that we need to track events on, recorded only 683 events (rdp logoff) but zero 682 events (rdp logon).
I put together a detailed email explaining to him why/what was really happening and thought it would be good to share.
I want to clarify event id 682 for you, it’s not a RDP Logon event, it’s a Session Reconnected event. That’s why you see 683 events without any 682 events.
If you want to track when someone logs onto a system via RDP you need to look for event id 528 with a logon type of 10.
So here is what you can expect to see in the logs (all of these events are in the Security log on the system SERVER1):
At 9:22 am Isaac remotes into Server1:
Event ID: 528
Successful Logon:
User Name: isaac
Domain: XXXXXXXX
Logon ID: (0×0,0x2505AC69)
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: SERVER1
Logon GUID: {f9c49597-2dcc-19cb-32cb-89a0e776ec9c}
Caller User Name: SERVER1$
Caller Domain: XXXXXXXX
Caller Logon ID: (0×0,0×3E7)
Caller Process ID: 2380
Transited Services: -
Source Network Address: xxx.xxx.xxx.145
Source Port: 18573Then at 9:42:06 am Isaac clicks the “X” in the upper corner of the RDP session (does not logout, but disconnects)
Event ID: 683
Session disconnected from winstation:
User Name: isaac
Domain: XXXXXXXX
Logon ID: (0×0,0x2505AC69)
Session Name: RDP-Tcp#1
Client Name: Workstation1
Client Address: xxx.xxx.xxx.145Then at 9:42:37 am Isaac re-connects to the RDP session on Server1
Event ID: 682
Session reconnected to winstation:
User Name: isaac
Domain: XXXXXXXX
Logon ID: (0×0,0x2505AC69)
Session Name: RDP-Tcp#2
Client Name: Workstation1
Client Address: xxx.xxx.xxx.145Then at 11:56 am Isaac logs off the RDP session
Event ID: 551
User initiated logoff:
User Name: isaac
Domain: XXXXXXXX
Logon ID: (0×0,0x2505ac69)Now let’s analyze how we tie all these together. The 1st event the 528 tells us how the connection was established, Logon Type: 10 (highlighted in yellow) which is a RemoteInteractive (aka RDP or Terminal Session) (for other logon types see this list). This event also confirms that the RDP session was done to a system called Server1 (noted in the Workstation Name line), it also tells us from which system the RDP session was done xxx.xxx.xxx.145 (the Source Network Address line). We also get the Logon ID which is a HEX code (highlighted in blue). This Logon ID allows us to connect all of the activity that Isaac does while the RDP session is active (with the right auditing turned on), we can track what files/folders were touched, what processes were launched, etc. It also allows us to tell if he disconnects (683) or logs off (551) the RDP session. If he disconnects we can then also track when he reconnects (682).
Hope this helps.
Directory Services Auditing
I’ve been asked by a customer to take a look at their level of Directory Services Auditing. I’m not able to share their screen shots but can scrub an email that I sent to them and post it here.
When it comes to Directory Services Auditing I always tell people less is more, if you already understand what the other audit policies give you then you can get 85% to 90% of what you need from those. There are somethings that you will have to get via Directory Services Auditing there’s just no getting around it. But just as with the case of Object Access be very carefull what you turn on or you will flood yourself with junk noise events. The major pain is that all events generated by Directory Services use the same event id no matter what action you are doing and are very cryptic.
Here is the email:
“ As we talked about on the phone today there is a lot of auditing turned on where Microsoft hasn’t given very much information about what it generates and even some that are currently not used. Example: Intellimirror-Group is used by remote boot legacy for managing groups of server machines and is currently not used. Based on the screen shot you sent me I can see that the objects are currently being monitored which are generating a lot of noise events for you. You might be better suited to audit the properties instead of the objects. Example, if you want to know when a user has been given access to someone else’s inbox you need to monitor for changes to the property: msExchMailboxSecurityDescriptor; or if you want to know who made a GPO change then you need to monitor for changes to the properties: gpLink and gPOptions. Most of the information that you can find via MSDN in regards to these audit objects is related to developers and not what the audit trail will give you. Keep in mind that Microsoft considers the Directory Services auditing a low level audit, so the events that are generated are pretty cryptic in nature and all use the same event id.
There are a few of the objects that you would want to monitor to help get a more full picture of what is happening such as: Computer, User, OU, Shares, Group objects. Monitoring these will give you things such as what OU a user was created in, where the Account Mgmt auditing does not give you this. Also Account Mgmt auditing does not give you OU auditing (as again Microsoft considers this to be a low level object).
In most companies it’s easy to turn on Auditing but very difficult to get it turned off and this is where Admins get themselves and others into a painful spot. How to prove what is not needed when Microsoft doesn’t document what the auditing does or doesn’t do.
Other examples:
msSFU30MailAliases – represents UNIX mail file data
nisMap – contains the generic abstraction of an NIS map
oncRpc – represents an abstraction of the Open Network Computing (ONC) Remote Procedure Call (RPC) binding
msRTCSIP-EdgeProxy – this attribute is reserved for future use
msRTCSIP-TrustedWebComponentsServerData – this attribute is reserved for future use”
Here are a few of the links where I pulled this data from:
http://msdn.microsoft.com/en-us/library/ms680938(VS.85).aspx
http://msdn.microsoft.com/en-us/library/ms985886(EXCHG.65).aspx
Audit Account Logon vs Audit Logon/Logoff
Over the past several years I’ve been explaining the diffence between these two audit polices. One is for logon/logoff events the other (Account Logon) is for authentication events. In the past few months I have had several people ask me to put together a blog entry covering these 2 audit polices. But I’ve found it rather painfull to put into a blog. Then a few weeks ago I found out that my employeer (Prism Microsystems) was hosting a webinar with Randy F. Smith and I was going to also be presenting. Well the webinar went smoothly today and so I have decided that instead of me doing a long lengthly blog entry I would just post a link to the recorded webinar. Enjoy and I hope you are able to gain more insight into these 2 Audit Policies.
More Info on Tracking Down File Deletes
Quite awhile ago I wrote a blog entry on Tracking Down File Deletes, it continues to be one of my most read blogs. I came across another blog entry that does a good job of explaining the same thing. The author is Ned Pyle, in his post he covers not only the Windows 2003 but also the Windows 2008 auditing so I thought I would share it with you.
IIS status code
Here is a link to some good information about the IIS status / sub-status codes for IIS 5 and 6.
Chris Crowe’s blog on IIS.
Detecting Insider Threats
Over the last few weeks I have been putting together a whitepaper on detecting insider threats (on a Windows network). The paper is finished and is available here. In the next few days I will be setting up a webinar that will cover this topic watch www.prismmicrosys.com for a link to the webinar.
Tips on Tracking Down a Hack Attempt
On Tuesday March 17, 2009 I conducted a webinar for Prism Microsystems on how Log Management can help you track down a hack attempt. Now I know there are multiple ways to hack a network, the purpose of this webinar was to show that if you are collecting the log data from ALL your sources, network equipment/Unix/Linux/Windows that you can track down these attempts very quickly. Log Management can also help you become more proactive vs always being reactive. Here is a link to the recorded version of the webinar, here is a link for the slides used in the webinar.
Windows 2008 and Vista Events
Big thanks to Eric Fitzgerald for posting some good info about the W2k8 and Vista events.
He put 2 great links in his latest blog, first is to Microsoft KB article with the W2k8 and Vista event events; found here. The second on is for the same info but in Excel format, found here.
Security Log Resource
This week has been a busy one for me. I have had several web training sessions and 2 onsite training sessions with customers this week. A question came up during one of onsites this week and I thought I would share it. The question was where did I get all my knowledge about the Windows Event Log and the various Event ID’s.
The answer is a simple 2 part answer. Part 1 –> Repetition, repetition, repetition. I have been analyizing event logs for more than 3 years now and before that I was a Sys Admin. Looking at the events day in and day you tend to get them stuck in your head. Part 2 –> Resources such as the information that I’ve learned from reading Randy F. Smith’s book and reviewing his course documentation and visiting his web site: www.ultimatewindowssecurity.com. I have put a link to a new feature on Randy’s site, WinSecWiki, under my Blogrolls. I also attend his webinars to get more info. Randy has good insite to the Security log. I have also had several conversations with Randy.
From time to time I will contribute to Randy’s Wiki, I will be posting under my first name on his site.
If anyone has any questions about Windows Events or the Windows Audit Policy feel free to ask.
Tracking Down Audit Policy Changes
Yesterday I held a webinar about how to track down changes to your Audit Policy. I have had several requests for the recorded session link from the people who attended. So I thought I would share the webinar with everyone else. To view the webinar please visit: http://www.prismmicrosys.com/Support/trainingDetails.php?id=116&a=view.html
For a list of my other upcoming webinars you can visit: http://www.prismmicrosys.com/webinars.php#Log%20Management%20Secrets
They are listed under the Log Management Secrets section. I will be conducting webinars each Tuesday at 1 pm Eastern Time on various topics relating to event log management and security. Please feel free to join in the webinars.
-
Archives
- December 2009 (1)
- November 2009 (1)
- October 2009 (1)
- September 2009 (1)
- August 2009 (1)
- May 2009 (3)
- April 2009 (1)
- March 2009 (2)
- February 2009 (4)
- September 2008 (1)
- August 2008 (1)
- June 2008 (1)
-
Categories
-
RSS
Entries RSS
Comments RSS
