Re: Terminal Services Auditing?

From: Thor (thorhammerofgod.com)
Date: Mon Oct 27 2003 - 14:55:46 CST


Win2003 Server *does* indeed log the client IP for terminal services/remote
desktop. It is logon type 10, and it logs the IP under
"SourceNetworkAddress." Of course, you have to enable auditing of
logons in the event logs....

T

----- Original Message -----
From: "Kamran Muzaffer" <kmahmedcyber.net.pk>
To: "Erik Birkholz" <erikfoundstone.com>; <alexandresecrel.net.br>;
<focus-mssecurityfocus.com>
Sent: Saturday, October 25, 2003 8:13 AM
Subject: RE: Terminal Services Auditing?

I have worked on MS Terminal Services both on Win2k and Win 2003
server. Both of them lack the functionality of logging the IPs or
displaying them in 'Terminal Services Manager' snap-in.

One thing I did notice is that, if you look into the TERMINAL SERVICES
MANAGER > SESSIONS snap-in it does resolve the hostnames of the machines
whose records are present in your default name servers.

Regards,
Kamran Muzaffer
-----Original Message-----
From: Erik Birkholz [mailto:erikfoundstone.com]
Sent: Saturday, October 25, 2003 1:13 AM
To: alexandresecrel.net.br; focus-mssecurityfocus.com
Subject: Re: Terminal Services Auditing?

It doesn't log the source IP for each connection. Mark Burnett wrote a
good article about supplementing this short-coming using a tool called
Zebedee. You can find the article on SecurityFocus.com

Apparently this is not available functionality in Win2003 TS either. I
haven't tested this yet.

Erik

---------------------------------------
(Msg from BlackBerry Wireless Handheld)
---------------------------------------
Erik Pace Birkholz - CISSP, MCSE
Foundstone, Inc.
Strategic Security

Read Special Ops and mount an assault to eradicate network negligence
today. www.SpecialOpsSeries.com

[Tel] 949.297.5591
[Cel] 323.252.5916
[Fax] 949.297.5575
[pgp] https://www.foundstone.com/pgpkeys/erik-birkholz.asc

-----Original Message-----
From: alexandre <alexandresecrel.net.br>
To: focus-mssecurityfocus.com <focus-mssecurityfocus.com>
Sent: Fri Oct 24 10:05:19 2003
Subject: Terminal Services Auditing?

Hi all,

continuing the TS subject, I think that someone is having access to one of
my servers thru Terminal Services... anyone know how can I audit these TS
logins?? I looked at the events but didn't find any ip logged.

Thanks
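
The check described in the reply at the top of this thread (logon type 10, with the client IP under "SourceNetworkAddress"), shown as an added example that is not part of the original thread. The "Field: value" export layout, the `LogonType` and `UserName` field names, the function names and the sample records are all assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: logon audit records in a simplified "Field: value" text
# layout, one record per blank-line-separated block (layout is an assumption).
SAMPLE_EXPORT = """\
UserName: admin
LogonType: 10
SourceNetworkAddress: 10.0.5.20

UserName: svc_backup
LogonType: 5
SourceNetworkAddress: -

UserName: admin
LogonType: 10
SourceNetworkAddress: 203.0.113.77
"""

FIELD = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")

def parse_records(text):
    """Split the export into records; return each as a dict of its fields."""
    blocks = re.split(r"\n\s*\n", text.strip())
    recs = [dict(m.groups() for m in map(FIELD.match, b.splitlines()) if m) for b in blocks]
    return [r for r in recs if r]

def untrusted_ts_logons(records, trusted_nets):
    """Count logon type 10 records per (user, source) outside trusted_nets."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = Counter()
    for rec in records:
        if rec.get("LogonType") != "10":
            continue  # keep only terminal services / remote desktop logons
        user, raw = rec.get("UserName", "?"), rec.get("SourceNetworkAddress", "")
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            hits[(user, "unparsed:" + raw)] += 1  # surface it, do not drop it
            continue
        if not any(addr in net for net in nets):
            hits[(user, str(addr))] += 1
    return hits

if __name__ == "__main__":
    for (user, src), n in untrusted_ts_logons(parse_records(SAMPLE_EXPORT), ["10.0.0.0/8"]).items():
        print(f"{user} from {src}: {n} logon(s)")
```

Records with a missing or non-IP source are reported as `unparsed:` rather than skipped, so a type 10 logon without a usable address still shows up for review.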
