RE: Monitoring logged on users
- From: v-chayan@xxxxxxxxxxxxxxxxxxxx ("Charles Yang [MSFT]")
- Date: Thu, 05 Jan 2006 03:03:55 GMT
HI Dave,
Welcome to SBS newsgroup.
Issue description:
==========
I understand that you want to monitor the who logon to the LAN and remotely
via OWA.
Analyzing and suggestion:
===========
Generally speaking, we have no special tools to monitor such issue, however
we can use IIS log and audit event to analyzing these issues, please refer
to my suggestion below:
Based on my research, if your users use OWA, there will be following event
in the event logs.
EventID 680
Source: security
Category: Account Logon
In addition, even ID 540, 552 and 576 will also be logged in to security
event logs.
With the information, you could know the users log time, but the source
computer will not be displayed since the client computer use IE to logon to
IIS pages. If you want to know more information about the IIS session, you
could use IIS logs.
1. Open Internet Information Services (IIS) console <Server name> right
click ''Default Web Site'' to choose ''Properties''.
2. Under the ''Web Site'' tab, check the option ''Enable Logging''.
3. With ''W3C Extended Log File Format'', click ''Properties''.
4. Under ''General Properties'', make sure ''Use local time for file naming
and rollover'' is CHECKED.
5. Switch to the ''Extended Properties'', and then select to enable All the
logging Options.
6. Click OK to apply the modification.
7. By Default, the log files are created in the
''%systemroot%\system32\logfiles\W3SVC1'' folder.
You could view more information through log files.
More info:
===========
1. In SBS today, we do audit failed and successful AD logons and OWA
logons are included here, but not currently distinguishable from other
logons. If you are concerned about password attacks, this is the right
place to look as these would not be limited to OWA. You could check the
event logs on clients to know when users log on and off if you are truly
concerned about knowing when people telecommute.
2. TS provides advanced auditing functionality that may be able to be
used here: Server Management->Advanced Management->Terminal Services
Configuration->Connections->Right click RDP-TCP->Properties->Permissions
tab->Advanced->Auditing tab->Add select a user from AD->OK-> Here you'll
see auditing you can perform around connections, etc.
3. You can update the RWW pages to run a script or write to the event
log each time someone logs in. For updating the RWW page, you may need to
develop it. However, we may consider this for the next version of SBS.
I am currently standing by for an update from you and would like to know
how things are going on your end. If you have any questions or concerns on
the recent information I've provided you, please don't hesitate to let me
know.
Best regards,
Charles Yang (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Thread-Topic: Monitoring logged on users
| thread-index: AcYRYymvkoYXPvU7QXeMS42KhLc/BQ==
| X-WBNR-Posting-Host: 80.42.186.72
| From: "=?Utf-8?B?cGNtYW4=?=" <pcman@xxxxxxxxxxxxxxxxxxxxxxxxx>
| Subject: Monitoring logged on users
| Date: Wed, 4 Jan 2006 11:15:02 -0800
| Lines: 5
| Message-ID: <4768A48A-EA87-46B9-9A38-98EE8D8F1C65@xxxxxxxxxxxxx>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="Utf-8"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| Content-Class: urn:content-classes:message
| Importance: normal
| Priority: normal
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
| Newsgroups: microsoft.public.windows.server.sbs
| NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
| Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGXA03.phx.gbl
| Xref: TK2MSFTNGXA02.phx.gbl microsoft.public.windows.server.sbs:234061
| X-Tomcat-NG: microsoft.public.windows.server.sbs
|
| Hi All
| We would like to monitor who is logged on to the SBS 2003 network both
| locally on the LAN and remotely via OWA. Can anyone tell me how to do
this.
| TIA
| Dave
|
.
- Follow-Ups:
- RE: Monitoring logged on users
- From: pcman
- RE: Monitoring logged on users
- Prev by Date: Determining Number of CALs in SBS 2000
- Next by Date: RE: Event ID: 2000 - MTA service
- Previous by thread: Determining Number of CALs in SBS 2000
- Next by thread: RE: Monitoring logged on users
- Index(es):
Relevant Pages
|
Loading
