Re: Tracking RWW and Terminal Services Usage

Thanks,

That's what I was looking for with regard to RWW.

It seems like quite a large hole in the security monitoring that we have no
way to tell when someone has logged on with Terminal Services.


"John Chen [MSFT]" <v-jochen@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:Xd0FQM%23UGHA.1764@xxxxxxxxxxxxxxxxxxxxxxxx
Hello Lesa,

Thank you for posting.

It appears that there is no build-in tool to track the specific logon
events in current product. But I believe you can accomplish the goal by
developing a specific application. So I suggest you repost the issue in
MSDN newsgroup for assistance. I have provided the link below:
http://msdn.microsoft.com/newsgroups/default.asp

Although we can not find an available method to track the logon event in
an
easier way, I'd like to share my experience with you here.

I think Event Log is the best location to track the logon events. If a
user
logon in RWW, you will find four entries in the security log. They are
680,
552, 540 and 576. If you logon via Terminal Service or Remote Desktop, the
552 event will not appear in the security log. So I suggest you search 552
events in the security log so that you can easily find 680 events below.
(Open Event Viewer->View->Find)

Regarding Terminal Service, I am afraid there is no handy solution we can
take.

Hope the information helps. Have a good day.

Sincerely,
John Chen, MCSE, MCSA, MCDBA, MCSD
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no
rights.



.

Relevant Pages

  • Re: Unusual logon / logoff Security event log
    ... I researched the MPS Report but didn't find the Security log. ... Click Services tab and select Hide All Microsoft Services and Disable ... and a logon GUID. ...
    (microsoft.public.windows.server.sbs)
  • Re: IIS6 prompting for username and password
    ... Security log was full. ... > Logon Failure: ... > Caller User Name: NETWORK SERVICE ...
    (microsoft.public.inetserver.iis.security)
  • Re: How to find out what computer a user logged in on.
    ... For a domain your best bet is to enable auditing of logon events in Domain ... Controller Security Policy and for domain computers enable auditing of logon ... security log quite a bit on your domain controllers to sat at least 10MB. ...
    (microsoft.public.win2000.security)
  • Re: tracking users login and logoff
    ... With PRO you can use Local Security Policy (Control Panel, ... Audit Account Logon Events Success and/or failure) ... Start, Run, Eventvwr.msc and look in the Security Log. ...
    (microsoft.public.windowsxp.customize)
  • Re: Event Viewer
    ... network" user right in Local Security Policy and reboot. ... error message on his computer when the application/process that needs authentication ... > Successful Network Logon: ... I seem to get an entry in my Security Log every time he ...
    (microsoft.public.win2000.security)
Quantcast