Terminal server log

  • Thread starter Thread starter RedFoxy
  • Start date Start date
R

RedFoxy

Hi all!
I need to know if a windows 2003 SBS (the full version with SQL not the
standard version) logs Terminal server connections and where are the
logs, i need to know the ip address of a connection by terminal server
and if is possible, what they do like data transfer and similar, I'm
reading the event log of windows, but i don't foun anything of strange,
i found only some try of a terminal server connection that try to
connect some printers that server don't know and it haven't the right
drivers...
The windows 2003 server SBS is just installed, i haven't changed any
policy about log on and terminal server and windows have all windows
updated.

Thank's for all!
 
Terminal Server logons can be found in the security log, logon type 10
(XP/W2K3 and up). This, and the rest, is subject to correct audit policy.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"RedFoxy" <redfoxy.nospam@redfoxy.it> wrote in message
news:esdFq4bjIHA.6084@TK2MSFTNGP06.phx.gbl...
> Hi all!
> I need to know if a windows 2003 SBS (the full version with SQL not the
> standard version) logs Terminal server connections and where are the logs,
> i need to know the ip address of a connection by terminal server and if is
> possible, what they do like data transfer and similar, I'm reading the
> event log of windows, but i don't foun anything of strange, i found only
> some try of a terminal server connection that try to connect some printers
> that server don't know and it haven't the right drivers...
> The windows 2003 server SBS is just installed, i haven't changed any
> policy about log on and terminal server and windows have all windows
> updated.
>
> Thank's for all!
 
S. Pidgorny <MVP> ha scritto:
> Terminal Server logons can be found in the security log, logon type 10
> (XP/W2K3 and up). This, and the rest, is subject to correct audit policy.
>

I've not changed anything about policy, the server is just installed,
and when i look at security event log i haven't logon type, i've only
type and another field called user
 
Here's an example of a logon event:

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 25/03/2008
Time: 9:08:25 PM
User: GETAWAY\Administrator
Computer: GETAWAY
Description:
Successful Logon:
User Name: Administrator
Domain: GETAWAY
Logon ID: (0x0,0x81B3160)
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: GETAWAY
Logon GUID: -
Caller User Name: GETAWAY$
Caller Domain: WORKGROUP
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 3880
Transited Services: -
Source Network Address: 127.0.0.1
Source Port: 4339


Note the logon type.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"RedFoxy" <redfoxy.nospam@redfoxy.it> wrote in message
news:u7NmGgljIHA.6032@TK2MSFTNGP03.phx.gbl...
> S. Pidgorny <MVP> ha scritto:
>> Terminal Server logons can be found in the security log, logon type 10
>> (XP/W2K3 and up). This, and the rest, is subject to correct audit policy.
>>
>
> I've not changed anything about policy, the server is just installed, and
> when i look at security event log i haven't logon type, i've only type and
> another field called user
 
S. Pidgorny <MVP> ha scritto:
> Here's an example of a logon event:
>
> Event Type: Success Audit


How can I see if i've the audit actived?
 
Start - Administrative Tools - Local Security Policy
Security Settings - Local Policies - Audit Policy

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"RedFoxy" <redfoxy.nospam@redfoxy.it> wrote in message
news:%23sxGFGmjIHA.4536@TK2MSFTNGP06.phx.gbl...
> S. Pidgorny <MVP> ha scritto:
>> Here's an example of a logon event:
>>
>> Event Type: Success Audit
>
>
> How can I see if i've the audit actived?
 
S. Pidgorny <MVP> ha scritto:
> Start - Administrative Tools - Local Security Policy
> Security Settings - Local Policies - Audit Policy
>
when i activate the audit... i don't found the connections in the event
log, and now that i've disabled the audit i don't found anymore new id
event 682 and 683 o.*
 
Back
Top