Whether logons get logged has come up in discussions with several friends: is a log record written at all, and under what circumstances?
So I ran the following tests.
First, the setup:
My server name: ABUSERVER
My own client name: ABUPC13
IP address of my own client: 192.168.0.13
Account used for Logon: Administrator
Enabled in Local Security Policy: Audit logon events
Test 1:
Log on to the server through terminal services and log off normally. The security audit log shows the following:
Logon successful:
User name: Administrator
Domain: ABUSERVER
Logon ID: (0x0, 0x1D0B52)
Logon type: 2
Logon Process: User32
Authentication package: Negotiate
Work Station Name: ABUSERVER
User logout:
User name: Administrator
Domain: ABUSERVER
Logon ID: (0x0, 0x1D0B52)
Logon type: 2
Strange: neither my IP address nor my machine name was recorded. Moreover, the recorded workstation name is ABUSERVER, which is the server's own name, not my client's.
Test 2:
After logging on to the server normally, choose Disconnect to suspend the current session, then reconnect to the server from the client. The security log shows the following records:
Session disconnection from winstation:
User name: administrator
Domain: ABUSERVER
Logon ID: (0x0, 0x1D0B52)
Session name: Unknown
Client name: ABUPC13
Client address: 192.168.0.13
The session is reconnected to winstation:
User name: administrator
Domain: ABUSERVER
Logon ID: (0x0, 0x1BE7BA)
Session name: RDP-Tcp #7
Client name: ABUPC13
Client address: 192.168.0.13
This time, both the client name and the IP address were recorded.
Test 3:
Connect to the server normally and enter a wrong password; on the sixth wrong attempt (default security configuration) the terminal service window is closed.
Reconnect, log on, and check the logs:
In the system log:
The remote session from the client name ABUPC13 exceeds the maximum number of Logon failures allowed. The session is forcibly terminated.
In the security log:
Logon Failed:
Cause: Unknown user name or incorrect password
User name: administrator
Domain: ABUSERVER
Logon type: 2
Logon Process: User32
Authentication package: Negotiate
Work Station Name: ABUSERVER
That covers what gets logged when logging on to the terminal server under these different conditions.
Is it clearer now? Haha
Some may wonder why, in the first log record, the workstation name is the server's own name rather than that of the client I logged on from.
The reason is that a terminal logon is actually performed on a virtual desktop on the server, so the system records it as a local user logon.
So the summary is as follows:
1. When a user logs on to the server through terminal services and logs off normally, the client's IP address and machine name are not recorded in the server's log.
2. When a user logs on through terminal services and the session is then disconnected and reconnected, the system records the client's IP address and machine name.
3. When the connection is terminated because of wrong password entries, the client's machine name is left in the system log.
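As an added example (not part of the original post), here is a small Python script that applies the summary above: it parses security-log records in the format quoted here, merges events that share a Logon ID, and lists the sessions for which no client address was ever recorded. The sample records are constructed from the entries above; the Logon ID (0x0, 0x1D0C01) is invented to stand for a session that was logged off cleanly.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the log entries quoted on this page; Logon ID (0x0, 0x1D0C01) is a made-up clean session.
SAMPLE_EVENTS = """\
Logon successful:
User name: Administrator
Logon ID: (0x0, 0x1D0C01)
Work Station Name: ABUSERVER
---
Session disconnection from winstation:
User name: administrator
Logon ID: (0x0, 0x1D0B52)
Client name: ABUPC13
Client address: 192.168.0.13
---
The session is reconnected to winstation:
User name: administrator
Logon ID: (0x0, 0x1BE7BA)
Client name: ABUPC13
Client address: 192.168.0.13
"""

def parse_events(text):
    """Split the dump on '---'; each event becomes a dict of its 'Key: value' fields plus 'kind'."""
    events = []
    for chunk in text.split("---"):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if lines:
            fields = (re.match(r"([^:]+):\s*(.*)", ln) for ln in lines[1:])
            event = {m.group(1).strip(): m.group(2).strip() for m in fields if m}
            event["kind"] = lines[0].rstrip(":")
            events.append(event)
    return events

def attribute_sessions(events):
    """Merge events sharing a Logon ID; client name/address exist only in disconnect/reconnect records."""
    sessions = defaultdict(lambda: {"user": None, "client": None, "address": None})
    for ev in events:
        if "Logon ID" in ev:  # 'Logon Failed' records carry no Logon ID and are skipped here
            s = sessions[ev["Logon ID"]]
            s["user"] = s["user"] or ev.get("User name", "").lower()
            s["client"] = s["client"] or ev.get("Client name")
            s["address"] = s["address"] or ev.get("Client address")
    return dict(sessions)

def unattributed(sessions):
    """Logon IDs for which no event ever recorded a client address (the clean logon/logoff case)."""
    return sorted(lid for lid, s in sessions.items() if s["address"] is None)
```

Running `unattributed(attribute_sessions(parse_events(SAMPLE_EVENTS)))` returns only the cleanly logged-off session, which is exactly the case the first summary point says leaves no client trace.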
Finally, a note on the recorded IP addresses.
When the system records the client IP address for a terminal session, and the client sits on a LAN and reaches the server through a transparent gateway,
the address left on the server is still the client's intranet IP. So relying solely on Microsoft's log records will inevitably leave gaps.