Terminal Service Log monitoring

Source: Internet
Author: User

There is good reason to give the logs of the Terminal Service their own monitoring. The Terminal Service shipped with Microsoft Windows 2000 Server is based on the Remote Desktop Protocol (RDP). It is fast and stable and makes an excellent remote management tool, but it is also very dangerous precisely because it is so powerful and is protected by nothing but a password: once an attacker has the administrator password, the attacker can operate the remote server as if it were the local machine (no advanced NT command-line skills and no special scripts or programs are needed; every system management operation can be done with the mouse, which is as convenient as it is frightening). Although many people use the Terminal Service for remote management, not everyone knows how to audit it. Most terminal servers keep no terminal logon log at all, yet enabling this auditing is very easy. In Administrative Tools, open Terminal Services Configuration, click "Connections", right-click the RDP connection you want to configure (for example RDP-Tcp (Microsoft RDP 5.0)), select the "Permissions" tab, click "Advanced" in the lower left corner and open the "Auditing" tab. Add the Everyone group, which represents all users; it is enough to audit success and failure of "Connect", "Disconnect", "Logoff" and "Logon", since auditing too much is not helpful. These audit records are written to the Security log and can be viewed under Administrative Tools -> Event Viewer. Now you know exactly when each client logged on. The fly in the ointment is that this audit does not record the client's IP address (only the IP addresses of currently connected users can be viewed); all it records with such fanfare is the client's machine name! If someone names their machine PIG, you simply have to put up with the joke. I do not know what Microsoft was thinking, but it seems you still cannot rely entirely on Microsoft. So let's do it ourselves: write a program and the job is done. Do you know C? No? What about VB?
Or not? Delphi? ...... What? You don't know any programming language? Well, a system administrator is not a programmer after all. Don't worry, I'll give you a solution. Create a batch file called TSLog.bat; it records the IP address of each person who logs on. Its content is as follows:
time /t >> TSLog.log
netstat -n -p tcp | find ":3389" >> TSLog.log
start explorer

Let me explain the meaning of this file:

The first line records the user's logon time. time /t returns the system time directly (without /t the system would wait for you to enter a new time); the append operator ">>" then writes that time to TSLog.log as the log's time field;

The second line records the user's IP address. netstat is a command that displays the current network connection status; -n shows IP addresses and ports instead of host names and service names, and -p tcp shows only the TCP protocol. The pipe symbol "|" feeds the output of this command to the find command, which picks out the lines containing ":3389" (these are the lines holding the client's IP address; if you change the port of the Terminal Service, this value must be changed accordingly). Finally, this result is also appended to the log file TSLog.log, so the records in TSLog.log look like this:

22:40
TCP 192.168.12.28:3389 192.168.10.123:4903 ESTABLISHED
22:54
TCP 192.168.12.28:3389 192.168.12.29:1039 ESTABLISHED

That is to say, as long as TSLog.bat runs, every IP address connected to port 3389 is recorded. How do we make this batch file run automatically? The Terminal Service lets us specify the starting program for a user. In Terminal Services Configuration we override the user's logon settings and specify TSLog.bat as the program to start when a user logs on, so every user executes this script at logon. Because the default program (equivalent to the shell environment) is Explorer, I added the start explorer command as the last line of TSLog.bat to launch Explorer; without that command you cannot get to the desktop! Of course, if you only want to give the user a particular shell:

For example, you can replace start explorer with the shell of your choice. This script can also be written in other ways; as a system administrator you can use your imagination and resources freely. For an important server, for example, a script that mails the IP address of each logged-on user to your mailbox is also a good method. Under normal circumstances a user has no permission to view the Terminal Service settings, so he will not know that you are auditing logon IP addresses, as long as TSLog.bat and TSLog.log are placed in a relatively hidden directory. Note, however, that this is only a simple Terminal Service logging policy with few security measures and permission mechanisms; if the server has higher security requirements, you will still need to write a program or buy intrusion monitoring software.
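To review the TSLog.log that the batch file produces, here is an added example in Python (not from the original article): it parses the layout shown above, tags each netstat line with the preceding time /t line, collapses the repeats that arise because netstat lists every live port-3389 connection each time the script runs, and flags source addresses outside an allowed network. The sample log, the allowed range 192.168.0.0/16 and the address 203.0.113.77 are constructed for the example.

```python
import ipaddress
import re

# Constructed sample in the layout TSLog.bat writes: a "time /t" line, then
# the netstat lines matching ":3389" at that moment (sample data, not real).
SAMPLE_LOG = """\
22:40
TCP 192.168.12.28:3389 192.168.10.123:4903 ESTABLISHED
22:54
TCP 192.168.12.28:3389 192.168.10.123:4903 ESTABLISHED
TCP 192.168.12.28:3389 192.168.12.29:1039 ESTABLISHED
23:10
TCP 192.168.12.28:3389 203.0.113.77:52114 ESTABLISHED
"""

# "time /t" prints HH:MM, or "HH:MM AM/PM" on 12-hour locales.
TIME_RE = re.compile(r"^\d{1,2}:\d{2}(\s*[AP]M)?$")
CONN_RE = re.compile(r"^TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)$")

def parse_tslog(text):
    """Return (time, remote_ip, remote_port, state) tuples; each netstat
    line is tagged with the most recent time line above it."""
    entries, current_time = [], None
    for line in text.splitlines():
        line = line.strip()          # real netstat output is indented
        if TIME_RE.match(line):
            current_time = line
            continue
        m = CONN_RE.match(line)
        if m and current_time is not None:
            entries.append((current_time, m.group(3), int(m.group(4)), m.group(5)))
    return entries

def distinct_sessions(entries):
    """netstat lists every live 3389 connection each time the script runs, so
    one session shows up under several timestamps. Keep the first time each
    remote ip:port was seen, ignoring non-ESTABLISHED states."""
    first_seen = {}
    for t, ip, port, state in entries:
        if state == "ESTABLISHED" and (ip, port) not in first_seen:
            first_seen[(ip, port)] = t
    return first_seen

def flag_outside(sessions, allowed_cidrs):
    """Return remote IPs that fall outside every allowed network (sorted)."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    return sorted({ip for ip, _port in sessions
                   if not any(ipaddress.ip_address(ip) in n for n in nets)})
```

Run it over the real TSLog.log by passing the file contents to parse_tslog; any address returned by flag_outside is a logon from outside the network you expect and deserves a look in the Security log.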
