Terminal server log

R

RedFoxy

Guest
Hi all!

I need to know if a windows 2003 SBS (the full version with SQL not the

standard version) logs Terminal server connections and where are the

logs, i need to know the ip address of a connection by terminal server

and if is possible, what they do like data transfer and similar, I'm

reading the event log of windows, but i don't foun anything of strange,

i found only some try of a terminal server connection that try to

connect some printers that server don't know and it haven't the right

drivers...

The windows 2003 server SBS is just installed, i haven't changed any

policy about log on and terminal server and windows have all windows

updated.

Thank's for all!

 
S

S. Pidgorny

Guest
Terminal Server logons can be found in the security log, logon type 10

(XP/W2K3 and up). This, and the rest, is subject to correct audit policy.

--

Svyatoslav Pidgorny, MS MVP - Security, MCSE

-= F1 is the key =-

http://sl.mvps.org http://msmvps.com/blogs/sp

"RedFoxy" <redfoxy.nospam@redfoxy.it> wrote in message

news:esdFq4bjIHA.6084@TK2MSFTNGP06.phx.gbl...<span style="color:blue">

> Hi all!

> I need to know if a windows 2003 SBS (the full version with SQL not the

> standard version) logs Terminal server connections and where are the logs,

> i need to know the ip address of a connection by terminal server and if is

> possible, what they do like data transfer and similar, I'm reading the

> event log of windows, but i don't foun anything of strange, i found only

> some try of a terminal server connection that try to connect some printers

> that server don't know and it haven't the right drivers...

> The windows 2003 server SBS is just installed, i haven't changed any

> policy about log on and terminal server and windows have all windows

> updated.

>

> Thank's for all! </span>

 
R

RedFoxy

Guest
S. Pidgorny <MVP> ha scritto:<span style="color:blue">

> Terminal Server logons can be found in the security log, logon type 10

> (XP/W2K3 and up). This, and the rest, is subject to correct audit policy.

> </span>

I've not changed anything about policy, the server is just installed,

and when i look at security event log i haven't logon type, i've only

type and another field called user

 
S

S. Pidgorny

Guest
Here's an example of a logon event:

Event Type: Success Audit

Event Source: Security

Event Category: Logon/Logoff

Event ID: 528

Date: 25/03/2008

Time: 9:08:25 PM

User: GETAWAY\Administrator

Computer: GETAWAY

Description:

Successful Logon:

User Name: Administrator

Domain: GETAWAY

Logon ID: (0x0,0x81B3160)

Logon Type: 10

Logon Process: User32

Authentication Package: Negotiate

Workstation Name: GETAWAY

Logon GUID: -

Caller User Name: GETAWAY$

Caller Domain: WORKGROUP

Caller Logon ID: (0x0,0x3E7)

Caller Process ID: 3880

Transited Services: -

Source Network Address: 127.0.0.1

Source Port: 4339

Note the logon type.

--

Svyatoslav Pidgorny, MS MVP - Security, MCSE

-= F1 is the key =-

http://sl.mvps.org http://msmvps.com/blogs/sp

"RedFoxy" <redfoxy.nospam@redfoxy.it> wrote in message

news:u7NmGgljIHA.6032@TK2MSFTNGP03.phx.gbl...<span style="color:blue">

> S. Pidgorny <MVP> ha scritto:<span style="color:green">

>> Terminal Server logons can be found in the security log, logon type 10

>> (XP/W2K3 and up). This, and the rest, is subject to correct audit policy.

>></span>

>

> I've not changed anything about policy, the server is just installed, and

> when i look at security event log i haven't logon type, i've only type and

> another field called user </span>

 
R

RedFoxy

Guest
S. Pidgorny <MVP> ha scritto:<span style="color:blue">

> Here's an example of a logon event:

>

> Event Type: Success Audit</span>

How can I see if i've the audit actived?

 
S

S. Pidgorny

Guest
Start - Administrative Tools - Local Security Policy

Security Settings - Local Policies - Audit Policy

--

Svyatoslav Pidgorny, MS MVP - Security, MCSE

-= F1 is the key =-

http://sl.mvps.org http://msmvps.com/blogs/sp

"RedFoxy" <redfoxy.nospam@redfoxy.it> wrote in message

news:%23sxGFGmjIHA.4536@TK2MSFTNGP06.phx.gbl...<span style="color:blue">

> S. Pidgorny <MVP> ha scritto:<span style="color:green">

>> Here's an example of a logon event:

>>

>> Event Type: Success Audit</span>

>

>

> How can I see if i've the audit actived? </span>

 
R

RedFoxy

Guest
S. Pidgorny <MVP> ha scritto:<span style="color:blue">

> Start - Administrative Tools - Local Security Policy

> Security Settings - Local Policies - Audit Policy

> </span>

when i activate the audit... i don't found the connections in the event

log, and now that i've disabled the audit i don't found anymore new id

event 682 and 683 o.

 
You must log in or register to reply here.
Top Bottom