James,

This kind of stuff intrigues me.  Without giving up details can you tell us 
what he was doing and what type of account he was exploiting?

Many times I have found issues in my own setup listening to what is vulnerable 
on other networks.

Thanks

Troy


From: James Winzenz [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 11, 2008 3:26 PM
To: NT System Admin Issues
Subject: RE: RDP question

We do have that set up in our audit policy, and the logon was indeed a 528; the 
problem was that the guy didn't use his own account.  He also had no business 
doing what he did.  Luckily the terminal services logon event provided the IP 
address that connected, so we were able to track it down to the person who did 
it and report them.  As to what happens now, anyone's guess.  I highly doubt he 
will be fired, although if it were me, that is what I would recommend, due to 
the nature of the account he used and the actions he took.  At least we are 
going to be able to get rid of another generic account . . .


James Winzenz

Infrastructure Systems Engineer II - Security

Pulte Homes Information Services

________________________________
From: Bob Fronk [mailto:[EMAIL PROTECTED]
Posted At: Monday, June 09, 2008 10:40 AM
Posted To: NTSysadmin
Conversation: RDP question
Subject: RE: RDP question

The default.rdp will help, but for the future, you probably need to set a GPO to 
audit logon events.  If this already exists, just look on the security log for 
the event.  (I think it is 528, but from memory so not positive)

Bob Fronk
[EMAIL PROTECTED]

From: James Winzenz [mailto:[EMAIL PROTECTED]
Sent: Monday, June 09, 2008 1:07 PM
To: NT System Admin Issues
Subject: RDP question

RDP question for everyone - is there a file on the client (log or other file 
type) that shows a client's most recent RDP sessions?  When I click on my 
remote desktop connection, it always shows me the name of the last server I 
RDP'd into, but I am looking to see if that is stored somewhere on the local 
computer.  We had some inappropriate activity using a service account and don't 
yet have enough information to prove that a certain person did something they 
should not have.  The more information I can obtain, the better.  The client 
was XP Pro SP2, if that helps any.  I have viewed the event logs on the server 
they logged into, and it unfortunately does not provide the computer name that 
connected to it, just the IP address.  I want irrefutable proof, and this, in 
combination with the DHCP logs, does not quite provide that.  I have been 
unable to find anything yet in Google using multiple different search strings.


Thanks,



James Winzenz

Infrastructure Systems Engineer II - Security

Pulte Homes Information Services

Telefax: (602) 797-5823





CONFIDENTIALITY NOTICE:  This email may contain confidential and privileged 
material for the sole use of the intended recipient(s).  Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately by 
email and delete the message and any file attachments from your computer.  
Thank you.
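
The correlation discussed in this thread (source IP and logon time from the server's 528 event, matched against DHCP lease records) can be scripted. The following is an added example, not code from anyone in the thread; it assumes the comma-separated Windows DHCP Server audit log layout, and every host name, address and MAC in the sample is constructed.

```python
import csv
from datetime import datetime

# Constructed sample, assumed layout of a Windows DHCP Server audit log:
# ID,Date,Time,Description,IP Address,Host Name,MAC Address
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,06/09/08,08:02:11,Assign,10.0.5.23,WS-ALPHA.example.test,000000000A01
11,06/09/08,09:15:40,Renew,10.0.5.23,WS-ALPHA.example.test,000000000A01
12,06/09/08,09:40:02,Release,10.0.5.23,WS-ALPHA.example.test,000000000A01
10,06/09/08,09:41:30,Assign,10.0.5.23,WS-BRAVO.example.test,000000000B02
10,06/09/08,09:50:00,Assign,10.0.5.24,WS-CHARLIE.example.test,000000000C03
"""

HOLD = {10, 11}      # 10 = new lease, 11 = renewal
END = {12, 16, 17}   # 12 = released, 16 = deleted, 17 = expired


def lease_holder(dhcp_log, ip, logon_time):
    """Return (host, mac, last_lease_event_time) for the client that held
    `ip` at `logon_time`, or None if no lease was active at that moment."""
    holder = None
    for row in csv.reader(dhcp_log.strip().splitlines()):
        if len(row) < 7 or not row[0].strip().isdigit():
            continue  # header or legend line, not an event record
        event, date, time, _desc, addr, host, mac = (f.strip() for f in row[:7])
        if addr != ip:
            continue
        stamp = datetime.strptime(f"{date} {time}", "%m/%d/%y %H:%M:%S")
        if stamp > logon_time:
            break  # log is chronological; later events cannot matter
        if int(event) in HOLD:
            holder = (host, mac.upper(), stamp)
        elif int(event) in END:
            holder = None  # address was free after this event
    return holder


if __name__ == "__main__":
    # Logon times here stand in for the timestamp on the 528 event.
    for t in (datetime(2008, 6, 9, 9, 30), datetime(2008, 6, 9, 9, 45)):
        print(t, "->", lease_holder(SAMPLE_LOG, "10.0.5.23", t))
```

The MAC address in a lease record is whatever the client presented, so the result corroborates other evidence rather than standing alone. A lease that ended or changed hands close to the logon time should be reviewed by hand.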
