We have our service accounts set via GPO so that they can't log on interactively or via RDP. However, some (admittedly poor) software goes belly-up without the Interactive Logon right.
On 11/06/2008, James Winzenz <[EMAIL PROTECTED]> wrote:
>
> We do have that set up in our audit policy, and the logon was indeed a
> 528; the problem was that the guy didn't use his own account. He also had
> no business doing what he did. Luckily the terminal services logon event
> provided the ip address that connected, so we were able to track it down to
> the person who did it and report them. As to what happens now, anyone's
> guess. I highly doubt he will be fired, although if it were me, that is
> what I would recommend, due to the nature of the account he used and the
> actions he took. At least we are going to be able to get rid of another
> generic account . . .
>
> James Winzenz
> Infrastructure Systems Engineer II - Security
> Pulte Homes Information Services
>
> ------------------------------
>
> *From:* Bob Fronk [mailto:[EMAIL PROTECTED]
> *Posted At:* Monday, June 09, 2008 10:40 AM
> *Posted To:* NTSysadmin
> *Conversation:* RDP question
> *Subject:* RE: RDP question
>
> The default.rdp will help, but for future, you probably need to set a GPO
> to audit logon events. If this already exists, just look on the security
> log for the event. (I think it is 528, but from memory so not positive)
>
> Bob Fronk
> [EMAIL PROTECTED]
>
> *From:* James Winzenz [mailto:[EMAIL PROTECTED]
> *Sent:* Monday, June 09, 2008 1:07 PM
> *To:* NT System Admin Issues
> *Subject:* RDP question
>
> RDP question for everyone – is there a file on the client (log or other
> file type) that shows a client's most recent rdp sessions? When I click on
> my remote desktop connection, it always shows me the name of the last
> server I RDP'd into, but I am looking to see if that is stored somewhere on
> the local computer. We had some inappropriate activity using a service
> account and don't yet have enough information to prove that a certain person
> did something they should not have. The more information I can obtain, the
> better. The client was XP Pro SP2, if that helps any. I have viewed the
> event logs on the server they logged into, and it unfortunately does not
> provide the computer name that connected to it, just the IP address. I want
> irrefutable proof, and this, in combination with the DHCP logs, does not
> quite provide that. I have been unable to find anything yet in Google using
> multiple different search strings.
>
> Thanks,
>
> James Winzenz
> Infrastructure Systems Engineer II - Security
> Pulte Homes Information Services
> Telefax: (602) 797-5823
>
> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged
> material for the sole use of the intended recipient(s). Any review, use,
> distribution or disclosure by others is strictly prohibited. If you have
> received this communication in error, please notify the sender immediately
> by email and delete the message and any file attachments from your
> computer. Thank you.
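Added example, not part of the thread: one way to do the correlation discussed above, pairing the source IP from a type-10 (RDP) 528 logon with whichever host held the DHCP lease for that IP at that moment. The DHCP lines follow the Windows DHCP Server audit log column layout; the host names, MACs, addresses and the `svc_backup` account are constructed, and only event IDs 10, 11 and 12 (assign, renew, release) are handled.

```python
import csv
from datetime import datetime
from io import StringIO

# Constructed sample in the Windows DHCP Server audit log layout:
# ID,Date,Time,Description,IP Address,Host Name,MAC Address
DHCP_LOG = """\
10,06/06/08,08:02:11,Assign,10.1.20.57,WS-ALPHA.example.local,000D60AAAA01
11,06/06/08,12:02:13,Renew,10.1.20.57,WS-ALPHA.example.local,000D60AAAA01
12,06/06/08,13:30:00,Release,10.1.20.57,WS-ALPHA.example.local,000D60AAAA01
10,06/06/08,13:41:52,Assign,10.1.20.57,WS-BRAVO.example.local,000D60BBBB02
10,06/06/08,13:45:00,Assign,10.1.20.58,WS-CHARLIE.example.local,000D60CCCC03
"""

# Constructed fields copied out of event 528 entries (type 10 = RemoteInteractive).
LOGONS = [
    {"time": "06/06/08 12:15:40", "account": "svc_backup", "type": 10, "ip": "10.1.20.57"},
    {"time": "06/06/08 13:35:00", "account": "svc_backup", "type": 10, "ip": "10.1.20.57"},
    {"time": "06/06/08 14:05:09", "account": "svc_backup", "type": 10, "ip": "10.1.20.57"},
]

FMT = "%m/%d/%y %H:%M:%S"
LEASE_START = {"10", "11"}  # new lease, renewal
LEASE_END = {"12"}          # release (other IDs ignored in this sketch)

def lease_holder(ip, when, dhcp_log=DHCP_LOG):
    """Return (host, mac) holding `ip` at `when`, or None if no lease was active."""
    holder = None
    for row in csv.reader(StringIO(dhcp_log)):
        if len(row) < 7 or row[4] != ip:
            continue  # header text, blank lines, other addresses
        ts = datetime.strptime(f"{row[1]} {row[2]}", FMT)
        if ts > when:
            break  # audit log is chronological; later entries are irrelevant
        if row[0] in LEASE_START:
            holder = (row[5], row[6])
        elif row[0] in LEASE_END:
            holder = None
    return holder

def attribute_rdp_logons(logons=LOGONS):
    """Pair each type-10 (RDP) logon with the lease holder of its source IP."""
    return [(ev["time"], ev["account"],
             lease_holder(ev["ip"], datetime.strptime(ev["time"], FMT)))
            for ev in logons if ev["type"] == 10]

if __name__ == "__main__":
    for row in attribute_rdp_logons():
        print(row)
```

The same IP maps to two different workstations within one afternoon, and to no lease holder at all at 13:35, which is why the logon time has to be matched against the lease history rather than the current lease table.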
