Audit RDP Logon but not ICA Logon


Paul Bergson

I have failed miserably so far in my attempt to audit remote connections to
Windows 2000 boxes that host Citrix. My goal is to only see connections via
RDP not Citrix session connections. I have tried logging all logons, which
produces 528 Events but then you can't tell if it is an ICA or RDP connection.

So I tried removing local auditing and auditing on the server level and
setting auditing on the RDP connection from within Terminal Services
Configuration. No luck. I went back and tried all the possible combinations
and again had no luck.

Short of hatching a program and having it generate a log in the event log I
can't find a way to determine when a user authenticates on RDP only.

Anyone ever had success on something like this?

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
 

Pegasus (MVP)

Paul Bergson said:
I have failed miserably so far in my attempt to audit remote connections to
Windows 2000 boxes that host Citrix. My goal is to only see connections via
RDP not Citrix session connections. I have tried logging all logons, which
produces 528 Events but then you can't tell if it is an ICA or RDP connection.

So I tried removing local auditing and auditing on the server level and
setting auditing on the RDP connection from within Terminal Services
Configuration. No luck. I went back and tried all the possible combinations
and again had no luck.

Short of hatching a program and having it generate a log in the event log I
can't find a way to determine when a user authenticates on RDP only.

Anyone ever had success on something like this?


You can insert a line into the logon script that checks
environmental variables such as %SessionName%, then
generates a logon event.
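
A sketch of the logon-script check suggested above, added here as an example and not part of any poster's reply. It assumes RDP sessions carry a %SESSIONNAME% beginning with "RDP" (for example RDP-Tcp#5) while ICA sessions begin with "ICA"; the source name RdpLogonAudit and event ID 900 are arbitrary choices. It uses eventcreate, which ships with Windows XP/Server 2003 and later, so a Windows 2000 host would need a Resource Kit event-logging tool in its place.

```bat
@echo off
rem Added example: logon-script fragment that writes an event for RDP
rem sessions only and stays silent for ICA and console sessions.
rem Assumptions (not from the thread): the "RDP" name prefix, the source
rem name RdpLogonAudit and event ID 900.
setlocal

rem SESSIONNAME is absent outside Terminal Services sessions: nothing to log.
if not defined SESSIONNAME goto :done

rem Compare only the first three characters, ignoring case, so that
rem RDP-Tcp#0, RDP-Tcp#17 etc. all match and ICA-tcp#N does not.
if /i not "%SESSIONNAME:~0,3%"=="RDP" goto :done

rem Record who logged on, over which session, and from which client name.
rem Registering a new event source needs administrative rights, so run
rem this once elevated before relying on it from user logon scripts.
eventcreate /L APPLICATION /T INFORMATION /SO RdpLogonAudit /ID 900 ^
  /D "RDP logon: user=%USERDOMAIN%\%USERNAME% session=%SESSIONNAME% client=%CLIENTNAME%" >nul 2>&1

:done
endlocal
```

The script runs in the user's own context, so the event it writes can be forged or suppressed by that user; correlate it with the 528 logon events rather than treating it as authoritative on its own.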
 

Paul Bergson

Yeah, that is the only thing I can see right now but had hoped to not have
to place anything in such as that, but alas I think that is my only option.

 

Cláudio Rodrigues

Depends on what you are looking for, check RecordTS that we will be
officially releasing in Las Vegas in November at the WinConnections expo.
It records all RDP sessions like a VCR so you can watch later.
It is auditing on steroids.

--

Cláudio Rodrigues

Microsoft MVP
Windows Server - Terminal Services
 
