
Retrieve the computer account of RDP sessions

While it's easy to figure out a username for RDP connections, it can be tricky to ascertain the session's origin. Here's a tip on how to determine the source system for RDP connections.

I'll admit it: My personal lab was hacked. At the time, I was using the Remote Desktop Protocol (RDP) as my interim remote access solution. I found that the system permitted to accept connections from the outside had been successfully authenticated to by an external source. Fortunately, there was no data loss, and it seems the biggest impact was a browser session used as a proxy. I've done a number of things to prevent this from happening again. In this tip, I'll share a few steps I now use to determine where these connections originated.

The good news is that Windows by default will tell you enough information to at least get the source IP address and, in some cases, the computer name of the connection. For my incident, this Windows Security Log entry highlights the computer NetBIOS name and source IP address of the connection.

Event ID 682 on Windows Server 2003 (Figure A) tells me all I need to know about the connection: the source computer's name (which is Russian) and its IP address. I used the IP2Location tool to determine where the IP address originated; in this case, it was from a Russian ISP.

Figure A

For Windows Server 2008 systems using Network Level Authentication (NLA), you'll only see the IP address in default configurations. The Event ID 4624 entry in the Security log (Figure B) shows which source made the connection.

Figure B

It would be a good idea to review these events to ensure that your RDP connections are successfully authenticated from desired systems and IP networks.
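As an added example (not code from the article or its author), here is a PowerShell script that does the review just described for the Windows Server 2008 case: it pulls the Event ID 4624 entries shown in Figure B, keeps only RemoteInteractive (LogonType 10) logons, reads the source IP and workstation name from the event data, and flags any logon whose source falls outside a list of trusted networks. The `$TrustedNetworks` ranges are placeholders to replace with your own LAN or VPN ranges; Windows Server 2003's Event ID 682 has a different layout and is not covered.

```powershell
# Added example, not code from the original article: list RDP logons recorded as
# Event ID 4624 in the Security log (Windows Vista / Server 2008 or later, where
# the event carries IpAddress and WorkstationName fields) and flag any whose
# source address is outside a list of trusted networks.
# $TrustedNetworks is a placeholder; replace it with your own LAN/VPN ranges.
# Run from an elevated PowerShell prompt on the host that accepts RDP connections.

$TrustedNetworks = @('192.168.1.0/24', '10.0.0.0/8')   # placeholder ranges
$Days = 7                                               # how far back to look

# Returns $true when an IPv4 address falls inside a CIDR block.
# Non-IPv4 values ('-', 'LOCAL', '::1', IPv6) return $false so they get flagged
# for manual review rather than silently passing as trusted.
function Test-IPv4InCidr {
    param([string]$IP, [string]$Cidr)
    $net, $bits = $Cidr.Split('/')
    try {
        $ipAddr  = [System.Net.IPAddress]::Parse($IP)
        $netAddr = [System.Net.IPAddress]::Parse($net)
    } catch { return $false }
    if ($ipAddr.AddressFamily -ne 'InterNetwork' -or
        $netAddr.AddressFamily -ne 'InterNetwork') { return $false }

    # Convert the four address bytes to a single integer (int64 avoids the
    # signed/unsigned widening surprises PowerShell has with uint32).
    $toInt = {
        param($addr)
        $v = [int64]0
        foreach ($b in $addr.GetAddressBytes()) { $v = $v * 256 + [int64]$b }
        $v
    }
    $mask = [int64]0xFFFFFFFF - ([int64][math]::Pow(2, 32 - [int]$bits) - 1)
    return ((& $toInt $ipAddr) -band $mask) -eq ((& $toInt $netAddr) -band $mask)
}

$since  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue   # no error if nothing matched

$report = foreach ($ev in $events) {
    # The XML view exposes the named EventData fields visible in the article's Figure B.
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # LogonType 10 = RemoteInteractive (Terminal Services / RDP). Other types
    # (2 interactive, 3 network, 7 unlock) are not RDP session logons.
    if ($data['LogonType'] -ne '10') { continue }

    $ip = $data['IpAddress']
    $trusted = $false
    foreach ($cidr in $TrustedNetworks) {
        if (Test-IPv4InCidr -IP $ip -Cidr $cidr) { $trusted = $true; break }
    }

    [pscustomobject]@{
        Time        = $ev.TimeCreated
        User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        SourceIP    = $ip
        # With NLA on default settings this is often '-': the client name is
        # not recorded, so the IP is the only clue to the origin.
        Workstation = $data['WorkstationName']
        Trusted     = $trusted
    }
}

$report | Sort-Object Time -Descending | Format-Table -AutoSize
Write-Host ("{0} RDP logon(s) in the last {1} day(s), {2} from untrusted sources" -f
    @($report).Count, $Days, @($report | Where-Object { -not $_.Trusted }).Count)
```

Reading the Security log requires administrative rights, and on a busy server the 4624 volume can be large, so narrow `$Days` or add `-MaxEvents` to the `Get-WinEvent` call if the query is slow. Anything listed with `Trusted = False` is a logon whose source IP is not in your expected networks and deserves the same IP2Location-style follow-up the article describes.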

How do you track RDP connections? Let us know in the discussion.


About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

16 comments
NetworkDiva

Thank you for the information I have just learned something new.

abb314

I'm running Windows Server 2003 for our work server and I RDP to it frequently. I just opened up the event viewer and I don't see any events with a "Logon/Logoff" category. Is this something I need to turn on tracking for?

RayG314

How was the Russian hacker able to connect? Didn't he/she need to know an authorized account and password on the target computer? What was your security response?

The 'G-Man.'

The users that can use RDP have a login script that sends an e-mail when they log in. That way the e-mail account set for tracking gets notifications.

Greybeard770

I have this in my login script:

IF %SESSIONNAME%==Console %LOGONSERVER%\NETLOGON\logevent -s I -e 10 -r "Login by %username%" -t 5000 "User %username% logged In Locally. "
IF NOT %SESSIONNAME%==Console %LOGONSERVER%\NETLOGON\logevent -s I -e 10 -r "Login by %username%" -t 5000 "User %username% logged In from %clientname% Session %SESSIONNAME%. "

It puts entries in the Application Log. EVENTCREATE also works well.

b4real

You don't have it? Maybe the logging verbosity needs to be increased.

b4real

I had RDP open as a temporary backdoor on the open Internet. I'm guilty of that (acknowledged). As for the credentials, it was either brute forced or guessed. My response was to turn RDP off as it was, implement a much stronger set of credentials, and use a password lockout policy through AD.

b4real

That would be quite easy to set with Group Policy. But, I do it all the time, so it would be somewhat irritating for the many authorized times I do it.

Neon Samurai

I have a similar hack for monitoring a few machines that pass data through. The email would flood out my inbox so I just set a filtering rule that moves specific email to a separate folder. Keeps it out of the way but available for reference.

b4real

But is not in use.

b4real

That is good. Except I want to use it from anywhere, so I can't quite limit it to a traffic pattern. But, layer 3 protection like that is a big, big step. Good idea.

The 'G-Man.'

I know their incoming IP address and port so the firewall is set that way along with access over a VPN connection.

b4real

Other than the built in encryption level high and NLA on WVista/Server2008 or higher?

The 'G-Man.'

I've a few applications that have external specialist support via secured RDP to the servers. Although the logins are tight on security anyway, I like to keep track of when the support persons use them.
