I’ll admit it: My personal lab was hacked. At the time, I had the remote desktop protocol (RDP) as my interim remote access solution. I found that a connection from the outside had successfully authenticated to the system that was permitted to accept such connections. Fortunately, there was no data loss, and it seems the biggest impact was a browser session used as a proxy. I’ve done a number of things to prevent this from happening again. In this tip, I’ll share a few steps I now use to determine where these connections originated.

The good news is that Windows by default logs enough information to at least get the source IP address and, in some cases, the computer name of the connection. For my incident, this Windows Security log entry shows the NetBIOS computer name and source IP address of the connecting system.

Event ID 682 on Windows Server 2003 (Figure A) tells me all I need to know about the connection: the computer name of the connecting system (which is Russian) and its IP address. I used the IP2Location tool to determine where the IP address originated; in this case, it was from a Russian ISP.
Figure A

For Windows Server 2008 systems using Network Level Authentication (NLA), you’ll only see the IP address in the default configuration. The Event ID 4624 entry in the Security log (Figure B) shows which source made the connection.
Figure B


It would be a good idea to review these events regularly to confirm that successful RDP authentications come only from the systems and IP networks you expect.
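One way to carry out that review on a Windows Server 2008 or later system is to pull the Event ID 4624 entries from the Security log with PowerShell and summarize them by source address. The script below is an added example, not code from the original article; it assumes the local Security log is being queried from an elevated prompt, that RDP logons are recorded with logon type 10 (RemoteInteractive), and that the trusted address prefixes in `$TrustedPrefixes` are placeholders you replace with your own networks.

```powershell
# Added example (not from the original article): list successful RDP logons
# recorded as Security Event ID 4624 with logon type 10 (RemoteInteractive),
# group them by source IP address, and flag any that fall outside a list of
# trusted address prefixes. Assumes the local Security log, read from an
# elevated PowerShell prompt on Windows Server 2008 or later.
param(
    [int]$Days = 7,
    # Placeholder internal ranges; replace with the networks RDP should come from.
    [string[]]$TrustedPrefixes = @('10.0.0.', '192.168.1.')
)

$filter = @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddDays(-$Days)
}

# Get-WinEvent returns an error rather than an empty set when nothing matches,
# so suppress that and treat "no events" as an empty list.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$logons = foreach ($e in $events) {
    # The EventData fields (LogonType, IpAddress, WorkstationName, ...) are
    # easiest to read from the event's XML representation.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['LogonType'] -eq '10') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            Workstation = $data['WorkstationName']
            SourceIP    = $data['IpAddress']
        }
    }
}

# Logons whose source address does not start with any trusted prefix.
$unexpected = $logons | Where-Object {
    $ip = $_.SourceIP
    -not ($TrustedPrefixes | Where-Object { $ip -like "$_*" })
}

Write-Host "RDP logons in the last $Days day(s), by source IP:"
$logons | Group-Object SourceIP | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

if ($unexpected) {
    Write-Warning "RDP logons from addresses outside the trusted prefix list:"
    $unexpected | Format-Table Time, User, Workstation, SourceIP -AutoSize
}
```

Save it as a .ps1 file and run it with `-Days` and `-TrustedPrefixes` set for your environment. The Windows Server 2003 Event ID 682 entries described above predate this event format and are not read by Get-WinEvent, so on those systems the review stays a manual one in Event Viewer. Any source address the script flags can then be checked with a geolocation lookup such as IP2Location, as the article does.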

How do you track RDP connections? Let us know in the discussion.
