Actually, Win2k3 does log the IP - that long-awaited feature was implemented
for other logon-types as well, such as remote NetBIOS connections. I think
what Erik is remembering is the fact that Mark determined that the Win2k3
logging mechanism retrieves the IP address from the RDP protocol, not from
the IP stack. IOW, it is possible to "spoof" the client IP in the terminal
server logon log if you futz with RDP.
I tried to figure out how to do that in TSGrinder, but I'm just not smart
enough. Looks like I'll have to put Ryan back on the payroll ;)
t
----- Original Message -----
From: "Erik Birkholz" <erik (at) foundstone (dot) com [email concealed]>
To: <alexandre (at) secrel.net (dot) br [email concealed]>; <focus-ms (at) securityfocus (dot) com [email concealed]>
Sent: Friday, October 24, 2003 1:13 PM
Subject: Re: Terminal Services Auditing?
It doesn't log the source IP for each connection. Mark Burnett wrote a good
article about supplementing this shortcoming using a tool called Zebedee.
You can find the article on SecurityFocus.com.
Apparently this is not available functionality in Win2003 TS either. I
haven't tested this yet.
Erik
---------------------------------------
(Msg from BlackBerry Wireless Handheld)
---------------------------------------
Erik Pace Birkholz - CISSP, MCSE
Foundstone, Inc.
Strategic Security
Read Special Ops and mount an assault to eradicate network negligence today.
www.SpecialOpsSeries.com
-----Original Message-----
From: alexandre <alexandre (at) secrel.net (dot) br [email concealed]>
To: focus-ms (at) securityfocus (dot) com [email concealed] <focus-ms (at) securityfocus (dot) com [email concealed]>
Sent: Fri Oct 24 10:05:19 2003
Subject: Terminal Services Auditing?
Hi all,
continuing the TS subject, I think that someone is having access to one of
my servers thru Terminal Services... anyone know how I can audit these TS
logins?? I looked at the events but didn't find any IP logged.
Thanks
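
Because the top reply says the Win2k3 logon log takes the client address from the RDP protocol rather than from the IP stack, a logged address is worth confirming against an independent network-layer record of connections to TCP 3389. The following is an added example, not part of the original thread; the record layouts, field names and sample data are constructed for illustration.

```python
from datetime import datetime, timedelta

RDP_PORT = 3389  # standard Terminal Services / RDP listener port

# Constructed sample data (not real logs); field names are assumptions.
# LOGONS: what the terminal server logon log recorded (client-reported address).
LOGONS = [
    {"time": "2003-10-24 10:01:12", "user": "alice", "client_addr": "192.0.2.10"},
    {"time": "2003-10-24 10:07:45", "user": "admin", "client_addr": "10.1.1.5"},
]
# CONNECTIONS: what a firewall or packet filter in front of the server saw.
CONNECTIONS = [
    {"time": "2003-10-24 10:01:05", "src_ip": "192.0.2.10", "dst_port": 3389},
    {"time": "2003-10-24 10:07:30", "src_ip": "203.0.113.77", "dst_port": 3389},
    {"time": "2003-10-24 10:07:40", "src_ip": "198.51.100.4", "dst_port": 445},
]


def _ts(text):
    """Parse the timestamp format used in the constructed records."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def unconfirmed_logons(logons, connections, window_seconds=120):
    """Return logons whose logged client address has no matching TCP/3389
    connection in the preceding window, plus the sources that did connect."""
    window = timedelta(seconds=window_seconds)
    rdp = [(_ts(c["time"]), c["src_ip"]) for c in connections
           if c["dst_port"] == RDP_PORT]
    findings = []
    for logon in logons:
        t = _ts(logon["time"])
        # Source addresses the network layer saw connecting shortly before logon.
        nearby = sorted({ip for ct, ip in rdp if t - window <= ct <= t})
        if logon["client_addr"] not in nearby:
            findings.append({**logon, "observed_sources": nearby})
    return findings


if __name__ == "__main__":
    for f in unconfirmed_logons(LOGONS, CONNECTIONS):
        print(f"{f['time']} {f['user']}: log says {f['client_addr']}, "
              f"network saw {f['observed_sources'] or 'no RDP connection'}")
```

A session whose TCP connection was opened earlier than the window before the logon will also be reported, so set `window_seconds` to suit how long connections stay open before logon on the server in question.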