Terminal server log

[RedFoxy]

Hi all!
I need to know if a windows 2003 SBS (the full version with SQL not the
standard version) logs Terminal server connections and where are the
logs, i need to know the ip address of a connection by terminal server
and if is possible, what they do like data transfer and similar, I'm
reading the event log of windows, but i don't foun anything of strange,
i found only some try of a terminal server connection that try to
connect some printers that server don't know and it haven't the right
drivers...
The windows 2003 server SBS is just installed, i haven't changed any
policy about log on and terminal server and windows have all windows
updated.

Thank's for all!

 

[S. Pidgorny]

Terminal Server logons can be found in the security log, logon type 10
(XP/W2K3 and up). This, and the rest, is subject to correct audit policy.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"RedFoxy" <redfoxy.nospam@redfoxy.it> wrote in message
news:esdFq4bjIHA.6084@TK2MSFTNGP06.phx.gbl...
> Hi all!
> I need to know if a windows 2003 SBS (the full version with SQL not the
> standard version) logs Terminal server connections and where are the logs,
> i need to know the ip address of a connection by terminal server and if is
> possible, what they do like data transfer and similar, I'm reading the
> event log of windows, but i don't foun anything of strange, i found only
> some try of a terminal server connection that try to connect some printers
> that server don't know and it haven't the right drivers...
> The windows 2003 server SBS is just installed, i haven't changed any
> policy about log on and terminal server and windows have all windows
> updated.
>
> Thank's for all!

 

[RedFoxy]

S. Pidgorny <MVP> ha scritto:
> Terminal Server logons can be found in the security log, logon type 10
> (XP/W2K3 and up). This, and the rest, is subject to correct audit policy.
>

I've not changed anything about policy, the server is just installed,
and when i look at security event log i haven't logon type, i've only
type and another field called user

 

[S. Pidgorny]

Here's an example of a logon event:

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 25/03/2008
Time: 9:08:25 PM
User: GETAWAY\Administrator
Computer: GETAWAY
Description:
Successful Logon:
User Name: Administrator
Domain: GETAWAY
Logon ID: (0x0,0x81B3160)
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: GETAWAY
Logon GUID: -
Caller User Name: GETAWAY$
Caller Domain: WORKGROUP
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 3880
Transited Services: -
Source Network Address: 127.0.0.1
Source Port: 4339


Note the logon type.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"RedFoxy" <redfoxy.nospam@redfoxy.it> wrote in message
news:u7NmGgljIHA.6032@TK2MSFTNGP03.phx.gbl...
> S. Pidgorny <MVP> ha scritto:
>> Terminal Server logons can be found in the security log, logon type 10
>> (XP/W2K3 and up). This, and the rest, is subject to correct audit policy.
>>
>
> I've not changed anything about policy, the server is just installed, and
> when i look at security event log i haven't logon type, i've only type and
> another field called user

 

[RedFoxy]

S. Pidgorny <MVP> ha scritto:
> Here's an example of a logon event:
>
> Event Type: Success Audit


How can I see if i've the audit actived?

 

[S. Pidgorny]

Start - Administrative Tools - Local Security Policy
Security Settings - Local Policies - Audit Policy

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"RedFoxy" <redfoxy.nospam@redfoxy.it> wrote in message
news:%23sxGFGmjIHA.4536@TK2MSFTNGP06.phx.gbl...
> S. Pidgorny <MVP> ha scritto:
>> Here's an example of a logon event:
>>
>> Event Type: Success Audit
>
>
> How can I see if i've the audit actived?

 

[RedFoxy]

S. Pidgorny <MVP> ha scritto:
> Start - Administrative Tools - Local Security Policy
> Security Settings - Local Policies - Audit Policy
>
when i activate the audit... i don't found the connections in the event
log, and now that i've disabled the audit i don't found anymore new id
event 682 and 683 o.*