We are very excited about Terminal Services Log v2.6 release because it delivers some very interesting features for our existing and new customers.
One of the most interesting features is the ability to audit failure logons and file system actions. Audit logon events you can use to detect failure logons to your server, and detect hacker attacks and former employees failure logons. Terminal Services Log will report you user that is trying to logon, source IP address of the remote attacker and computer name of the attackers PC.
Auditing is a Windows Server feature that is being configured via Group Policy. Every audit event is being stored to the event log. We are using the information provided in the Event Log and combining it with existing data (user activities, applications being used…) to create a central monitoring station for your Terminal Services / Remote Desktop / Citrix farms.
Here is the info on how to turn on the logon failure audit events for your server(s). In order to enable Audit Logs you need to:
- Configure a Group Policy
- Enable Audit Log collection in the Terminal Services Log
Configuring Group Policy
There are two methods how you can apply group policy. Login to your Domain Controller and check if you have Group Policy Management in the Administrative Tools.
Configuring Group Policy for a domain WITHOUT Group Policy Management feature:
- Login to you Domain Controller with an account that has Domain Administrator privileges
- Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
- On the View menu, click Advanced Features.
- Right-click Domain Controllers, and then click Properties.
- Click the Group Policy tab, click Default Domain Policy, and then click Edit.
- Click Computer Configuration, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then double-click Audit Policy.
- In the right pane, right-click Audit Logon Events, and then click Properties.
- Click Define These Policy Settings, and then click to select Failure
- Click OK.
- The changes you made will only take effect when the policy setting is propagated or applied to your computer. Complete either of the following steps to initiate policy propagation right now:
- Type gpupdate /force at the command prompt of a server and then press ENTER. The policy will be updated.
- Wait for automatic policy propagation that occurs at regular intervals that you can configure. By default, policy propagation occurs every five minutes.
Configuring Group Policy for a domain WITH Group Policy Management feature:
- Login to you Domain Controller with an account that has Domain Administrator privileges
- Click Start, point to Programs, point to Administrative Tools, and then click Group policy management
- Click Default Domain Policy, and then click Edit (in case you have special policy only for terminal servers select that policy)
- Click Computer Configuration, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then double-click Audit Policy.
- In the right pane, right-click Audit Logon Events, and then click Properties.
- Click Define These Policy Settings, and then click to select Failure
- Click OK.
The changes you made will only take effect when the policy setting is propagated or applied to your computer. Complete either of the following steps to initiate policy propagation right now:
- Type gpupdate /force at the command prompt of a server and then press ENTER. The policy will be updated.
Wait for automatic policy propagation that occurs at regular intervals that you can configure. By default, policy propagation occurs every five minutes.
Configuring Terminal Services Log
You need to enable collection of audit log data in the File > Preferences and you are good to go. Terminal Services Log will start to collect audit information from the event log on regular basis. Click here to check sample audit reports.
© Copyright 2008-2009 Acceleratio Ltd. · All Rights Reserved ·
[...] [...]