Monitoring Terminal Server sessions

  • Monitoring Terminal Server sessions

    Hi, guys.
    I have some strange behavior on my TS servers lately… Users that log in without the policy applied, processes that behave awkwardly… I checked the logs and came up with some strange doings of users… Not always the same user, but that doesn't mean anything. I have thin clients as stations, each of them with its own username.
    Two days ago I had the luck to monitor one of the servers when I noticed a high CPU. Checked what was causing it and saw it was a user's IE. At the beginning I thought it was some Flash or a game, but still, I went to that TC to see.
    I found a guy messing with the server, through some tools from a hacking site. When I approached him and confronted him, he quickly turned off the TC, so I couldn't see where he was and what he did. Needless to say, I was worried. Especially because I couldn't know what he did, so I couldn't take counter-measures.
    I know that being in a public institution and securing your systems is a Sisyphean job, but I would like to know I did my best.
    After all this whining, the question is: does anyone know a tool that allows monitoring of what users are doing on a TS server? Or any forensic tool that can show me in the aftermath what was done?
    Hardening the servers more than they are today will be tough, since we're talking here about an academic institution…

    TIA.

    Sorin Solomon

    »»»»»
    In order to succeed, your desire for success should be greater than your fear of failure.
    -
    «««««

  • #2
    Re: Monitoring TS sessions

    Queue Daniel

    http://www.petri.co.il/my-new-job-vp...-recording.htm

    Sorinso, there is also a thread about this in the Mods Forum!

    also check out the following thread:

    http://forums.petri.com/showthread.php?t=6961

    Michael
    Michael Armstrong
    www.m80arm.co.uk
    MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP 3.5, 4, 5, VCAP5-DCD, VCAP5-DCA, ITIL, MCP, PGP Certified Technician

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: Monitoring TS sessions

      10nx, Michael.
      I didn't see the forest because of all the trees ...
      I'll take a look.
      Last edited by sorinso; 31st March 2008, 11:54. Reason: typos ...

      Sorin Solomon

      »»»»»
      In order to succeed, your desire for success should be greater than your fear of failure.
      -
      «««««



      • #4
        Re: Monitoring TS sessions

        Sorin, you missed my post about ObserveIT (see Michael's link above).

        I will post some information here, feel free to contact me if you've got more questions.

        ObserveIT is software that allows monitoring and auditing of human actions performed on servers and workstations, whether by logging on to the console of the server or through TS/RDP and Citrix sessions. It indexes all the screenshots and adds metadata containing information about each separate screenshot. This allows for easy textual searches through the database.

        In your case, if you suspect that one of your users made changes on one of your servers, you can easily perform a search of all the human interactions with that server during the previous X hours/days, and easily see what actions were performed on the server. Clicking on the action will bring you to the exact point in time in the captured video, allowing you to see exactly what that user did, and what he did right before and after that point.

        Although not as useful for smaller environments, larger enterprises have an additional benefit. With ObserveIT you can easily search for all the similar actions that the user performed across your entire enterprise, because you may rightfully assume that if he did it once, he might have done it again elsewhere. This feature allows you to be sure he did not do it, and if he did, you can easily find out about it BEFORE your servers go down due to the misconfiguration.

        There are many more features and even more are planned in the product's roadmap. In the meantime you can download a 15-day fully functional copy + 5 agents, and you can easily install it on your servers.

        So, if any of you guys are interested in learning more, or even in getting a demo set up for you wherever you work, contact me and I'll set you up. Trust me, once you see it work, you will want it!

        www.observeit-sys.com
        Last edited by danielp; 22nd March 2009, 13:22.
        Cheers,

        Daniel Petri
        Microsoft Most Valuable Professional - Active Directory Directory Services
        MCSA/E, MCTS, MCITP, MCT
