Log auditing for Terminal Services. Terminal Services, which ships with Microsoft Windows 2000 Server, is a remote management tool based on the Remote Desktop Protocol (RDP). It is very fast and very stable, and it makes excellent remote administration software, but because it is so powerful and is protected only by a password, it is also very dangerous. Once an intruder has an administrator password, he can operate the remote server just as you do (no advanced NT command-line skills needed, no special scripts or programs to write; every system management task can be done with the mouse. That is so convenient, and so terrible).
Although many people use Terminal Services for remote management, not everyone knows how to audit it, and most terminal servers do not have logon auditing enabled. Enabling audit logging is actually very easy: open Terminal Services Configuration, click "Connections", right-click the RDP connection you want to configure (for example RDP-Tcp (Microsoft RDP 5.0)), select the "Permissions" tab and click "Advanced" in the lower left corner; see the "Auditing" tab there? Add the Everyone group, which represents all users, and audit success and failure for "Connect", "Disconnect" and "Logon". That is enough; auditing too much is not good. These audit entries are written to the Security log, which you can view from Administrative Tools -> Event Viewer.
Who logged in and when is now clear, but the unpleasant part is that this lousy thing does not record the client's IP address (only the IP addresses of users currently online are shown); it records the client's machine name instead! If someone sets his machine name to PIG, you just have to put up with his ridicule. I don't know what Microsoft was thinking. It seems we cannot depend on Microsoft after all. Shall we write a program ourselves? Then everything is solved. Do you know C? No? VB? Not that either? Delphi? ... What? Which programming language do you know, then?
Fine, after all a system administrator is not a programmer. Don't worry, I will give you a method: let's build a batch file called Tslog.bat that records the IP address each logon comes from. Its contents are as follows:
rem Tslog.bat: append the logon time and the current RDP connections to TSLOG.LOG
time /t >> TSLOG.LOG
netstat -n -p TCP | find ":3389" >> TSLOG.LOG
start explorer
Let me explain what each line of this file does:
The first line records the time of the user's logon. time /t returns the system time directly (without /t, the system would wait for you to enter a new time); we then use the ">>" redirection symbol to append it to Tslog.log as the time field of the log.
The second line records the user's IP address. netstat is a command that displays the current network connection status; -n means that IP addresses and port numbers are shown numerically instead of as host and service names, and -p TCP restricts the output to the TCP protocol. We then use the pipe symbol "|" to send the output of this command to the find command, which picks out the lines containing ":3389" (these are the lines holding our clients' IP addresses; if you change the Terminal Services port, this value must be changed accordingly). Finally we redirect this result to the log file tslog.log as well. The records in tslog.log therefore look like this:
22:40
TCP 192.168.12.28:3389 192.168.10.123:4903 ESTABLISHED
22:54
TCP 192.168.12.28:3389 192.168.12.29:1039 ESTABLISHED
That is, as long as this TSLog.bat file is run, every IP address connected to port 3389 will be recorded. So how do we run this batch file automatically? We know that Terminal Services lets us customize the program that starts for a user: in Terminal Services Configuration, we override the user's logon script settings and specify tslog.bat as the program to run when the user logs on, so this script is executed at every logon. Because the default program (equivalent to the shell environment) is Explorer, I add the command start explorer, which launches Explorer, as the last line of Tslog.bat; without this line the user has no way to reach the desktop! Of course, if you only want to give your users a specific shell, for example cmd.exe or Word.exe, you can replace start explorer with any shell you like.
This script can also be done in other ways; as a system administrator you can use your imagination and your own resources freely. For example, writing a script that sends each logon user's IP address to your own mailbox is also a good approach for important servers. Under normal circumstances, ordinary users do not look at the permission settings of Terminal Services, so they will not know that you are auditing logon IPs; just put the TSLog.bat and TSLog.log files in a fairly hidden directory. But this is only a simple Terminal Services logging policy, with no real security measures or permission mechanism behind it. If the server has higher security requirements, it still has to be done by programming or by purchasing intrusion monitoring software.
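As an added example (not part of the original article), the following Python script parses the TSLOG.LOG format written by Tslog.bat and attributes each logon to the client address that was not present in the previous snapshot, since netstat lists every open RDP session rather than only the one that triggered the script. The sample log is constructed, and the script assumes the default port 3389 and the netstat line layout shown above.

```python
import re

# Constructed sample of a TSLOG.LOG as written by Tslog.bat: each "time /t" line is
# followed by the netstat lines matching ":3389"; at 23:07 the 22:54 session is still open.
SAMPLE_LOG = """\
22:40
TCP 192.168.12.28:3389 192.168.10.123:4903 ESTABLISHED
22:54
TCP 192.168.12.28:3389 192.168.12.29:1039 ESTABLISHED
23:07
TCP 192.168.12.28:3389 192.168.10.123:4921 ESTABLISHED
TCP 192.168.12.28:3389 192.168.12.29:1039 ESTABLISHED
23:15
"""

TIME_RE = re.compile(r"^\s*(\d{1,2}):\s*(\d{2})\s*(AM|PM)?\s*$", re.I)
CONN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$", re.I)

def parse_tslog(text, rdp_port=3389):
    """Return snapshots as a list of (time, [(client_ip, client_port, state), ...]).
    An empty list means the script ran but netstat saw no connection on the RDP port
    (e.g. the session was not ESTABLISHED yet, or the port was changed but find was not).
    """
    snapshots = []
    for line in text.splitlines():
        m = TIME_RE.match(line)
        if m:
            stamp = m.group(1).zfill(2) + ":" + m.group(2) + (" " + m.group(3).upper() if m.group(3) else "")
            snapshots.append((stamp, []))
            continue
        m = CONN_RE.match(line)
        if m and snapshots:
            _local_ip, local_port, remote_ip, remote_port, state = m.groups()
            # The server side is the end bound to the RDP port; the other end is the client.
            if int(local_port) == rdp_port:
                snapshots[-1][1].append((remote_ip, int(remote_port), state.upper()))
    return snapshots

def new_logons(snapshots):
    """Attribute each snapshot's logon to the client connection(s) absent from the
    previous snapshot, so a session still open from an earlier logon is not counted again.
    """
    result, previous = [], set()
    for stamp, conns in snapshots:
        current = {(ip, port) for ip, port, _ in conns}
        result.append((stamp, sorted(current - previous)))
        previous = current
    return result
```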