How to log the IP that connects from outside of company to terminal server?
We have users RDP to company's terminal servers. Is there a way that I can track the ip address outside of company where users connect from?
I know there are logs avaliable under under terminal services in event log, but I dont see any public ip address in there for remote connection from outside of company.
Any idea?
Your question do not provide information about how users connects to your terminal server from outside. I suppose that there is gateway in your company, that redirect requests from the internet to terminal server. If so, you can get this information in gateway log.
If however your terminal server is connected to the Internet directly and have public IP for some reasons, perhaps, this is what can help you:
<#
Features:
1) This script reads the event log "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" from multiple servers and outputs the human-readable results to a CSV.
Instructions:
1) Before you run, edit this line to include one or several of your own servers.
Requirements:
1) TBD
April 8 2015 - Version 0.2
Mike Crowley
http://BaselineTechnologies.com
#>
$SessionHosts = @('Server2', 'Server3', 'Server4', 'Server5')
foreach ($Server in $SessionHosts) {
$LogFilter = @{
LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
ID = 21, 23, 24, 25
}
$AllEntries = Get-WinEvent -FilterHashtable $LogFilter -ComputerName $Server
$AllEntries | Foreach {
$entry = [xml]$_.ToXml()
[array]$Output += New-Object PSObject -Property @{
TimeCreated = $_.TimeCreated
User = $entry.Event.UserData.EventXML.User
IPAddress = $entry.Event.UserData.EventXML.Address
EventID = $entry.Event.System.EventID
ServerName = $Server
}
}
}
$FilteredOutput += $Output | Select TimeCreated, User, ServerName, IPAddress, @{Name='Action';Expression={
if ($_.EventID -eq '21'){"logon"}
if ($_.EventID -eq '22'){"Shell start"}
if ($_.EventID -eq '23'){"logoff"}
if ($_.EventID -eq '24'){"disconnected"}
if ($_.EventID -eq '25'){"reconnection"}
}
}
$Date = (Get-Date -Format s) -replace ":", "."
$FilteredOutput | Sort TimeCreated | Export-Csv $env:USERPROFILE\Desktop\$Date`_RDP_Report.csv -NoTypeInformation
#End
This powershell script from the Microsoft Technet website parses eventlogs about RDP sessions information, including client IPs, and outputs the human-readable results to a CSV.
If anybody is looking for IP addresses of failed RDP connection attempts (e.g. in case of brute force attacks against your web server), the Windows event log is Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
and the event ID is 140
(logged as a warning):
A connection from the client computer with an IP address of 123.123.123.123 failed because the user name or password is not correct.
You could then write a script that lets the firewall block IP addresses with multiple failed attempts.