Monitoring Terminal Server sessions
This thread has 3 replies and has been viewed 1361 times.
#1
Hi, guys.
I have some strange behavior on my TS servers lately… Users that log in without the policy applied, processes that behave awkwardly… I checked the logs and came up with some strange doings of users… Not always the same user, but that doesn't mean anything. I have thin clients as stations, each of them with its own username.

Two days ago I had the luck to be monitoring one of the servers when I noticed high CPU usage. I checked what was causing it and saw it was the IE of a user. At the beginning I thought it was some Flash or a game, but still, I went to that TC to see. I found a guy messing with the server, using some tools from a hacking site. When I approached him and confronted him, he quickly turned off the TC, so I couldn't see where he was and what he did.

Needless to say, I was worried. Especially because I couldn't know what he did, so I couldn't take countermeasures. I know that being in a public institution and securing your systems is a Sisyphean job, but I would like to know I did my best.

After all this whining, the question is: does anyone know a tool that allows monitoring of what users are doing on a TS server? Or any forensic tool that can show me in the aftermath what was done? Hardening the servers more than they are today will be tough, since we're talking here about an academic institution…

TIA.
__________________
Sorin Solomon »»»»» In order to succeed, your desire for success should be greater than your fear of failure. - Bill Cosby «««««
#2
Cue Daniel
http://www.petri.co.il/my-new-job-vp...-recording.htm

Sorinso, there is also a thread about this in the Mods Forum! Also check out the following thread: http://www.petri.co.il/forums/showthread.php?t=6961

Michael
__________________
Michael Armstrong MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP x 2, ITIL, MCP, PGP Certified Technician ** Remember to give credit where credit is due and leave reputation points
#3
10nx, Michael.
I didn't see the forest because of all the trees ... I'll take a look.
__________________
Sorin Solomon »»»»» In order to succeed, your desire for success should be greater than your fear of failure. - Bill Cosby «««««
Last edited by sorinso; 31st March 2008 at 13:54. Reason: typos ...
#4
Sorin, you missed my post about ObserveIT (see Michael's link above).
I will post some information here, feel free to contact me if you've got more questions.

ObserveIT is software that allows monitoring and auditing of human actions done on servers and workstations, either by logging to the console of the server, or on TS/RDP and Citrix sessions. It indexes all the screenshots and adds metadata containing information about each separate screenshot. This allows for easy textual searches through the database.

In your case, if you suspect that one of your users made changes on one of your servers, you can easily perform a search of all the human interactions with that server during the previous X hours/days, and easily see what the actions were that were performed on the server. Clicking on the action will bring you to the exact point in time of the captured video, allowing you to see exactly what that user did, and what he did right before and after that point.

Although not as useful for smaller environments, larger enterprises have an additional benefit. With ObserveIT you can easily search for all the similar actions that the user performed across your entire enterprise, because you may rightfully assume that if he did it once, he might have done it again elsewhere. This feature allows you to be sure he did not do it, and if he did, you can easily find out about it BEFORE your servers go down due to this misconfiguration.

There are many more features and even more are planned in the product's roadmap. In the meantime you can download a 15-day fully functional copy + 5 agents, and you can easily install it on your servers.

So, if any of you guys are interested in learning more, or even in getting a demo set up for you wherever you guys work, contact me and I'll set you up. Trust me, once you see it work, you will want it!

www.observeit-sys.com
__________________
Cheers, Daniel Petri MCSA/E, MCTS, MCT, Exchange Server MVP VP Technologies - ObserveIT
Last edited by danielp; 22nd March 2009 at 15:22.