Audit RDP Logon but not ICA Logon

I have failed miserably so far in my attempt to audit remote connections to
Windows 2000 boxes that host Citrix. My goal is to only see connections via
RDP not Citrix session connections. I have tried logging all logons, which
produce 528 Events but then you can't tell if it is a ICA or RDP connection.

So I tried removing local auditing and auditing on the server level and
setting auditing on the RDP connection from within Terminal Services
Configuration. No luck. I went back and tried all the possible combinations
and again had no luck.

Short of hatching a program and having it generate a log in the event log I
can't find a way to determine when a user authenticates on RDP only.

Anyone ever had success on something like this?

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Paul Bergson" <pbergson@allete_nospam.com> wrote in message
news:uYOFTt%(E-Mail Removed)...
> I have failed miserably so far in my attempt to audit remote connections
to
> Windows 2000 boxes that host Citrix. My goal is to only see connections
via
> RDP not Citrix session connections. I have tried logging all logons,
which
> produce 528 Events but then you can't tell if it is a ICA or RDP
connection.
>
> So I tried removing local auditing and auditing on the server level and
> setting auditing on the RDP connection from within Terminal Services
> Configuration. No luck. I went back and tried all the possible
combinations
> and again had no luck.
>
> Short of hatching a program and having it generate a log in the event log
I
> can't find a way to determine when a user authenticates on RDP only.
>
> Anyone ever had success on something like this?
>
> --
> Paul Bergson
> MVP - Directory Services
> MCT, MCSE, MCSA, Security+, BS CSci
> 2003, 2000 (Early Achiever), NT
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup
> This posting is provided "AS IS" with no warranties, and confers no
rights.
>
>

You can insert a line into the logon script that checks
environmental variables such as %SessionName%, then
generates a logon event.

Yeah, that is the only thing I can see right now but had hoped to not have
to place anything in such as that, but alas I think that is my only option.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Pegasus (MVP)" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
> "Paul Bergson" <pbergson@allete_nospam.com> wrote in message
> news:uYOFTt%(E-Mail Removed)...
>> I have failed miserably so far in my attempt to audit remote connections
> to
>> Windows 2000 boxes that host Citrix. My goal is to only see connections
> via
>> RDP not Citrix session connections. I have tried logging all logons,
> which
>> produce 528 Events but then you can't tell if it is a ICA or RDP
> connection.
>>
>> So I tried removing local auditing and auditing on the server level and
>> setting auditing on the RDP connection from within Terminal Services
>> Configuration. No luck. I went back and tried all the possible
> combinations
>> and again had no luck.
>>
>> Short of hatching a program and having it generate a log in the event log
> I
>> can't find a way to determine when a user authenticates on RDP only.
>>
>> Anyone ever had success on something like this?
>>
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCT, MCSE, MCSA, Security+, BS CSci
>> 2003, 2000 (Early Achiever), NT
>>
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup
>> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>>
>>
>
> You can insert a line into the logon script that checks
> environmental variables such as %SessionName%, then
> generates a logon event.
>
>

Depends on what you are looking for, check RecordTS that we will be
officially releasing in Las Vegas in November at the WinConnections expo.
It records all RDP sessions like a VCR so you can watch later.
It is auditing on steroids.

--

Cláudio Rodrigues

Microsoft MVP
Windows Server - Terminal Services
"Paul Bergson" <pbergson@allete_nospam.com> wrote in message
news:(E-Mail Removed)...
> Yeah, that is the only thing I can see right now but had hoped to not have
> to place anything in such as that, but alas I think that is my only
> option.
>
> --
> Paul Bergson
> MVP - Directory Services
> MCT, MCSE, MCSA, Security+, BS CSci
> 2003, 2000 (Early Achiever), NT
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> "Pegasus (MVP)" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>>
>> "Paul Bergson" <pbergson@allete_nospam.com> wrote in message
>> news:uYOFTt%(E-Mail Removed)...
>>> I have failed miserably so far in my attempt to audit remote connections
>> to
>>> Windows 2000 boxes that host Citrix. My goal is to only see connections
>> via
>>> RDP not Citrix session connections. I have tried logging all logons,
>> which
>>> produce 528 Events but then you can't tell if it is a ICA or RDP
>> connection.
>>>
>>> So I tried removing local auditing and auditing on the server level and
>>> setting auditing on the RDP connection from within Terminal Services
>>> Configuration. No luck. I went back and tried all the possible
>> combinations
>>> and again had no luck.
>>>
>>> Short of hatching a program and having it generate a log in the event
>>> log
>> I
>>> can't find a way to determine when a user authenticates on RDP only.
>>>
>>> Anyone ever had success on something like this?
>>>
>>> --
>>> Paul Bergson
>>> MVP - Directory Services
>>> MCT, MCSE, MCSA, Security+, BS CSci
>>> 2003, 2000 (Early Achiever), NT
>>>
>>> http://www.pbbergs.com
>>>
>>> Please no e-mails, any questions should be posted in the NewsGroup
>>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>>
>>>
>>
>> You can insert a line into the logon script that checks
>> environmental variables such as %SessionName%, then
>> generates a logon event.
>>
>>
>
>