Paul_Y (Member) - Feb 06, 2017 at 12:54 pm #166841
I consult for a company which has a file server running Server 2008 R2.
On Thursday afternoon the manager contacted me regarding RDP & VPN access to their server, based in Birmingham.
I got an RDP connection to the server with a view to a quick investigation.
Oh, what a can of worms I opened.
I found the following:
· Symptom – Whenever we tried to RDP, the session would be disconnected automatically within a minute.
· Cause – The RDP-TCP listener was not properly configured.
· Resolution – I changed the setting in the registry and this resolved the issue.
Then on Friday we began a little deeper research.
There are 8 users of this server who had access either via RDP or VPN or both.
I do know that TeamViewer is installed to connect to clients around the country, and I have now revoked all access apart from myself and the manager.
TeamViewer has now been removed, until we can trace which user logged in.
I know it wasn't me or the manager, as he is a personal friend and I do trust him not to wreck his business.
There are thousands of confidential files that 'could' have been removed by another employee (they don't have the skill set to wreck a server).
Q1. What is the easiest way to find out if an RDP session was used to make registry changes?
Q2. Where in the event logs does it show the connection IP addresses?
Q3. Do RDP session connections show up in the event logs etc.?
That's a start; answers please on a postcard.
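One way to answer Q1 to Q3 on a Server 2008 R2 host, as an added example that is not part of Paul_Y's post or any reply to it: the PowerShell below pulls RDP logons (Security event 4624 with LogonType 10, which carries the client IP), the Terminal Services connection channels (1149, 21 to 25), and registry-modification audits (Security 4657), then joins each 4657 to the RDP session that made it by logon ID. The `$Days` window and the output layout are assumptions; the event IDs, log names and field names are the standard ones on 2008 R2. It is written for the PowerShell 2.0 that 2008 R2 ships with and must be run elevated on the server.

```powershell
# Added example (not from the original post): RDP logon evidence on Server 2008 R2.
# Written for PowerShell 2.0 (no -in operator, no [pscustomobject]). Run elevated.
param([int]$Days = 14)            # assumption: how far back to search
$since = (Get-Date).AddDays(-$Days)

function Get-EventData {
    # Flatten the <EventData><Data Name="..."> nodes of one event into a hashtable.
    param($Event)
    $xml = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

# Q2/Q3: Security 4624 with LogonType 10 (RemoteInteractive) is an RDP logon.
# IpAddress/IpPort hold the client address. With NLA enabled the type-10 event is
# preceded by a type-3 (network) 4624 from the same IP during authentication.
$rdpLogons = @()
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $ev = $_
        $d = Get-EventData $ev
        if ($d['LogonType'] -eq '10') {
            $rdpLogons += New-Object PSObject -Property @{
                Time     = $ev.TimeCreated
                User     = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
                SourceIP = $d['IpAddress']
                LogonId  = $d['TargetLogonId']   # hex session id; reappears as SubjectLogonId in later events
            }
        }
    }

# Q3 again: the Terminal Services channels keep their own record of connections, which
# survives a Security log roll-over. 1149 = authentication succeeded (RemoteConnectionManager);
# 21 = session logon, 22 = shell start, 23 = logoff, 24 = disconnect, 25 = reconnect (LocalSessionManager).
$tsIds = 1149, 21, 22, 23, 24, 25
$tsEvents = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational',
                    'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
        StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $tsIds -contains $_.Id } |
    Select-Object TimeCreated, Id, Message

# Q1: a registry value change is Security 4657 ("A registry value was modified").
# It is only written if "Audit Registry" (Advanced Audit Policy > Object Access) was
# enabled AND the key carried a SACL before the change; a default install logs nothing.
# Each 4657 carries SubjectLogonId, so joining it to TargetLogonId from the 4624 list
# tells you which logon session, and therefore which RDP client IP, made the change.
$regChanges = @()
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $ev = $_
        $d = Get-EventData $ev
        $session = $rdpLogons | Where-Object { $_.LogonId -eq $d['SubjectLogonId'] } | Select-Object -First 1
        if ($session) { $via = $session.SourceIP } else { $via = '(no matching RDP logon in window)' }
        $regChanges += New-Object PSObject -Property @{
            Time       = $ev.TimeCreated
            ChangedBy  = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
            ViaRdpFrom = $via
            Key        = $d['ObjectName']
            Value      = $d['ObjectValueName']
        }
    }

"=== RDP logons (Security 4624, LogonType 10) ==="
$rdpLogons | Sort-Object Time | Format-Table Time, User, SourceIP, LogonId -AutoSize
"=== Terminal Services connection events ==="
$tsEvents | Sort-Object TimeCreated | Format-Table -AutoSize -Wrap
"=== Registry value changes (Security 4657) ==="
$regChanges | Sort-Object Time | Format-Table Time, ChangedBy, ViaRdpFrom, Key, Value -AutoSize -Wrap
```

Two caveats for this particular case. The registry fix to the RDP-TCP listener will itself show up as a 4657 only if registry auditing was already on before it was made, so if that section comes back empty it means auditing was off, not that nobody touched the registry; turn "Audit Registry" on and put a SACL on the Terminal Server keys now so the next change is recorded. Second, TeamViewer sessions are not RDP: they do not produce LogonType 10 events or anything in the Terminal Services channels, so for the TeamViewer angle check the Security log for interactive (type 2) and unlock (type 7) logons around the suspected time and TeamViewer's own Connections_incoming.txt in its install folder, if it survived the uninstall.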