I needed to find out who was connected to a certain server using our corporate LAN today using RDP. I was only able to trace it as a connection from another server which people from outside can connect to. 10 or more users were connected and I lost the trail due to lack of knowledge.
I used netstat to find RDP connections using port 3389, so I knew the outgoing and destination ports on both servers, which is how I knew the source of the session from ultimate destination. The question then was on the first hop backward, how can I correlate an existing ESTABLISHED CONNECTION in this list to a terminal services client connection? I tried using ProcessExplorerNt thinking I might find a handle or value of some sort which could be helpful, but before I could really explore everything, the person logged out.
I want to know what to do so next time I need to know this information in a hurry, I will be able to do it.
Everything is complicated by the fact that just knowing the username of the logged-in session is not enough, I need to trace it all the way back to the originating IP from outside our LAN. Also, the remote desktop connection to the final server was using the /console switch, further complicating detecting who was logged in as sometimes you just see the login name of the console session instead of the remote user.
Does anyone have ideas for me, books to read, web sites to visit that would help me with tracking this down? I did some web searching and the search terms are so generic that I either get overwhelmed with hits or I get general how-to information, or citrix junk.
I used netstat to find RDP connections using port 3389, so I knew the outgoing and destination ports on both servers, which is how I knew the source of the session from ultimate destination. The question then was on the first hop backward, how can I correlate an existing ESTABLISHED CONNECTION in this list to a terminal services client connection? I tried using ProcessExplorerNt thinking I might find a handle or value of some sort which could be helpful, but before I could really explore everything, the person logged out.
I want to know what to do so next time I need to know this information in a hurry, I will be able to do it.
Everything is complicated by the fact that just knowing the username of the logged-in session is not enough, I need to trace it all the way back to the originating IP from outside our LAN. Also, the remote desktop connection to the final server was using the /console switch, further complicating detecting who was logged in as sometimes you just see the login name of the console session instead of the remote user.
Does anyone have ideas for me, books to read, web sites to visit that would help me with tracking this down? I did some web searching and the search terms are so generic that I either get overwhelmed with hits or I get general how-to information, or citrix junk.
