This scenario assumes you have a popular remote access application called “Radmin” (Remote Administrator).  It’s a simple remote access tool I used to use myself in the field.  But sometimes you may want to audit its use.  IE:  Who is logging in, and when, and where, and from what?

Here’s our first part: make sure Security logging on the computer in question is enabled.  Most Domain Controllers that are Windows 2003 and higher will have this enabled; lower may not.  If you need to check whether it’s enabled locally, just run SECPOL.MSC and ensure under “Audit Policy” that “Success” and “Failure” logging is enabled for both “Audit account logon events” as well as “Audit logon events”.

With this switch flipped over you can now watch and track every time somebody accesses that server.  It will log within the Security log in the Event Viewer.  The particular event IDs we need to watch for are 4624 (Account Logon Success) and 4625 (Account Logon Failure).

With this in mind, in PowerShell we can use the Get-EventLog cmdlet against the system to pull down the details.  I’m using the legacy one intentionally so that we COULD leverage this solution against a Server 2000/2003 environment as well.

Get-EventLog -LogName Security -InstanceId 4624,4625 -ComputerName 'SomeComputer.Contoso.com'

The problem is that this cmdlet will pull down the entire pile of events from the beginning of Security logging time.  So we need to narrow it down.  Fortunately in Windows PowerShell we can filter things by date and time; as it just so happens, Get-EventLog has an -After parameter for us to specify a date or time.  I’d like to see ONLY events that happened “15 minutes before now”.

$NOW = (Get-Date).AddMinutes(-15)

Get-EventLog -LogName Security -InstanceId 4624,4625 -ComputerName 'SomeComputer.Contoso.com' -After $NOW

Now we have a smaller pile.  But let’s say we needed to know when Mr.Smith was accessing this particular server, and we’d like a notification, please…

$NOW = (Get-Date).AddMinutes(-15)

Get-EventLog -LogName Security -InstanceId 4624,4625 -ComputerName 'SomeComputer.Contoso.com' -After $NOW -Message "*Mr.Smith*"

I can store this away in a variable in Windows PowerShell and use a simple Boolean check:

$NOW = (Get-Date).AddMinutes(-15)

# Instance ID is the numerical event ID in the log.  4624 is a successful logon, 4625 is a failed logon

$Results = (Get-EventLog -LogName Security -InstanceId 4624,4625 -ComputerName 'SomeComputer.Contoso.com' -After $NOW -Message "*Mr.Smith*")

# Hopefully the rest of this makes sense

$SMTPSERVER = 'MyEmailServer.Contoso.com'

$Notify = 'The Person In Charge <Me@contoso.com>'

$Subject = 'Warning Will Robinson - Intruder'

$Body = 'Somebody is Poking at the Server Again'

$From = 'Your Friendly Neighbourhood Spiderman <securitymonitor@contoso.com>'

# $Results is empty (false) when nothing matched, so only send mail when there is something to report
if ($Results) { Send-MailMessage -From $From -To $Notify -Subject $Subject -Body $Body -SmtpServer $SMTPSERVER }

This is of course something you would have to schedule with appropriate rights in the Task Scheduler (I think Local System should have the rights, but if not, a local Administrator account).

Now here’s where things get easier.  If the server in question was running Server 2008 or Server 2008 R2 you could just go into the Event Viewer and schedule a task to run when certain events are triggered.


Follow the simple step-by-step wizard and you can actually have the server NOTIFY YOU by email directly if certain event IDs (such as a successful logon) have occurred (IE: via Radmin).  To get VERY specific you’ll have to go into the properties of that newly scheduled task and edit the XML query directly (IE: notify me if Mr.Smith logged in and is poking about with my server via Radmin).
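The same filter the task wizard stores as an XML query can be run from PowerShell, which also tightens the earlier script: matching the TargetUserName field exactly instead of wildcarding “*Mr.Smith*” over the whole message avoids false hits on names like “Mr.Smithson”, and the structured fields give you the logon type and source address for the mail body.  This is an added example, not code from the original post; it assumes a Server 2008 or later target (Get-WinEvent and structured event XML), and the computer, account and mail addresses are placeholders.

```powershell
# Added example (not from the original post). Assumes Server 2008+ and placeholder names.
function Get-WatchedLogons {
    param(
        [string]$ComputerName = 'SomeComputer.Contoso.com',
        [string]$Account      = 'Mr.Smith',
        [int]$Minutes         = 15
    )
    # Event Viewer stores its XML filters in this shape; timediff() is in milliseconds.
    # TargetUserName is the account that logged on (4624) or tried to (4625).
    $ms = $Minutes * 60 * 1000
    $query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4625) and TimeCreated[timediff(@SystemTime) &lt;= $ms]]]
      and *[EventData[Data[@Name='TargetUserName']='$Account']]
    </Select>
  </Query>
</QueryList>
"@
    # Get-WinEvent reports "no events found" as an error; treat that as an empty result.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterXml $query -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML instead of parsing message text.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            EventId     = $e.Id            # 4624 success, 4625 failure
            Account     = $d['TargetUserName']
            LogonType   = $d['LogonType']  # e.g. 2 interactive, 3 network, 10 remote interactive
            SourceIp    = $d['IpAddress']
            Workstation = $d['WorkstationName']
        }
    }
}

# Scheduled-task body: mail only when the watched account shows up in the window.
$hits = @(Get-WatchedLogons)
if ($hits.Count -gt 0) {
    $body = $hits | Format-Table Time, EventId, Account, LogonType, SourceIp, Workstation -AutoSize | Out-String
    Send-MailMessage -From 'securitymonitor@contoso.com' -To 'Me@contoso.com' `
        -Subject 'Logon activity for Mr.Smith on SomeComputer' -Body $body `
        -SmtpServer 'MyEmailServer.Contoso.com'
}
```

The `<Select>` block is exactly what you can paste into the XML tab of the scheduled task’s event trigger if you prefer the wizard route over a timed script.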

Radmin is just one of many applications out there.  What is good to know is that a) most applications register something in the event logs (or can), and b) with the free resources at your hand YOU CAN monitor those logs and generate email notifications to yourself.

If you have Radmin in use, I highly recommend monitoring its use, not just for auditing purposes, but because it IS an often unwatched key to the house.  Being aware of its use is a boon to security that’s often forgotten.

Sean
The Energized Tech
