We use Windows 2000 Server Terminal Services extensively for remote server administration and remote desktop access. How can we track Terminal Services logons in the Security log and distinguish them from interactive logons that users perform at a computer's physical console?
Terminal Services and interactive logon events look alike. However, you can use process tracking to differentiate Terminal Services logons.
Whenever someone logs on to a Win2K computer—whether at the console or through Terminal Services—Win2K logs event ID 528 to the Security log and specifies Logon Type 2 in the event's details. Logon Type 2 refers to an interactive logon, which, before the release of Terminal Services, simply meant an interactive local logon as opposed to a connection to a resource (e.g., a shared folder) over the network. (Microsoft IIS servers also log an interactive logon when someone uses Basic authentication to connect to IIS.) However, if you enable Audit process tracking on the computer that's running Terminal Services, Win2K will log each program executed on that computer.
When a user logs on at the console of a computer that's running Terminal Services, Win2K first logs event ID 528. Next, the OS logs event ID 592 to show that the SYSTEM account executed Userinit. Then, Win2K logs another event ID 592, showing that the OS started Windows Explorer under the account of the user who just logged on. (If you've enabled Audit privilege use or Audit object access, you'll also see some unrelated events interspersed among those I've described.)
When a user logs on through Terminal Services, Win2K logs another event between event ID 528 and the first occurrence of event ID 592 for Userinit. Before Win2K executes Userinit, it starts the Rdpclip program. (Rdpclip lets users copy files between their Terminal Services session and their actual desktop.) After you enable Audit process tracking, Win2K logs the execution of Rdpclip with event ID 592, as Figure 1 shows. Thus, on Win2K you can distinguish console logons from Terminal Services logons by finding event ID 528 with Logon Type 2, then looking for the subsequent event ID 592. If the first event ID 592 that appears after event ID 528 documents Rdpclip as the program the OS opened, you're looking at a Terminal Services logon. If the program started is Userinit, you have a console logon.
In Windows Server 2003 and Windows XP, Microsoft added a new logon type specifically for Terminal Services logons. When users log on through Terminal Services, event ID 528 shows Logon Type 10 instead of Logon Type 2. You can identify Terminal Services logons that failed because of a bad username or password by looking for event ID 529 with Logon Type 10
