Our new tool, the RDPSoft RDS Log Viewer, tracks and correlates each remote desktop services logon failure and successful logon.
In an earlier post about how to track a remote desktop services logon failure, I documented just how difficult it was to determine the user account of a logon failure and then correlate it with the source IP of the attacker. Moreover, there are subtle differences in how this RDP logon failure correlation is done between Windows Server 2012 and Windows Server 2016.
I’m very pleased today to announce a beta version of my latest free tool, the RDPSoft RDS Log Viewer. The RDS Log Viewer does the heavy lifting for you – regardless of what your RDP Security Layer is set to. It displays the traditional “security log only” RDS logon failures when the Security Layer is set to RDP, but more importantly, it automatically correlates logon failures when the Security Layer is TLS/SSL with Network Level Authentication (NLA). In the beta, it also shows you all successful RDS authentications. To accomplish this, its correlation engine grabs events from a small handful of event logs on the target session host.
Additional initial features include the ability to export the results to comma-delimited text and to geolocate the IP address of the attacker.
As I mentioned, this is just the first release of this tool. We will be expanding the capabilities of the RDS Log Viewer to bring in many more types of data, whether recorded on session hosts, RD gateways, or connection brokers. We will also be building some of this technology into our full commercial tool, the Remote Desktop Commander Suite, and we will eventually integrate it into the Remote Desktop Commander Lite free tool as well.
The best part? You can download it for free today here. Just like the RDSConfig tool for adjusting RDP permissions, and the Remote Desktop Commander Lite utility for session management, it’s another community contribution as part of my Microsoft MVP award. Please send me your feedback here.