
Question

I have suspicions that someone other than the people on my team has obtained the credentials to remotely access a Windows 2008 Server. I need to get some evidence before I start pointing fingers or get everyone alerted that someone might be hacking our servers.

Can I get a log of all the computers that have remotely accessed my server (by remote access I mean using the remote desktop features of Windows server). Ideally there should be some information about each computer, at least their public IP address.

Any help would be appreciated.

Explanation / Answer

Once someone has access to your server, it's not your server anymore. This means that the logs, as well as the binaries, could have been tampered with.

There is a security log in Windows which allows you (if configured correctly) to:

There is just a catch here. Any administrator will be able (as mentioned before) to tamper with the logs. If you are unsure it is best to place a sniffer between your server and the network. That way you can monitor all incoming and outgoing connections and determine if the IPs accessing the machine are indeed legitimate.
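As an added example (not part of the original answer), the following PowerShell script pulls exactly the evidence the question asks for from the Security log: successful RDP logons with the connecting client's IP address, plus any "audit log cleared" events, which support the answer's warning that an administrator can wipe the trail. It assumes Windows Server 2008/2008 R2 with PowerShell 2.0 or later, that success auditing for logon events is enabled (otherwise no 4624 records exist), and that it is run from an elevated prompt on the server.

```powershell
# Added example, not from the original answer. Assumes Windows Server 2008/2008 R2,
# PowerShell 2.0+, logon success auditing enabled, and an elevated prompt.

$since = (Get-Date).AddDays(-30)   # look back 30 days; adjust as needed

# Event 4624 = successful logon. LogonType 10 = RemoteInteractive, i.e. RDP /
# Terminal Services. The EventData fields are read from the event's XML body.
$rdpLogons = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        if ($d['LogonType'] -eq '10') {
            New-Object PSObject -Property @{
                Time        = $_.TimeCreated
                User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                SourceIP    = $d['IpAddress']        # client address as seen by the server
                Workstation = $d['WorkstationName']  # supplied by the client, so not trustworthy on its own
            }
        }
    }

# Summarise by (source address, account): pairs that nobody on the team recognises
# are the ones to investigate, and First/Last bound the window of activity.
$rdpLogons | Group-Object SourceIP, User |
    Select-Object Count, Name,
        @{n='First'; e={($_.Group | Sort-Object Time)[0].Time}},
        @{n='Last';  e={($_.Group | Sort-Object Time)[-1].Time}} |
    Sort-Object Count -Descending | Format-Table -AutoSize

# Event 1102 = "The audit log was cleared". Any hit means the period before it is
# unknown rather than clean, which is why the answer recommends an out-of-band sniffer.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=1102; StartTime=$since} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{n='ClearedBy'; e={([xml]$_.ToXml()).Event.UserData.LogFileCleared.SubjectUserName}} |
    Format-Table -AutoSize
```

If the first query returns nothing at all, check the audit policy before concluding there were no logons: with logon auditing off, the log simply never records them.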