Howto: Log Connections to Specific Ports and Processes on Windows Machines


A client asked me for a report that showed who connected to his server on port 3389 via RDP, Microsoft’s Remote Desktop Protocol . Apparently some of his techs had been connecting to his servers through the Microsoft Remote Desktop Connection (RDC) to perform maintenance, and he wanted to know when they connected to the server and where they connected from.

I figured I could enable RDC logging through a registry hack, but couldn’t find a documented solution anywhere. Finally I found a few tools available from Microsoft that I could use to do the job.

The first tool I used was the Microsoft Port Reporter utility. This program installs as a service on Windows XP and Server 2003. It does generate a large amount of log files, so make sure to configure the log file location on a drive with plenty of free disk space per KB 837243, which has detailed installation and usage instructions.

The Port Reporter service is initially set to manual startup, so you’ll have to start it yourself in services.msc. Once the service is running, three detailed log files are created. These files can generate an overwhelming amount of information, so to help you decipher all the data Microsoft released the Port Reporter Parser Tool.

The Port Reporter Parser Tool turns the log file data into a sortable spreadsheet. You can sort and filter the sheet based upon factors such as date, time, local and remote IP and port, Process ID, account name, etc. See KB 884289 for specifics on analyzing logs and tracking suspicious data. You can do so many things with Port Reporter that Microsoft even created a support webcast for the utility. See KB 840832 for more information.

Once I had my Port Reporter log file loaded into Port Reporter Parser, I filtered my data to show only rows where the connection to the local port was made on TCP port 3389. Port Reporter Parser made me a nice report showing all data regarding RDP connections to the server.

My only complaint with Port Reporter Parser is I couldn’t save my filtered queries or export them to a .csv or similar format.

Microsoft also has some related tools to Port Reporter -PortQry and PortQuery UI. See KB 832919 for instructions on using PortQry. Other applicable KB articles include:

KB 310456 – How to Use Portqry to Troubleshoot Active Directory Connectivity Issues

KB 310298 – How to Use Portqry.exe to Troubleshoot Microsoft Exchange Server Connectivity Issues

KB 325494 – Support WebCast: Port Scanning Using PortQry

KB 890381 – TechNet Support WebCast: TCP/IP port and process auditing

Follow

Get every new post delivered to your Inbox.

Join 32 other followers