How to log ip of suspicious terminal server user 2

[warby1212]

Hi,
We have a problem where we suspect unauthorised logins via Terminal Server by an unauthorised user with a valid .rdp. The business owner wants to observe any login from specific ip's but we cannot see where or how we can log the source ip address of users. Is this easily achievable. (We are database people not systems admins so a bit dumb)

We've had a good look around on the net etc but cannot find anything. Any help appreciated.
Cheers Stephen

I should write something here.

 

[NickFerrar]

Are they accessing it via a firewall? If so you should be able to check firewall logs for port 3389 traffic.

 

[tfg13]

NickFerrar is on to something, but don't rule out the possibility of a different listening port. Check this registry setting for the port:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\and port number on the right had side.

 

[warby1212]

Thanks guys,
You've made me look clever. The firewall is logging connections and your info will be useful for other stuff too.
cheers Stephen

I should write something here.