Security

Receive alerts when user connects or disconnects from RDP

Receive alerts when user connects or disconnects from RDP

If you administer a forward facing terminal server or even if you have an RDP connection setup on your home Internet connection for quick access to your home network, then it serves as extra piece of mind to have a means to receive alertsย when aย userย connects orย disconnects from that RDP connection. ย Using a combination of Scheduled tasks, powershell, and batch files, we can effectively enable alerting via email/text alert when users either Login/connect or Logoff/disconnect from an RDP session.

Script files

The key to being able to effectively log user activity are the script files. ย Let’s start with the powershell side of things. ย First we have a powershell script that essentially gets the user that is connected via port 3389.

get_loggeduser.ps1ย contents

echo $env:username
netstat -an | select-string ":3389" | select-string "ESTABLISHED"

This powershell snippet echos the user name that is connected to the common RDP port 3389. ย If you are using a different port for RDP, of course you would alter the command for that specific port.

In order to send that information to email or text, we use another powershell script to accomplish that:

sendmail_login.ps1 contents

$SMTPServer = “smtp.gmail.com”
$SMTPPort = “587”
$Username = “[email protected]
$Password = “yourstrongpassword”

$to = “[email protected]
$cc = “[email protected]
$cc2 = “somenumber@@txt.att.net”
$subject = “Someone connected via RDP”
$body = “Attached are the user details”
$attachment = “C:yourdirectorylogin.txt”

$message = New-Object System.Net.Mail.MailMessage
$message.subject = $subject
$message.body = $body
$message.to.add($to)
$message.from = $username
$message.attachments.add($attachment)

$smtp = New-Object System.Net.Mail.SmtpClient($SMTPServer, $SMTPPort);
$smtp.EnableSSL = $true
$smtp.Credentials = New-Object System.Net.NetworkCredential($Username, $Password);

$smtp.send($message)
write-host “Mail Sent”

The code above will send an email using a valid gmail account for SMTP connectivity. ย You can send to recipients email or text by using the email to text addresses from either ATT or Verizon.

Now we need a batch file to tie everything together in our scheduled task events:

login.batย contents

@echo off
C:WindowsSystem32WindowsPowerShellv1.0powershell.exe -command .get_loggeduser.ps1" > c:somedirectorylogin.txt
C:WindowsSystem32WindowsPowerShellv1.0powershell.exe -command .sendmail_login.ps1"

Above we use the get_loggeduser.ps1 file to echo into a text file which gets attached to our email in the script above asย login.txt. ย This will contain the user name that logged in as well as the remote IP address the user is connected from.

Scheduled Task

Now that we have the hard part of getting the files in place that we need, we simply need to create some scheduled tasks that fire an action when an event is logged for users logging in or reconnecting a session.

alert_connect1
alert_connect2
alert_connect5

 

In the screenshots above, we have setup a scheduled task that begins the task “on an event” and we are going to watch theย Logย located atย Microsoft-Windows-TerminalServices-LocalSessionManager/Operational and look for Event ID: 21 andย 25. ย Theย Actions tab contains the location of ourย login.bat file we have the contents of above. ย Here it is located under c:windowsoptions.

Event IDs 21 and 25 are for login/reconnect and event IDsย 23ย andย 24 are for logoff/disconnect. ย You can use those to trigger off actions appropriately.

Putting it all together

So in thinking about what we have accomplished here to put it all together and logically see the chain of events. ย When a user logs in/reconnects the scheduled task will call theย login.batย file which runs theย get_loggeduser.ps1 file and theย sendmail_login.ps1 file which contains an attachment of the user information (user name and remote IP address) to recipients that are designated.

Shortly after a user logs in or reconnects, you should see an email pop in or text message come to the destinations of your choosing.

Final Thoughts

This is a relatively crude way to achieve good alerting when and if users connect to a terminal server via RDP. ย The scripts can probably be engineered better and I may follow up the post with some streamlined coding and conditional statements to handle certain events a little better. ย However, in a pinch, this solution has worked for me setting up alerting for myself and others on terminal servers.

Subscribe to VirtualizationHowto via Email ๐Ÿ””

Enter your email address to subscribe to this blog and receive notifications of new posts by email.



Brandon Lee

Brandon Lee is the Senior Writer, Engineer and owner at Virtualizationhowto.com, and a 7-time VMware vExpert, with over two decades of experience in Information Technology. Having worked for numerous Fortune 500 companies as well as in various industries, He has extensive experience in various IT segments and is a strong advocate for open source technologies. Brandon holds many industry certifications, loves the outdoors and spending time with family. Also, he goes through the effort of testing and troubleshooting issues, so you don't have to.

Related Articles

2 Comments

  1. Hey, I tried this but it didnt work. I’m using Windows 11, and places the script and other files in a folder in my Desktop, does that make a difference?

    1. Naeem,

      Thanks for your comment. I need to go back through and update the post for some troubleshooting tips. However, make sure you populate the โ€œStart inโ€ folder which is the folder you have the batch file housed in. Also, make sure you have the scheduled task set to run as administrator and when not logged in. Let me know if this helps.

      Brandon

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.