Logging server log on/off only (not domain)

 
 
Barkley Bees
Guest
Posts: n/a

 
      10-26-2009
We want to log all local and remote desktop log on/off events (successes &
failures) of our servers for auditing purposes. We do not, however, wish to
log domain authentication or file/folder accesses at this time.

With the above in mind, I had initially thought we could enable "Audit
Logon events" on each server via group policy. After having done some poking
around however, it appears that this setting will also log any access to
resources of a server with this enabled (not just logon/off). Can anyone
suggest a practical way to implement this? Is it possible via the standard
local policies or is a 3rd party tool required? Appreciate any
feedback/advice. Thanks.


 
 
 
 
 
Pegasus [MVP]
Guest
Posts: n/a

 
      10-26-2009




You probably have to invoke your own logon/logoff script via the local
policy. The logon script could look like this:
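@echo off
rem Log local accounts only: for a local account %UserDomain% equals %ComputerName%.
if /i not "%UserDomain%"=="%ComputerName%" goto :eof
rem A console session is a local logon; anything else is a Terminal Services session.
if /i "%SessionName%"=="Console" (set Session=Local) else (set Session=TS)
echo %date% %time:~0,5% %UserName% Session type=%Session% Event=logon >> d:\Logs\Serverlogs.log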

The logoff script would be much the same.


 
 
Al Dunbar
Guest
Posts: n/a

 
      10-26-2009



While a useful technique (that I have also used), I have made it clear to
management that this is not really an auditing tool. The users all have
read/write access to the log file, and could modify it to meet their needs,
whether to hide their own tracks or to point the finger of blame at someone
else.

/Al


 
 
Barkley Bees
Guest
Posts: n/a

 
      10-27-2009



Thanks Pegasus, but I'm afraid I must agree with Al in that I don't think it
would pass for our auditing needs (need to run it by management though). Are
you using this type of script yourself?
Has anyone implemented any auditing technique for logging administrator log
on/off's for servers? If so, how did you do it?


 
 
Al Dunbar
Guest
Posts: n/a

 
      10-27-2009



I forgot to mention that there are ways of preventing the running of a logon
script. What you need is something bulletproof, and I've never met a logon
script that could qualify...

/Al


 
 
Richard Mueller [MVP]
Guest
Posts: n/a

 
      10-27-2009




I've used logon and logoff scripts to track usage for many years. A few times
management wanted to use the resulting logs to discipline employees, but I
always cautioned that all users had to have read/write access to the logs,
so they should not be used for this purpose.

The situation is even worse for administrators. An administrator can do
anything, so they can defeat any audit scheme. You should give a limited
number of trusted people administrator privileges. You can and should still
log and audit, but recognize the limitations.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
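
An alternative to a script-written file, added here as an example and not posted by anyone in the thread: leave "Audit Logon events" enabled and filter the Security log at report time by logon type, keeping interactive (2) and Remote Desktop (10) logons and dropping network logons (3). It assumes Windows Server 2008 or later event IDs (4624, 4625, 4634), PowerShell 3.0 or later, and an elevated session.

```powershell
# Added example, not from the thread. Assumes "Audit Logon events" is enabled
# for success and failure and that the session can read the Security log.
$kinds = @{ 4624 = 'Logon'; 4625 = 'FailedLogon'; 4634 = 'Logoff' }

# LogonType 2 = interactive (console), 10 = RemoteInteractive (Remote Desktop).
# Type 3 (network access to shares and other resources) is deliberately excluded.
$xpath = "*[System[(EventID=4624 or EventID=4625 or EventID=4634)]] and " +
         "*[EventData[Data[@Name='LogonType']='2' or Data[@Name='LogonType']='10']]"

Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 500 |
    ForEach-Object {
        # Flatten the named <Data> elements of the event into a hashtable.
        $data = @{}
        foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Event   = $kinds[[int]$_.Id]
            # Same Local/TS labels as the logon script earlier in the thread.
            Session = if ($data.LogonType -eq '10') { 'TS' } else { 'Local' }
            User    = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
            Source  = $data.IpAddress        # empty for logoff events
            LogonId = $data.TargetLogonId    # pairs a logon with its logoff
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

Ordinary users cannot write to the Security log, but administrators can still clear it, so forwarding these events to a separate collector is what limits that exposure.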


 
 
Al Dunbar
Guest
Posts: n/a

 
      10-27-2009


"Richard Mueller [MVP]" <rlmueller-> wrote in
message news:#...
>
> I've used logon and logoff scripts to track usage for many years. A few
> times management wanted to use the resulting logs to discipline employees,
> but I always cautioned that all users had to have read/write access to the
> logs, so they should not be used for this purpose.


Ditto. In addition to pointing out the questionable validity of the data, I
also question the validity of using the technology to spy on employees.

/Al

> The situation is even worse for administrators. An administrator can do
> anything, so they can defeat any audit scheme. You should give a limited
> number of trusted people administrator privileges. You can and should
> still log and audit, but recognize the limitations.




 
 
Hank Arnold
Guest
Posts: n/a

 
      10-30-2009
"The users all have read/write access to the log file, and could modify
it to meet their needs, whether to hide their own tracks or to point the
finger of blame at someone else."

Pardon me???? Is this true? Why on earth would you allow this kind of
access? Or am I missing something?

--

Regards,
Hank Arnold
Microsoft MVP
Windows Server - Directory Services
http://mypcassistant.blogspot.com/


 
 
Hank Arnold
Guest
Posts: n/a

 
      10-30-2009
>


Never mind. From subsequent postings, it seems to be the default.

--

Regards,
Hank Arnold
Microsoft MVP
Windows Server - Directory Services
http://mypcassistant.blogspot.com/
 
 
Al Dunbar
Guest
Posts: n/a

 
      10-31-2009

"Hank Arnold" <> wrote in message
news:...
> "The users all have read/write access to the log file, and could modify it
> to meet their needs, whether to hide their own tracks or to point the
> finger of blame at someone else."
>
> Pardon me???? Is this true? Why on earth would you allow this kind of
> access? Or am I missing something?


I *allow* this kind of access, because, in order to append to a file, the
users need write access. But this is perfectly OK in our environment because
we use this to track logon activities for purposes other than security
auditing, i.e.:

- to track workstations. If we know who logged on when, that gives us an
idea where it might be located. If we actually need to find it, we do not
assume it to be found until we actually see it somewhere, so we are not
basing our inventory reconciliation on the information in the log file.

- to help identify idle or abandoned accounts. We don't assume they are
abandoned if their most recent record is a long time ago - we just know
which managers to approach for confirmation that people have left.

The data is very reliable, however this would change if it were known that
this facility was being used to track employees in some manner, a thing we
religiously refuse to do.

We have also implemented a scheduled task that collects the logs and moves
them into a folder the users cannot access every hour or so. Again not 100%
foolproof, but better than leaving the historical logs wide open.

/Al





 