How can I get the IP address of a remote desktop client? And how can I trigger a shell command upon RDP connect?
Solution 1:
From a command prompt you can run the following command to get a list of the remote IPs that are connected to RDP (port 3389).
netstat -n | find ":3389" | find "ESTABLISHED"
I'm certain this can be scripted in powershell (or even just a plain old batch file). I can provide an example tomorrow if you're interested.
Solution 2:
Alright I figured out that the task scheduler application that comes with windows is configurable to where I can run a batch script, triggered when an event in the event log is generated. Via the UI you choose the event type, event source and event ID, in which case I used 4264 (and yes is captures all logon types). Here I used a simple batch script instead:
SET logfile="rdp_ip_logs.log"
date /T>>%logfile%
time /T>>%logfile%
netstat -n | find ":3389" | find "ESTABLISHED">>%logfile%
Also I found a this super-useful example on how to subscribe/listen to event writes in .NET: http://msdn.microsoft.com/en-us/library/bb552514(v=vs.90).aspx I'm gonna end up using that instead to to write certain events to to a database for web-based examination.
The only drawback of this solution is that if you have Remote Desktop Services enabled and multiple people are connected, you cannot differentiate between them in the netstat output.
Solution 3:
If you don't need to script it, you can look in the Security event log for event ID 4624. There will be a line:
Source Network Address: 192.168.xxx.xxx
Solution 4:
All this information is available in Windows Server 2016 and 2019:
You can view who logged in remotely, the session ID they have been given and from which IP address by going to:
Event Viewer Applications and Services Logs Microsoft Windows TerminalServices-RemoteConnectionManager Operational Event ID 1149 (To view which account was used at the NLA connection level)
AND
TerminalServices-LocalSessionManager Operational Event ID 21 (To view which account was used for the RDP log in)
Note you might need to enable "Audit account logon events: success and failure" in the local security group policy for these events to be logged.
You can go further by identifying from exactly where in the world the log in came from:
Download the currports utility and associated Geolite2 csv files from https://www.nirsoft.net/utils/cports.html It's portable so there's nothing to install and all the info to do this is on that site. Just apply a filter to only show RDP traffic (include:local:tcp:3389)
After some customizing of columns you can see absolutely everything about all the connections to your RDS server.
Ben