Enhance terminal server security and auditing with EventLog Analyzer: A comprehensive guide
A terminal server allows users to access resources, files, and applications residing on a host in a secured network from their own devices, including laptops, desktops, and even mobile devices.
Monitoring terminal servers is essential to troubleshoot access issues, prevent unauthorized access, and track and neutralize security threats in their early stages. ManageEngine EventLog Analyzer, a log management solution, effectively monitors terminal servers for performance, health, and security.
This tutorial will help navigate the capabilities of EventLog Analyzer in auditing and monitoring terminal servers.
Ensure logging has been enabled and the terminal server has been added for auditing in the EventLog Analyzer console.
Auditing terminal servers using EventLog Analyzer: Use cases
EventLog Analyzer covers the below terminal server auditing use cases with its security auditing reports and alerts. These reports are predefined and can be scheduled to be generated at specific times and distributed over email.
| Use Case | Description | Why implement? | Available Reports |
|---|---|---|---|
| Remote access monitoring | Track user connections, including IP addresses, connection duration, and disconnections. | Detect unauthorized remote access attempts or potential insider threats, and identify suspicious connection patterns. |
Reports:
|
| Monitoring resource accesses via terminal server connections | Get detailed insights into users' successful connections to specific resources via terminal servers. | Understand the trend of resource accesses via terminal servers. |
Reports:
Note: To get insights into users accessing a specific resource, check the Top Resources Accessed report. |
| Session duration monitoring | Get details into the connection duration and activities performed during each session initiated via the terminal server. | Understand user accesses and activities, and spot suspicious activities, if any. |
Report:
Note: Additionally, get insights into the most-performed activities during the session connection using the Top Activities based on states report. |
| Monitor terminal server gateway communications | Get detailed insights into the communication activities and traffic patterns associated with terminal server gateway services within an organization's network. | Greatly enhance security, ensure regulatory compliance, and boost operational efficiency. |
Reports:
|
| Monitor terminal server performance trends | Monitor and audit terminal server activities, such as users connecting to it or resources being used, in the form of trend analytics to detect anomalous activities, if any. | Instantly detect anomalous user access, abnormal resource access, and clients connected. | Check reports and analytical dashboards that give the details of top gateway users, clients, and resources. |
| Terminal server account lockout analysis | Once terminal server user accounts reach a maximum number of failed attempts, the session is forcibly terminated. Monitoring these incidents will allow for greater visibility and security. | This event is an early indicator of possible unauthorized activity or an intrusion attempt. Monitoring this event will help you detect terminal server threats as soon as possible. |
Alert profile:
|
Securing terminal server using EventLog Analyzer: Use cases
Threat detection
The table below lists the threat detection use cases that are covered out of the box for terminal servers by EventLog Analyzer. The solution also offers a custom correlation rule builder for creating detection rules. Please refer to the instructions here to build your own detection rules.
- Brute Force (TA1001.001)
Initial Access
- Exploit Public-Facing Application (T1190)
- Exploitation of Remote Services (T1210)
| Use Case | Event Type | ALERT PROFILES OR CORRELATION RULES | MITRE ATT&CK TECHNIQUE MAPPING |
|---|---|---|---|
| Detecting terminal server attacks | The terminal server has received a significant number of incomplete connections, indicating a possible attack on the system. |
Alert profile:
|
Remote Desktop Protocol (T1021.001) |
| Terminal server account lockout analysis | Once the terminal server user accounts reach a maximum number of failed attempts, the session is forcibly terminated. Monitoring these incidents will allow for greater visibility and security. |
Alert profile:
|
|
| Detecting unauthorized access attempts | Investigating critical security events, such as users failing to authorize a connection through a terminal server, a failed connection to a resource, or a failed resource authorization, will help you detect unauthorized access attempts at earlier stages. |
Alert profile:
|
Credential Access |
Compliance use cases
Auditing user activity is essential not only for terminal servers but also for all devices, applications, and servers within your network. Maintaining compliance goes beyond individual platforms; it involves a comprehensive approach that includes monitoring and managing all devices, applications, and servers across the entire network.
| Compliance requirements: Solution mapping for terminal servers | |||
|---|---|---|---|
| EventLog Analyzer capabilities | Regulatory mandates | Requirements | |
| Summary reports and alerts | Rules | ||
|
|||
|
FISMA |
|
||
|
PCI-DSS |
|
||
|
SOX |
|
||
|
HIPAA |
|
||
|
GLBA |
|
||
|
ISO 27001:2013 |
|
||
|
ISLP |
|
||
|
GDPR |
|
||
|
NRC |
|
||
|
NERC |
|
||
|
PDPA |
|
||
|
NIST CSF |
|
||
|
QCF |
|
||
|
TISAX |
|
||
|
SAMA |
|
||
|
ECC |
|
||
|
PDPL |
|
||
|
UAE-NESA |
|
||
