Rexxer

Some tips for me and other

Events + Scheduler + Email when someone is connected via RDP

20/03/2015 admin News, Windows

Just edit and import XML-file into Task Scheduler.

There is XML:

<?xml version=”1.0″ encoding=”UTF-16″?>
<Task version=”1.2″ xmlns=”http://schemas.microsoft.com/windows/2004/02/mit/task”>
<RegistrationInfo>
<Date>2013-07-26T06:55:11.4860707</Date>
<Author>Me</Author>
<Description>Sends emails when server is accessed via RDP (Flag 10 – Remote connect).</Description>
</RegistrationInfo>
<Triggers>
<EventTrigger>
<Enabled>true</Enabled>
<Subscription>&lt;QueryList&gt;&lt;Query Id=”0″ Path=”Security”&gt;&lt;Select Path=”Security”&gt;*[System[(EventID=4624)]] and *[EventData[Data[@Name=’LogonType’] and (Data=10)]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
<ValueQueries>
<Value name=”IpAddress”>Event/EventData/Data[@Name=”IpAddress”]</Value>
<Value name=”TargetUserName”>Event/EventData/Data[@Name=”TargetUserName”]</Value>
<Value name=”WorkstationName”>Event/EventData/Data[@Name=”WorkstationName”]</Value>
<Value name=”eventRecordID”>Event/System/EventRecordID</Value>
</ValueQueries>
</EventTrigger>
</Triggers>
<Principals>
<Principal id=”Author”>
<UserId>Administrator</UserId>
<LogonType>Password</LogonType>
<RunLevel>HighestAvailable</RunLevel>
</Principal>
</Principals>
<Settings>
<IdleSettings>
<Duration>PT10M</Duration>
<WaitTimeout>PT1H</WaitTimeout>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>P3D</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context=”Author”>
<SendEmail>
<Server>192.168.0.1</Server>
<Subject>[Logon Notice] $(WorkstationName) has been accessed via RDP</Subject>
<To>admin@firm.com</To>
<From>server@firm.com</From>
<Body>RDP Login Successful
EventID: $(eventRecordID)
System: $(WorkstationName)
From: $(IpAddress)
By: $(TargetUserName)</Body>
<HeaderFields />
</SendEmail>
</Actions>
</Task>

P.S.: mail server can be like: 192.168.0.1:28

Comments are currently closed.

Recent Posts

Categories

Meta

Rexxer

Designed by Ugesi. Powered by WordPress.