
DC Agent I - Logon Type 10

DCAgent

1 reply to this topic

#1 Christian Wallner

  • Members
  • 7 posts
  • Location: Vienna, Austria

Posted 02 January 2013 - 03:50 AM

Hello all,

After having some fun with the DC Agent, I'd like to request two "features" (aside from the already known issue of terminal services clients). Here's the first one; there's going to be another post for the second one:

I'd like to request that the DC Agent isn't using Logon Type 10 in event 4624 anymore. Here's why:

If you're connecting from a client with RDP to a DC on which a DC Agent is installed, the DC Agent reports to the firewall that the connected (admin) user is logged on the client IP. Here's an example:

Client IP: 10.0.0.181 (User Andrew)
DC IP: 10.0.0.10 (User Admin)

Andrew is logged on to the client. From there he's establishing an RDP session to the DC, using the user Admin. Due to the logon, event 4624 is created on the DC - which is being used by the DC Agent.

Logon Type: 10
New Logon:
Security ID: TEST\admin
Account Name: admin
Account Domain: TEST

Network Information:
Workstation Name: DC001
Source Network Address: 10.0.0.181


Because of this event, the DC Agent is reporting to the firewall that user Admin is logged on to the IP 10.0.0.181 - which is simply wrong, as Andrew is still logged on to the client. By ignoring logon type 10 (which indicates RDP sessions) this problem should be solved.

Thanks / Best regards,
Christian.
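
The misattribution described in the post above, as an added example that is not part of the original post and is not the DC Agent's own code: a minimal user-to-IP mapper over 4624 message text in the excerpt's layout, run with and without ignoring Logon Type 10. The function names and the first sample event (a Logon Type 3 entry for Andrew from a workstation named CLIENT181) are constructed assumptions.

```python
import re

# Constructed sample events in the field layout of the excerpt in the post.
# Event 1 (Logon Type 3 for andrew, workstation CLIENT181) is an assumption;
# event 2 repeats the RDP logon quoted in the post.
SAMPLE_EVENTS = [
    r"""Logon Type: 3
New Logon:
Security ID: TEST\andrew
Account Name: andrew
Account Domain: TEST
Network Information:
Workstation Name: CLIENT181
Source Network Address: 10.0.0.181""",
    r"""Logon Type: 10
New Logon:
Security ID: TEST\admin
Account Name: admin
Account Domain: TEST
Network Information:
Workstation Name: DC001
Source Network Address: 10.0.0.181""",
]

REMOTE_INTERACTIVE = 10  # Logon Type 10: RDP / Terminal Services
FIELD = re.compile(r"^[ \t]*([^:\n]+):[ \t]*(.*)$", re.MULTILINE)

def parse_4624(text):
    """Extract logon type, domain-qualified user and source IP from 4624 text."""
    f = {k.strip(): v.strip() for k, v in FIELD.findall(text)}
    return {
        "logon_type": int(f["Logon Type"]),
        "user": f["Account Domain"] + "\\" + f["Account Name"],
        "source_ip": f["Source Network Address"],
    }

def build_ip_user_map(events, ignored_logon_types=()):
    """Hypothetical agent logic: the latest accepted logon wins for each IP."""
    mapping = {}
    for ev in map(parse_4624, events):
        if ev["logon_type"] in ignored_logon_types:
            continue  # e.g. RDP: the source IP is only where the session came from
        if ev["source_ip"] in ("", "-", "127.0.0.1", "::1"):
            continue  # no usable client address
        mapping[ev["source_ip"]] = ev["user"]
    return mapping

if __name__ == "__main__":
    print("all types:   ", build_ip_user_map(SAMPLE_EVENTS))
    print("skip type 10:", build_ip_user_map(SAMPLE_EVENTS, {REMOTE_INTERACTIVE}))
```

With every logon type accepted, the firewall-facing map assigns 10.0.0.181 to TEST\admin; with type 10 ignored it stays with TEST\andrew.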

#2 Cain Random

  • Barracuda Team Members
  • 248 posts

Posted 29 April 2013 - 09:40 AM

Thanks, Christian. We'll look into it.


