Terminal Server Logging on Workstations Is Important Too (Part 2)

In our previous post, Terminal Server Logging on Workstations Is Important Too, we discussed why the monitoring of Remote Desktop Sessions on workstations should not be neglected.  Now, let’s take a look at some of the reports built into Remote Desktop Reporter that can track that sort of activity.

The Terminal Server User Sessions Hourly Activity Report (click to view sample) is a wonderful way to track the hours of the day when a user is active in a particular Remote Desktop session on a particular workstation.  Paired with a filter that restricts the report data to a particular user, and a particular hour range in the day (e.g. normal business hours versus after hours, for instance), it’s easy to spot activity that is out of the ordinary.

Next, The Terminal Server Performance User Bandwidth Report (click again to view sample) provides you with RDP traffic statistics by user and server for each user session.  Both the total bytes transferred and the average number of bytes/sec over the Remote Desktop Protocol are displayed, so it is easy to pinpoint users who are consuming the most bandwidth in their sessions, and/or highlight a particular user session that used a much greater amount of bandwidth then most.

Finally, The Terminal Server Client Workstations and Addresses Report (click to view sample) displays all of the remote workstation names and IP addresses each Remote Desktop User is associated with.  Utilizing this report, you can quickly find out if your users are using non-corporate issued devices, or connecting from a previously unrecognized IP address.


Terminal Server Logging on Workstations Is Important Too

The traditional use case for reporting on Remote Desktop activity is to track the multitude of user sessions running simultaneously on a dedicated Terminal Server.  However, monitoring and tracking Remote Desktop activity on a workstation in many ways is just as important.

In the modern workplace, more and more companies allow their employees and contractors to access their work computers from home and other locations.  While there are numerous commercial solutions designed to allow employees to “take their desktop anywhere” – (Citrix’s XenDesktop immediately comes to mind) – not every organization has the extra budget to purchase additional software, so they instead rely on Microsoft’s built-in implementation of Remote Desktop on Windows workstations, paired up with a Firewall/VPN combo already protecting the corporate network.

In a typical setup, Worker X may need to work remotely for whatever reason (travel, flex time policies, etc), so they first connect into the corporate network using the a VPN connection across the firewall, and then fire up a Remote Desktop Client on their laptop or tablet to connect to their corporate workstation.

From here, an organization is very much in the dark unless they use a Terminal Services Logging and Reporting utility such as our Remote Desktop Reporter.  For instance…

1.)  What client device is Worker X using to connect to her corporate workstation?  Is it the company approved laptop with approved endpoint security solutions and encryption in place, or is it a personal laptop or tablet that happens to have an aftermarket RDP client installed…  Do you have any way of knowing?

2.)  How much bandwidth is Worker X using during the Remote Desktop session?  Is she streaming video across limited bandwidth over the firewall, using the highest quality color depth possible?  Is she transferring large files to or from her machine?  Does this jive with the network’s AUP (Acceptable Use Policy)?

3.)  Are these remote work sessions fruitful for Worker X?  Does the company have any way to audit or estimate the amount of time Worker X is actively working inside her session?  More importantly, is it fair to force high performing employees to work in the office when they could be more productive working from home, solely because your organization doesn’t have a way to audit their level of productivity?

4.)  Conversely, do you have employees who typically work 9-5 now suddenly accessing their systems outside of normal working hours (say between 12am and 3am at night)?  Are these sessions coupled with larger than normal amounts of data transfer over the RDP protocol?  Do you have an employee transferring sensitive data outside your network?

The above scenarios are just a few of the reasons why collecting and reporting on Remote Desktop session data from workstations is so vitally important.  In our next blog post, we’ll discuss a few of the reports found in Remote Desktop Reporter that can track the activity mentioned above.