@port139 Blog

This blog mainly covers digital forensics techniques, but there is a high probability that the content contains errors.

RDP and ID 1149 "Remote Desktop Services: User authentication succeeded:"

Note: I translated the Japanese into English using Google Translate.
Thank you, Google.

Summary:

  • Windows 10: ID 1149 is recorded when the Alice account logs on successfully via RDP.
  • Windows 10: If the RestrictedAdmin option is specified, the username and domain fields are blank.
  • Windows 10: If NLA is turned off and you log on with rdesktop, ID 1149 is not recorded.

----------

For which user operations is event ID 1149 recorded? Let's check the records in a Windows 10 environment.

Enable Remote Desktop on Windows 10 (1809), with NLA turned on.

f:id:hideakii:20190323075527p:plain

Start mstsc.exe on Windows Server 2019, specifying the IP address as the connection destination.

f:id:hideakii:20190323080225p:plain

When the Alice account logs on successfully, ID 1149 is recorded in the "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" log.

ID 1149 is not recorded if authentication fails, for example because the user mistyped the password.

f:id:hideakii:20190323080425p:plain

Disconnect the RDP connection and connect again. ID 1149 is recorded.

f:id:hideakii:20190323080752p:plain

Use Remmina as the RDP client. When the logon succeeds, ID 1149 is recorded.

f:id:hideakii:20190323081731p:plain

f:id:hideakii:20190323081746p:plain

Run mstsc with the /restrictedadmin option specified. (I changed the registry settings and enabled RestrictedAdmin mode.)

f:id:hideakii:20190323082350p:plain

When the logon succeeds, ID 1149 is recorded, but the username and domain fields are blank.

f:id:hideakii:20190323083243p:plain

Connecting through port forwarding on the loopback address.

f:id:hideakii:20190323085455p:plain

Another user is already logged on, session arbitration occurs, and "No" is selected. ID 1149 is recorded in this case as well. (When this screen is displayed, the Alice account has already logged on successfully, and ID 4624 is recorded.)

f:id:hideakii:20190323090639p:plain


Next, turn off NLA.

f:id:hideakii:20190323084127p:plain

Use rdesktop as the RDP client. In this case, ID 1149 is not recorded even when the Alice account logs on successfully.

f:id:hideakii:20190323084406p:plain
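The checks a responder would want after the tests above, as an added example (editor's code, not from the original post): list every ID 1149 in the RemoteConnectionManager/Operational log, pair each one with the Security 4624 LogonType 10 (RemoteInteractive) session logon that follows it, and report session logons that had no 1149 in front of them. The user/domain/source fields are the Param1/Param2/Param3 elements that event 1149 stores under UserData; the 120-second pairing window and the "run on the RDP target as an administrator" setup are assumptions made for this example.

```powershell
# Added example (editor's code, not from the original post).
# Run on the RDP target as an administrator (the Security log needs it).
$RcmLog        = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
$WindowSeconds = 120   # assumption: how long after 1149 a 4624 type 10 may follow

# ID 1149 keeps its fields under <UserData><EventXML>:
#   Param1 = user, Param2 = domain, Param3 = source network address.
$Auth = Get-WinEvent -FilterHashtable @{ LogName = $RcmLog; Id = 1149 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        [pscustomobject]@{
            Time   = $_.TimeCreated
            User   = [string]$x.Event.UserData.EventXML.Param1
            Domain = [string]$x.Event.UserData.EventXML.Param2
            Source = [string]$x.Event.UserData.EventXML.Param3
        }
    } | Sort-Object Time

# 4624 uses named <Data> elements under <EventData>; fetch one by name.
function Get-EventDataField {
    param([xml]$Xml, [string]$Name)
    [string](($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text')
}

# LogonType 10 is the RemoteInteractive logon that follows the RDP connection.
$Xp = "*[System[EventID=4624] and EventData[Data[@Name='LogonType']='10']]"
$Logons = Get-WinEvent -LogName Security -FilterXPath $Xp -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = Get-EventDataField $x 'TargetUserName'
            Domain  = Get-EventDataField $x 'TargetDomainName'
            Source  = Get-EventDataField $x 'IpAddress'
            Matched = $false
        }
    } | Sort-Object Time

foreach ($a in $Auth) {
    # Blank user and domain is what the post saw for /restrictedadmin connections,
    # so pair on the source address, which is present either way.
    $note = if ($a.User -eq '' -and $a.Domain -eq '') { ' [blank user/domain: RestrictedAdmin?]' } else { '' }
    $hit = $Logons | Where-Object {
        -not $_.Matched -and $_.Source -eq $a.Source -and $_.Time -ge $a.Time -and
        ($_.Time - $a.Time).TotalSeconds -le $WindowSeconds
    } | Select-Object -First 1
    if ($hit) {
        $hit.Matched = $true
        '{0:u} 1149 {1}\{2} from {3}{4} -> 4624 type 10 {5}\{6} at {7:u}' -f `
            $a.Time, $a.Domain, $a.User, $a.Source, $note, $hit.Domain, $hit.User, $hit.Time
    } else {
        '{0:u} 1149 {1}\{2} from {3}{4} -> no 4624 type 10 within {5}s' -f `
            $a.Time, $a.Domain, $a.User, $a.Source, $note, $WindowSeconds
    }
}

# Session logons with no 1149 in front of them: in the post's Windows 10 tests this is
# what an NLA-off connection (rdesktop) looks like, so 1149 alone cannot be used to
# enumerate RDP logons.
$Logons | Where-Object { -not $_.Matched } | ForEach-Object {
    '{0:u} 4624 type 10 {1}\{2} from {3} with no preceding 1149 (NLA off?)' -f `
        $_.Time, $_.Domain, $_.User, $_.Source
}
```

A 1149 with no following 4624 type 10 is also worth a look: in the session-arbitration case above the 4624 had already been written when the prompt appeared, so a 1149 that stands alone is either a failed session logon after successful network authentication or a connection that was abandoned before logon.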

<add>

On Windows 7, the RDP connection shows the following screen. However, I was not able to reproduce the same situation on Windows 10.

f:id:hideakii:20190323113805p:plain

Then I got a comment from @grayfold3d! Thank you!
For details, please refer to his tweets.

I created an .RDP file and added the following line at the end.

 enablecredsspsupport:i:0

The screen I was expecting was displayed!

f:id:hideakii:20190323114719p:plain

So I checked the event log. ID 1149 was not recorded.

Even when Alice logs on successfully after this screen is displayed, ID 1149 is not recorded.

</add> 
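The switches used in the tests above (NLA on/off on the target, RestrictedAdmin mode, the /restrictedadmin client option, and the .RDP file with CredSSP disabled), collected as commands. This is an added example, not the post's own commands: the registry values and mstsc options are standard Windows ones, the target address and the file path are assumptions.

```powershell
# Added example (editor's code, not from the original post).
$Target = '192.0.2.10'   # assumption: the Windows 10 (1809) RDP target

# --- On the Windows 10 target (run as administrator) ---
# NLA: UserAuthentication 1 = NLA required (the first tests), 0 = NLA off (the rdesktop test).
$RdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $RdpTcp -Name UserAuthentication -Value 1 -Type DWord

# RestrictedAdmin mode on the target: DisableRestrictedAdmin = 0 enables it.
# The value does not exist by default, which means the mode is disabled.
$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $Lsa -Name DisableRestrictedAdmin -Value 0 -Type DWord

# --- On the client (Windows Server 2019 in the post) ---
# Normal NLA connection: ID 1149 with user and domain filled in.
Start-Process mstsc.exe -ArgumentList "/v:$Target"

# RestrictedAdmin connection: ID 1149 with blank user and domain in the post's test.
Start-Process mstsc.exe -ArgumentList "/v:$Target /restrictedadmin"

# CredSSP disabled on the client side via an .RDP file (the @grayfold3d suggestion).
# With NLA off on the target this shows the legacy logon screen and, in the post's
# test, no ID 1149 is written even after Alice logs on.
$RdpFile = Join-Path $env:TEMP 'no-credssp.rdp'   # assumption: any writable path works
@(
    "full address:s:$Target"
    'enablecredsspsupport:i:0'
) | Set-Content -Path $RdpFile -Encoding ASCII
Start-Process mstsc.exe -ArgumentList "`"$RdpFile`""

# Afterwards, see what landed in the log on the target.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
    Id      = 1149
} -MaxEvents 10 | Format-List TimeCreated, Message
```

The two registry values take effect for new connections without a reboot; an already-established session is not affected, so disconnect and reconnect between tests, as the post does.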


[Note]
The recording pattern of ID 1149 differs between Windows 7 and Windows 10.


PS
By the way, I did not know about the mstsc "/public" option. It suppresses the registry and bitmap caches.

https://yamanxworld.blogspot.com/2015/01/public.html


Verification environment: Windows Server 2019 1809, Windows 10 1809, Time zone UTC

Reference URL:

ponderthebits.com

cyberforensicator.com

https://www.13cubed.com/downloads/rdp_flowchart.pdf

RDP Event Log DFIR
https://dfironthemountain.wordpress.com/2019/02/15/rdp-event-log-dfir/


f:id:hideakii:20190318210122j:plain