Introduction
If you log into a remote host using Remote Desktop Protocol (RDP) and the remote username is different from your own user, the FireSIGHT System changes the user that the FireSIGHT Management Center associates with your workstation's IP address. Because Access Control rules can match on user, this changes which rules apply to traffic from your workstation, and you will notice that an incorrect user is associated with it. This document provides a solution for this issue.
Prerequisites
Cisco recommends that you have knowledge of the FireSIGHT System and User Agent.
Note: The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Root Cause
This issue occurs because of the way Microsoft Active Directory (AD) logs RDP authentication attempts to the Windows Security log on the Domain Controller. AD logs the authentication attempt for the RDP session against the IP address of the originating host rather than that of the RDP endpoint you are connecting to. If you log into the remote host with a different user account, this changes the user associated with your original workstation's IP address.
Verification
To verify that this is what is occurring, check that the logon event for your original workstation and the logon event generated by the RDP session both carry the same IP address.
To find these events, follow these steps:
Step 1: Determine the Domain Controller that your host is authenticating against:
Run the following command:
nltest /dsgetdc:<windows.domain.name>
Example output:
C:\Users\WinXP.LAB>nltest /dsgetdc:support.lab
DC: \\Win2k8.support.lab
Address: \\192.X.X.X
Dom Guid: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
Dom Name: support.lab
Forest Name: support.lab
Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST
CLOSE_SITE FULL_SECRET WS 0x4000
The command completed successfully
The line that starts with "DC:" gives the name of the Domain Controller and the line that starts with "Address:" gives its IP address.
Step 2: Using RDP, log into the Domain Controller identified in Step 1.
Step 3: Go to Start > Administrative Tools > Event Viewer.
Step 4: Drill down to Windows Logs > Security.
Step 5: Filter for the IP address of your workstation: click Filter Current Log, click the XML tab, and select Edit query.
Step 6: Enter the following XML query, substituting the IP address of your workstation for <IP address>:
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[EventData[Data[@Name='IpAddress'] and (Data='<IP address>')]]
</Select>
</Query>
</QueryList>
Step 7: Click on the Logon Event and click on the Details tab.
Example output:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{XXXXXXXX-XXX-XXXX-XXX-XXXXXXXXXXXX}" />
<EventID>4624</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2014-07-22T20:35:12.750Z" />
<EventRecordID>4130857</EventRecordID>
<Correlation />
<Execution ProcessID="576" ThreadID="704" />
<Channel>Security</Channel>
<Computer>WIN2k8.Support.lab</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXX-XXXX</Data>
<Data Name="TargetUserName">WINXP-SUPLAB$</Data>
<Data Name="TargetDomainName">SUPPORT</Data>
<Data Name="TargetLogonId">0x13c4101f</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">Kerberos</Data>
<Data Name="AuthenticationPackageName">Kerberos</Data>
<Data Name="WorkstationName" />
<Data Name="LogonGuid">{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x0</Data>
<Data Name="ProcessName">-</Data>
<Data Name="IpAddress">192.0.2.10</Data>
<Data Name="IpPort">2401</Data>
</EventData>
</Event>
Complete the same steps after logging in via RDP and you will see a second logon event (Event ID 4624) whose IpAddress field holds the same IP address as the original logon, shown by this line from the XML data of the original logon event:
<Data Name="IpAddress">192.x.x.x</Data>
Solution
To mitigate this issue, if you are using User Agent 2.1 or later, you can exclude the accounts that you use primarily for RDP in the User Agent configuration.
Step 1: Log into the User Agent Host.
Step 2: Launch the User Agent user interface.
Step 3: Click on the Excluded Usernames tab.
Step 4: Enter all usernames you wish to exclude.
Step 5: Click Save.
Users entered in this list do not generate logon events on the FireSIGHT Management Center and are not associated with IP addresses.
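The following added example (not part of this Cisco document or of the User Agent software) shows both halves of the above in code: it parses Event ID 4624 records in the Event Viewer XML layout from the Verification section, reports IP addresses whose user mapping would flip because a later logon from the same IpAddress names a different user, and then applies an exclusion list modelled on the Excluded Usernames tab to show the mapping staying stable. The usernames, timestamps and the trimmed event records are constructed sample data; machine accounts (trailing "$") are skipped as an assumption about how they should be treated.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: three 4624 records trimmed to the fields that matter here.
# Record 1 is the workstation's machine-account logon, record 2 the interactive user's own
# logon, record 3 the later RDP logon to another host, which the Domain Controller records
# against the SAME originating IpAddress (the root cause described in this document).
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4624</EventID><TimeCreated SystemTime="2014-07-22T20:35:12.750Z"/></System>
 <EventData><Data Name="TargetUserName">WINXP-SUPLAB$</Data>
 <Data Name="LogonType">3</Data><Data Name="IpAddress">192.0.2.10</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4624</EventID><TimeCreated SystemTime="2014-07-22T20:36:01.000Z"/></System>
 <EventData><Data Name="TargetUserName">alice</Data>
 <Data Name="LogonType">3</Data><Data Name="IpAddress">192.0.2.10</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4624</EventID><TimeCreated SystemTime="2014-07-22T20:40:45.000Z"/></System>
 <EventData><Data Name="TargetUserName">rdpadmin</Data>
 <Data Name="LogonType">3</Data><Data Name="IpAddress">192.0.2.10</Data></EventData>
</Event>
</Events>"""


def parse_logon_events(xml_text):
    """Return the 4624 records as dicts (time, user, logon_type, ip), oldest first."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue  # only successful logon events are relevant to the user-to-IP mapping
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        events.append({"time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
                       "user": data.get("TargetUserName", ""),
                       "logon_type": data.get("LogonType", ""), "ip": data.get("IpAddress", "")})
    return sorted(events, key=lambda e: e["time"])


def user_history_by_ip(events, excluded=()):
    """Distinct users each IP would be mapped to, in logon order. Machine accounts (trailing
    '$', an assumption made here) and usernames on the exclusion list are ignored, mirroring
    the Excluded Usernames behaviour described in the Solution section."""
    skip = {u.lower() for u in excluded}
    history = {}
    for e in events:
        if e["user"].endswith("$") or e["user"].lower() in skip:
            continue
        users = history.setdefault(e["ip"], [])
        if not users or users[-1] != e["user"]:
            users.append(e["user"])
    return history


def remapped_ips(events, excluded=()):
    """IPs whose associated user changed: the symptom this document describes."""
    return {ip: u for ip, u in user_history_by_ip(events, excluded).items() if len(u) > 1}
```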