Channels:
Microsoft-Windows-TerminalServices-Gateway/Operational.
Events: 200, 300, 302, 303, 308, 312, 313.
Microsoft-Windows-TerminalServices-Gateway/Operational.
Events: 200, 300, 302, 303, 308, 312, 313.
Overview
Remote Desktop Gateway is a Windows server role that implements the
Remote Desktop Protocol (RDP) over HTTPS to establish an encrypted
connection. The gateway can be Internet facing to allow remote users to access
internal network resources through RDP.
| Channel | Conditions | Events |
|---|---|---|
Microsoft-Windows-TerminalServices-Gateway/Operational |
Default configuration | Event 200: <DOMAIN>\<USERNAME> on client computer <SOURCE_IP> met resource authorization policy requirements and was therefore authorized to access the TS Gateway server. Information of interest: domain, username, and source IP of the user connecting to the Remote Desktop Gateway host, and authentication protocol used (such as NTLM). |
Microsoft-Windows-TerminalServices-Gateway/Operational |
Default configuration | Event 300: <DOMAIN>\<USERNAME> on client computer <SOURCE_IP> met resource authorization policy requirements and was therefore authorized to connect to <REMOTE_HOST_FQDN>. Information of interest: domain, username, and source IP of the user connecting to the Remote Desktop Gateway host and remote host (the user is connecting to through the Remote Desktop Gateway). |
Microsoft-Windows-TerminalServices-Gateway/Operational |
Default configuration | Event 302: <DOMAIN>\<USERNAME> on client computer <SOURCE_IP> connected to <REMOTE_HOST_FQDN>. Information of interest: domain, username, and source IP of the user connecting to the Remote Desktop Gateway host and remote host (the user is connecting to through the Remote Desktop Gateway). |
Microsoft-Windows-TerminalServices-Gateway/Operational |
Default configuration | Event 303: <DOMAIN>\<USERNAME> on client computer <SOURCE_IP> disconnected from <REMOTE_HOST_FQDN>. Additionnal payloads: Before <DOMAIN>\<USERNAME> disconnected, the client transferred <BYTES_SENT> bytes and received <BYRES_RECEIVED> bytes. The client session duration was <SESSION_DURATION> seconds. Information of interest: domain, username, and source IP of the user connecting to the Remote Desktop Gateway host and remote host (the user is connecting to through the Remote Desktop Gateway). Metrics about the Remote Desktop session: bytes sent and received, and duration in seconds. |
Microsoft-Windows-TerminalServices-Gateway/Operational |
Default configuration | Event 312: <USERNAME>@<DOMAIN> on client computer <SOURCE_IP>:<SOURCE_PORT> has initiated an outbound connection that has yet to be authenticated. Information of interest: domain, username, and source IP of the user connecting to the Remote Desktop Gateway host. |
Microsoft-Windows-TerminalServices-Gateway/Operational |
Default configuration | Event 313: "<DOMAIN>\<USERNAME> on client computer <SOURCE_IP> has initiated an inbound connection that has yet to be authenticated. Information of interest: domain, username, and source IP of the user connecting to the Remote Desktop Gateway host. le |
References
View on GitHub