Capture windows server users

[gusadolfo]

Hi!! I'm new to the group and to cassia, i found it through a C# forum
and i was wondering if you guys could help me out with a problem i
have. I'm developing an tray application that captures the logged
users in my win server 2008 and check their account status, now the
person who reply to my post at the C# forum he told me: "If you don't
want to deal with P/Invoke then I'd download Cassia" so i did, but i
don't know how to use it or even where to start, i already have a
working tray application. I was wondering if you guys could give me a
few pointers on how i could do this. I would really appreciate your
help.

Thanks Gustavo.

[Dan Ports]

Gustavo,

What do you mean by "check their account status"?

The code snippet on the Cassia home page (http://code.google.com/p/cassia/) shows how to list the sessions on a remote server -- does that answer your question?

Dan

--
You received this message because you are subscribed to the Google Groups "Cassia Users" group.
To post to this group, send email to cassia...@googlegroups.com.
To unsubscribe from this group, send email to cassia-users...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/cassia-users?hl=en.

[Gustavo Sanchez]

Hi!! thx for the reply, when i say "check their status" i mean if their account is blocked or something, and i saw the code snippet on the cassia home page, but my question is: does it work for multiple sessions?? and for it to work do i need to add a library or something??


--

Atte. Gustavo Sánchez

[Dan Ports]

Gustavo,

You can check various properties of a user account using classes in the System.DirectoryServices.AccountManagement namespace (in .NET 3.5+); for example, check AuthenticablePrincipal.Enabled to see whether a given account is active or disabled.

I'm not sure what you mean by "does it work for multiple sessions" -- the code snippet on the home page lists all of the sessions on the machine specified by the call to GetRemoteServer(). For that snippet to work, you'd need to download Cassia, extract the contents of the zip file, add a reference to Cassia.dll in the Bin folder, and add a "using Cassia" import.

Dan

[Gustavo Sanchez]

Hi i think i finally got it, using the code snippet i got it to put the user's info in the debug console but i've been trying to put it on a .txt, so i can test it on the server, but it doesn't work using:

server.Open();

                System.IO.StreamWriter file = new System.IO.StreamWriter("c:\\log.txt", true);

                foreach (ITerminalServicesSession session in server.GetSessions())

                {

                    file.WriteLine("Session ID: " + session.SessionId);

it creates the .txt file but it's empty

--

Atte. Gustavo Sánchez

[Dan Ports]

Gustavo,

Are you calling file.Close or file.Dispose to close the stream when you are finished with it? It would probably be best to put the file access inside a using block like so:

server.Open();
using (System.IO.StreamWriter file = new System.IO.StreamWriter("c:\\log.txt", true))
{
    foreach...

Dan

[srikanth gundala]

Gustavo,

  Are you flushing the data to the file if not include
 
  file.Flush();

Regards,
Srikanth G.

[Gustavo Sanchez]

Thx that worked!! now i need to find the connection string so instead of saving it in a .txt y save it in my sql server 2008 data base


--

Atte. Gustavo Sánchez

[Gustavo Sanchez]

Hi this is what i get in my log file:

Session ID: 0

ClientName: 

UserAccountD: 

UserName: 

ClientIPAddress: 

IdleTime: 00:00:00

LoginTime: Disconnected

LoginTime: 

IdleTime: Services

 

Session ID: 1

ClientName: 

UserAccountD: COLIBRI0\Administrador

UserName: Administrador

ClientIPAddress: 

IdleTime: 00:00:58.2363310

LoginTime: Active

LoginTime: 16/11/2010 04:41:01 p.m.

IdleTime: Console

 

Session ID: 65536

ClientName: 

UserAccountD: 

UserName: 

ClientIPAddress: 

IdleTime: 00:00:00

LoginTime: Listening

LoginTime: 

IdleTime: RDP-Tcp

 

I'm only getting the admin account, i'm not getting the other users that are logged into the server

--

Atte. Gustavo Sánchez

[Dan Ports]

Gustavo,

Are you running your code with elevated privileges ("Run as administrator")?

Dan

[Gustavo Sanchez]

Yes even running it as admin i get the same info on the log


--

Atte. Gustavo Sánchez

[Dan Ports]

Do you see those users listed in the Remote Desktop Services Manager? Are you running your code manually or in response to some system event?

[Gustavo Sanchez]

here's the thing i think i didn't explain myself very well, so here's again: what i'm developing is a client-server system in which the client connects to the internet through the server and the server has an admin app that scans all the clients traffic and link it to each user, and that's what i need cassia to capture the users info and link it to their traffic. 


--

Atte. Gustavo Sánchez

[Dan Ports]

Are these clients connecting to the server via Remote Desktop? Cassia only enumerates Remote Desktop connections, not web logins or other sorts of connections.

[Gustavo Sanchez]

no they'll not connect via Remote Desktop, then Cassia isn't what i'm looking for. Do you know something i can use?


--

Atte. Gustavo Sánchez

[Dan Ports]

What kind of traffic are you trying to monitor?

[Gustavo Sanchez]

http, https, and ssh, those 3 for now, later on we'll add more protocols


--

Atte. Gustavo Sánchez

[Dan Ports]

Hm -- that's pretty general, so it's tough to give a specific answer. For HTTP(S), you could track users at the web application level (e.g. by adding logging to the application), at the web server level (e.g. by hooking into the internals of IIS/Apache/etc.), by parsing web log files, or by hooking into the OS network stack the way packet capture utilities do. I don't know much about SSH, so I can't comment on that.

[Gustavo Sanchez]

I'm going to use Windump for the packet sniffing i still need to parse all the info i get from it, but i need to capture somehow the user info that generates that traffic. There're 2 apps one on the client with the windump sniffing all the traffic and another one on the server that's the one the has all the user's info and compares with a traffic pattern we create with the old traffic generated and if it's off the pattern blocks the http/https/ssh port until it verifies the user's credential, that's pretty much what i'm trying to do, but how do i know which traffic belongs to which user??

You know i just realized that i could send the user info along with the traffic it generates to the server and work with it there i don't need to capture it on the network. But the problem is that when an user is blocked how do i tell the admin that it's blocked??

--

Atte. Gustavo Sánchez

[Dan Ports]

Gustavo,

Since this thread has gotten a bit beyond the capabilities of Cassia, it might be a good idea if you posted your questions on a more general site like stackoverflow so that you have more pairs of eyes looking at them.

Dan

[Gustavo Sanchez]

I'll guess i'll have to do that. Thanks a lot for all your help and your time i really appreciate it


--

Atte. Gustavo Sánchez