Invalid terminal name appeared in audit log when same protected file accessed via RDP.

Article ID: 46450

Products

CA Virtual Privilege Manager
CA Privileged Identity Management Endpoint (PIM)
CA Privileged Access Manager (PAM)

Issue/Introduction

A user logs in to the server via RDP from a first computer and accesses a protected file via Explorer.

The user then logs off that session and logs in as the same user from another node, a second computer.

When the user accesses the same files via Explorer again, the terminal name recorded in the audit log is a mixture of the first and second computer.

It appears as if the files were accessed from two machines.

This problem occurs only when the files are accessed via Explorer. If the user accesses them from a command prompt or from another application such as notepad.exe, the problem does not occur.

Environment

 OS: Windows 2012 R2 SE 
 Prod: CA Privileged Identity Manager r12.8 SP1 

Cause

This is caused by the behavior of Windows and Explorer.

Windows creates multiple logon sessions for a single RDP login.

When the user logs off the RDP session, some of those sessions are closed, but others remain active; this is normal OS behavior.

The user logs in via RDP from the first machine and logs off the RDP session.

Some sessions are closed, but some remain active and are still associated with the first machine.

The same local user then logs in via RDP from the second computer and accesses the same file.

The OS may create new sessions for this login.

Explorer, however, accesses the file using the old session that remained from the first machine.

PIM therefore finds the old machine name when the file is accessed and records it in the audit log.

Resolution

This is a limitation of the product.

Additional Information

Example of this problem:

Sample environment:
PIMSrv: machine running PIM
RDPCl01: RDP client 1
RDPCl02: RDP client 2

Example audit log and operation steps:
(The anomalous record is the last one in step 5: it carries the session ID and the terminal name RDPCl01 from step 1, although the user is logged in from RDPCl02 at that point.)
1. Log in to PIMSrv via RDP from RDPCl01
 
$DateTime P LOGIN PIMSrv\LocalUsr 7bd5e0f1-cac6-4e45-99e8-83f29b11bc80 1059 2 RDPCl01 C:\Windows\System32\lsass.exe 
$DateTime P LOGIN PIMSrv\LocalUsr e989f2a9-91cd-415a-9742-ca35a12c323f 1059 2 RDPCl01 C:\Windows\System32\lsass.exe 
$DateTime P LOGIN PIMSrv\LocalUsr 226916f5-35a6-401b-b179-63f7a253625b 59 2 PIMSrv C:\Windows\System32\lsass.exe 
$DateTime P LOGIN PIMSrv\LocalUsr 226916f5-35a6-401b-b179-63f7a253625b 1059 2 RDPCl01 Terminal Services 
 
2. Access the protected file via Explorer
 
$DateTime P FILE  PIMSrv\LocalUsr 226916f5-35a6-401b-b179-63f7a253625b Read       57  3 C:\Protected\Backup   C:\Windows\Explorer.EXE RDPCl01 PIMSrv\LocalUsr                 
$DateTime P FILE  PIMSrv\LocalUsr 226916f5-35a6-401b-b179-63f7a253625b Read       57  3 C:\Protected\Backup\Recoveried C:\Windows\Explorer.EXE RDPCl01 PIMSrv\LocalUsr                 
$DateTime P FILE  PIMSrv\LocalUsr 226916f5-35a6-401b-b179-63f7a253625b Read       57  3 C:\Protected\Backup\Recoveried\sample C:\Windows\Explorer.EXE RDPCl01 PIMSrv\LocalUsr                 
$DateTime P FILE  PIMSrv\LocalUsr 226916f5-35a6-401b-b179-63f7a253625b Read, Create   57  3 C:\Protected\desktop.ini C:\Windows\Explorer.EXE RDPCl01 PIMSrv\LocalUsr                 
 
3. Log off from the Start menu and disconnect the RDP session
... 
$DateTime O LOGOUT PIMSrv\LocalUsr 226916f5-35a6-401b-b179-63f7a253625b 49 2 RDPCl01 Terminal Services 
 
4. Log in to PIMSrv via RDP from RDPCl02 as the same local user as in step 1
 
$DateTime P LOGIN PIMSrv\LocalUsr 22a29860-1f8c-46b7-a4ec-cbd166b6f3f1 1059 2 RDPCl02 C:\Windows\System32\lsass.exe 
$DateTime P LOGIN PIMSrv\LocalUsr 46057ac5-99a4-4f0b-9013-275282e3ab2b 1059 2 RDPCl02 C:\Windows\System32\lsass.exe 
$DateTime P LOGIN PIMSrv\LocalUsr 3ece5209-3c7d-4afe-a774-c136989a4714 59 2 PIMSrv C:\Windows\System32\lsass.exe 
$DateTime P LOGIN PIMSrv\LocalUsr 3ece5209-3c7d-4afe-a774-c136989a4714 1059 2 RDPCl02 Terminal Services 
 
5. Access the same protected file as in step 2 via Explorer
 
$DateTime P FILE  PIMSrv\LocalUsr 3ece5209-3c7d-4afe-a774-c136989a4714 Read, Create   57  3 C:\Protected\desktop.ini C:\Windows\Explorer.EXE RDPCl02 PIMSrv\LocalUsr                 
$DateTime P FILE  PIMSrv\LocalUsr 3ece5209-3c7d-4afe-a774-c136989a4714 Read, Create   57  3 C:\Protected\Backup\desktop.ini C:\Windows\Explorer.EXE RDPCl02 PIMSrv\LocalUsr                 
$DateTime P FILE  PIMSrv\LocalUsr 3ece5209-3c7d-4afe-a774-c136989a4714 Read       57  3 C:\Protected\Backup   C:\Windows\Explorer.EXE RDPCl02 PIMSrv\LocalUsr                 
$DateTime P FILE  PIMSrv\LocalUsr 226916f5-35a6-401b-b179-63f7a253625b Read       57  3 C:\Protected\Backup   C:\Windows\Explorer.EXE RDPCl01 PIMSrv\LocalUsr
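Because this is a product limitation, the practical question for an audit reviewer is how to tell such a record apart from a genuine access from two machines. The script below is an added example written for this article, not code shipped with CA PIM. It parses audit lines in the layout shown above (timestamp, P/O, event, user, session GUID, and so on; it assumes the file path and process fields contain no spaces, which holds for the records in this article), tracks LOGIN and LOGOUT per session GUID, and flags FILE records that belong to a session that was already logged out, or whose terminal name differs from the user's most recent "Terminal Services" login. Run against the records from steps 1 to 5, it reports exactly the last record of step 5.

```python
"""Flag PIM audit FILE records attributed to a stale RDP session/terminal.

Added example for this article (not part of CA PIM). Field layout is taken
from the audit records shown in the article; spaces in path/process fields
are assumed not to occur.
"""
import re
from dataclasses import dataclass

GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"

# <time> <P|O> LOGIN|LOGOUT <user> <session> <n> <n> <terminal> <process...>
LOGON_RE = re.compile(
    rf"^(\S+)\s+([PO])\s+(LOGIN|LOGOUT)\s+(\S+)\s+({GUID})\s+\d+\s+\d+\s+(\S+)\s+(.+?)\s*$"
)
# <time> <P|O> FILE <user> <session> <access> <n> <n> <path> <process> <terminal> <user>
FILE_RE = re.compile(
    rf"^(\S+)\s+([PO])\s+FILE\s+(\S+)\s+({GUID})\s+(.+?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)


@dataclass
class Finding:
    session_id: str
    path: str
    recorded_terminal: str
    expected_terminal: str
    reason: str


def find_stale_terminal_records(lines):
    """Return a Finding for every FILE record that looks like a stale-session access."""
    logged_out = set()        # session GUIDs with a LOGOUT and no later LOGIN
    current_terminal = {}     # user -> terminal of the latest "Terminal Services" LOGIN
    findings = []
    for raw in lines:
        line = raw.strip()
        m = LOGON_RE.match(line)
        if m:
            _, _, event, user, sid, terminal, process = m.groups()
            if event == "LOGIN":
                logged_out.discard(sid)
                if process == "Terminal Services":   # the interactive RDP session
                    current_terminal[user] = terminal
            else:
                logged_out.add(sid)
            continue
        m = FILE_RE.match(line)
        if not m:
            continue  # other event types (or the "..." elision) are ignored
        _, _, user, sid, _access, path, _process, terminal, _ = m.groups()
        expected = current_terminal.get(user, terminal)
        if sid in logged_out:
            findings.append(Finding(sid, path, terminal, expected, "session already logged out"))
        elif terminal != expected:
            findings.append(Finding(sid, path, terminal, expected, "terminal differs from current RDP login"))
    return findings


# Audit records reproduced from the article (steps 1-5), used as sample input.
SAMPLE_AUDIT = r"""
$DateTime P LOGIN PIMSrv\LocalUsr 7bd5e0f1-cac6-4e45-99e8-83f29b11bc80 1059 2 RDPCl01 C:\Windows\System32\lsass.exe
$DateTime P LOGIN PIMSrv\LocalUsr e989f2a9-91cd-415a-9742-ca35a12c323f 1059 2 RDPCl01 C:\Windows\System32\lsass.exe
$DateTime P LOGIN PIMSrv\LocalUsr 226916f5-35a6-401b-b179-63f7a253625b 59 2 PIMSrv C:\Windows\System32\lsass.exe
$DateTime P LOGIN PIMSrv\LocalUsr 226916f5-35a6-401b-b179-63f7a253625b 1059 2 RDPCl01 Terminal Services
$DateTime P FILE  PIMSrv\LocalUsr 226916f5-35a6-401b-b179-63f7a253625b Read       57  3 C:\Protected\Backup   C:\Windows\Explorer.EXE RDPCl01 PIMSrv\LocalUsr
$DateTime P FILE  PIMSrv\LocalUsr 226916f5-35a6-401b-b179-63f7a253625b Read, Create   57  3 C:\Protected\desktop.ini C:\Windows\Explorer.EXE RDPCl01 PIMSrv\LocalUsr
...
$DateTime O LOGOUT PIMSrv\LocalUsr 226916f5-35a6-401b-b179-63f7a253625b 49 2 RDPCl01 Terminal Services
$DateTime P LOGIN PIMSrv\LocalUsr 22a29860-1f8c-46b7-a4ec-cbd166b6f3f1 1059 2 RDPCl02 C:\Windows\System32\lsass.exe
$DateTime P LOGIN PIMSrv\LocalUsr 3ece5209-3c7d-4afe-a774-c136989a4714 59 2 PIMSrv C:\Windows\System32\lsass.exe
$DateTime P LOGIN PIMSrv\LocalUsr 3ece5209-3c7d-4afe-a774-c136989a4714 1059 2 RDPCl02 Terminal Services
$DateTime P FILE  PIMSrv\LocalUsr 3ece5209-3c7d-4afe-a774-c136989a4714 Read, Create   57  3 C:\Protected\desktop.ini C:\Windows\Explorer.EXE RDPCl02 PIMSrv\LocalUsr
$DateTime P FILE  PIMSrv\LocalUsr 3ece5209-3c7d-4afe-a774-c136989a4714 Read       57  3 C:\Protected\Backup   C:\Windows\Explorer.EXE RDPCl02 PIMSrv\LocalUsr
$DateTime P FILE  PIMSrv\LocalUsr 226916f5-35a6-401b-b179-63f7a253625b Read       57  3 C:\Protected\Backup   C:\Windows\Explorer.EXE RDPCl01 PIMSrv\LocalUsr
"""

if __name__ == "__main__":
    for f in find_stale_terminal_records(SAMPLE_AUDIT.splitlines()):
        print(f"{f.reason}: session {f.session_id} recorded terminal {f.recorded_terminal} "
              f"(current login is {f.expected_terminal}) for {f.path}")
```

The "session already logged out" reason is the signature of the behavior described in the Cause section: the GUID in the FILE record is the one that received a LOGOUT in step 3, so the record reflects the leftover session, not a second machine. The terminal-mismatch check is a weaker secondary signal for records where the LOGOUT is outside the window of log being examined.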