I received an interesting alert today, indicating that a host in a conference room was attempting to reach out to a site hosting an exploit kit. This is not the first alert I have received on this machine, so I was a little puzzled. So, I went to the machine in order to remediate; and noticed that the AV software on the machine had blocked the connection attempt. I ran both AV and Malwarebytes to ensure nothing is found.
The machine was clean.
Just before I logged out, I noticed that Windows Update had run and needed to restart the computer. As I clicked to restart, the warning notice that other people connected to the machine would lose their connection. Hmmm....what's really going on here?
A little digging showed that you can find out who is/has logged into a machine via RDP by examining the Event Logs. Open Event Viewer, and navigate to:
Applications and Services Log -> Microsoft -> Windows -> Terminal Services - LocalSessionManager.
There you will find events for who logged in, with what account, and from what source.
Now to go find some users......
(And yes, we need to fix our policy on conference room computers...but that's a battle for another day.)