Invalid terminal name appears in the audit log when the same protected file is accessed via RDP.

Document ID : KB000046450
Last Modified Date : 14/02/2018

Problem: 

 A user logs in to the server via RDP from a first computer and accesses a protected file via Explorer.

 The user then logs out of that session and logs in as the same user from another node, the second computer.

 When the user accesses the same file via Explorer again, the terminal name recorded in the audit log is a mixture of the first and second computers.

 It therefore looks as if the file was accessed from two machines. 
  
 This problem occurs only when files are accessed with Explorer.
 If the user accesses the file via the command prompt or another application, such as notepad.exe, the problem does not occur.
 

Environment: 

 OS: Windows 2012 R2 SE 
 Prod: CA Privileged Identity Manager r12.8 SP1 
 

Cause:

 This is caused by the behavior of Windows and Explorer.

 Windows creates multiple logon sessions for an RDP connection. 

 Logging off the RDP session closes some of these sessions, but as an OS behavior some of them remain active. 

 The user logs on via RDP from the 1st machine and then logs off the RDP session. 

 Some sessions are closed, but some remain active for the first machine. 

 After that, the same local user logs on via RDP from the 2nd computer and accesses the same file. 

 The OS may create new sessions for this logon, but Explorer performs the file access under the old session that remained active. 

 PIM therefore finds the old machine name while the file is being accessed and records it in the audit log. 

 

Resolution: 

 This is a limitation of the product.

 
Additional Information:  

 
Example for this problem: 
 
Sample Environment:
PIMSrv: PIM running machine
RDPCl01:  RDP client 1
RDPCl02:  RDP client 2
 
Example audit log and operation steps:
(The anomalous record is the last one in step 5: it carries the session ID and terminal name from step 1.)
1. Log in to PIMSrv via RDP from RDPCl01 
 
$DateTime P LOGIN PIMSrv\LocalUsr 7bd5e0f1-cac6-4e45-99e8-83f29b11bc80 1059 2 RDPCl01 C:\Windows\System32\lsass.exe 
$DateTime P LOGIN PIMSrv\LocalUsr e989f2a9-91cd-415a-9742-ca35a12c323f 1059 2 RDPCl01 C:\Windows\System32\lsass.exe 
$DateTime P LOGIN PIMSrv\LocalUsr 226916f5-35a6-401b-b179-63f7a253625b 59 2 PIMSrv C:\Windows\System32\lsass.exe 
$DateTime P LOGIN PIMSrv\LocalUsr 226916f5-35a6-401b-b179-63f7a253625b 1059 2 RDPCl01 Terminal Services 
 
2. Access a protected file via Explorer
 
$DateTime P FILE  PIMSrv\LocalUsr 226916f5-35a6-401b-b179-63f7a253625b Read       57  3 C:\Protected\Backup   C:\Windows\Explorer.EXE RDPCl01 PIMSrv\LocalUsr                 
$DateTime P FILE  PIMSrv\LocalUsr 226916f5-35a6-401b-b179-63f7a253625b Read       57  3 C:\Protected\Backup\Recoveried C:\Windows\Explorer.EXE RDPCl01 PIMSrv\LocalUsr                 
$DateTime P FILE  PIMSrv\LocalUsr 226916f5-35a6-401b-b179-63f7a253625b Read       57  3 C:\Protected\Backup\Recoveried\sample C:\Windows\Explorer.EXE RDPCl01 PIMSrv\LocalUsr                 
$DateTime P FILE  PIMSrv\LocalUsr 226916f5-35a6-401b-b179-63f7a253625b Read, Create   57  3 C:\Protected\desktop.ini C:\Windows\Explorer.EXE RDPCl01 PIMSrv\LocalUsr                 
 
3. Log off from the Start menu and disconnect the RDP session
... 
$DateTime O LOGOUT PIMSrv\LocalUsr 226916f5-35a6-401b-b179-63f7a253625b 49 2 RDPCl01 Terminal Services 
 
4. Log in to PIMSrv via RDP from RDPCl02 as the same local user as in step 1
 
$DateTime P LOGIN PIMSrv\LocalUsr 22a29860-1f8c-46b7-a4ec-cbd166b6f3f1 1059 2 RDPCl02 C:\Windows\System32\lsass.exe 
$DateTime P LOGIN PIMSrv\LocalUsr 46057ac5-99a4-4f0b-9013-275282e3ab2b 1059 2 RDPCl02 C:\Windows\System32\lsass.exe 
$DateTime P LOGIN PIMSrv\LocalUsr 3ece5209-3c7d-4afe-a774-c136989a4714 59 2 PIMSrv C:\Windows\System32\lsass.exe 
$DateTime P LOGIN PIMSrv\LocalUsr 3ece5209-3c7d-4afe-a774-c136989a4714 1059 2 RDPCl02 Terminal Services 
 
5. Access the same protected file as in step 2 via Explorer
 
$DateTime P FILE  PIMSrv\LocalUsr 3ece5209-3c7d-4afe-a774-c136989a4714 Read, Create   57  3 C:\Protected\desktop.ini C:\Windows\Explorer.EXE RDPCl02 PIMSrv\LocalUsr                 
$DateTime P FILE  PIMSrv\LocalUsr 3ece5209-3c7d-4afe-a774-c136989a4714 Read, Create   57  3 C:\Protected\Backup\desktop.ini C:\Windows\Explorer.EXE RDPCl02 PIMSrv\LocalUsr                 
$DateTime P FILE  PIMSrv\LocalUsr 3ece5209-3c7d-4afe-a774-c136989a4714 Read       57  3 C:\Protected\Backup   C:\Windows\Explorer.EXE RDPCl02 PIMSrv\LocalUsr                 
$DateTime P FILE  PIMSrv\LocalUsr 226916f5-35a6-401b-b179-63f7a253625b Read       57  3 C:\Protected\Backup   C:\Windows\Explorer.EXE RDPCl01 PIMSrv\LocalUsr
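As an added example (not part of this article and not CA PIM product code), the following Python script correlates the audit records above by logon-session GUID: a FILE record whose session has already produced a LOGOUT is flagged as access under a stale session, and the script reports which session and terminal are actually live for that user. It assumes the whitespace-separated record layout shown above and that file and program paths contain no spaces; the record class, regular expressions and function names are this example's own. Run over the article's records it flags exactly the last record of step 5.

```python
"""Correlate CA PIM audit records by logon-session GUID so that a FILE record
emitted under an RDP session that has already logged out is recognised as the
stale Explorer session this article describes, rather than being read as access
from two machines.

Added example; not part of the article or of the CA PIM product. Assumes the
whitespace-separated record layout shown in the article and that file and
program paths contain no spaces (the article's sample records do not).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"

# LOGIN / LOGOUT: <time> <P|O> <LOGIN|LOGOUT> <user> <guid> <n> <n> <terminal> <program>
SESSION_RE = re.compile(
    rf"^(\S+)\s+[PO]\s+(LOGIN|LOGOUT)\s+(\S+)\s+({GUID})\s+\d+\s+\d+\s+(\S+)\s+(.+?)\s*$"
)
# FILE: <time> <P|O> FILE <user> <guid> <access> <n> <n> <path> <program> <terminal> <user>
FILE_RE = re.compile(
    rf"^(\S+)\s+[PO]\s+FILE\s+(\S+)\s+({GUID})\s+(.+?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)

# The article's own sample records (steps 1 to 5), reproduced inline.
SAMPLE_AUDIT_LOG = [
    r"$DateTime P LOGIN PIMSrv\LocalUsr 7bd5e0f1-cac6-4e45-99e8-83f29b11bc80 1059 2 RDPCl01 C:\Windows\System32\lsass.exe",
    r"$DateTime P LOGIN PIMSrv\LocalUsr e989f2a9-91cd-415a-9742-ca35a12c323f 1059 2 RDPCl01 C:\Windows\System32\lsass.exe",
    r"$DateTime P LOGIN PIMSrv\LocalUsr 226916f5-35a6-401b-b179-63f7a253625b 59 2 PIMSrv C:\Windows\System32\lsass.exe",
    r"$DateTime P LOGIN PIMSrv\LocalUsr 226916f5-35a6-401b-b179-63f7a253625b 1059 2 RDPCl01 Terminal Services",
    r"$DateTime P FILE  PIMSrv\LocalUsr 226916f5-35a6-401b-b179-63f7a253625b Read       57  3 C:\Protected\Backup   C:\Windows\Explorer.EXE RDPCl01 PIMSrv\LocalUsr",
    r"$DateTime P FILE  PIMSrv\LocalUsr 226916f5-35a6-401b-b179-63f7a253625b Read       57  3 C:\Protected\Backup\Recoveried C:\Windows\Explorer.EXE RDPCl01 PIMSrv\LocalUsr",
    r"$DateTime P FILE  PIMSrv\LocalUsr 226916f5-35a6-401b-b179-63f7a253625b Read       57  3 C:\Protected\Backup\Recoveried\sample C:\Windows\Explorer.EXE RDPCl01 PIMSrv\LocalUsr",
    r"$DateTime P FILE  PIMSrv\LocalUsr 226916f5-35a6-401b-b179-63f7a253625b Read, Create   57  3 C:\Protected\desktop.ini C:\Windows\Explorer.EXE RDPCl01 PIMSrv\LocalUsr",
    r"$DateTime O LOGOUT PIMSrv\LocalUsr 226916f5-35a6-401b-b179-63f7a253625b 49 2 RDPCl01 Terminal Services",
    r"$DateTime P LOGIN PIMSrv\LocalUsr 22a29860-1f8c-46b7-a4ec-cbd166b6f3f1 1059 2 RDPCl02 C:\Windows\System32\lsass.exe",
    r"$DateTime P LOGIN PIMSrv\LocalUsr 46057ac5-99a4-4f0b-9013-275282e3ab2b 1059 2 RDPCl02 C:\Windows\System32\lsass.exe",
    r"$DateTime P LOGIN PIMSrv\LocalUsr 3ece5209-3c7d-4afe-a774-c136989a4714 59 2 PIMSrv C:\Windows\System32\lsass.exe",
    r"$DateTime P LOGIN PIMSrv\LocalUsr 3ece5209-3c7d-4afe-a774-c136989a4714 1059 2 RDPCl02 Terminal Services",
    r"$DateTime P FILE  PIMSrv\LocalUsr 3ece5209-3c7d-4afe-a774-c136989a4714 Read, Create   57  3 C:\Protected\desktop.ini C:\Windows\Explorer.EXE RDPCl02 PIMSrv\LocalUsr",
    r"$DateTime P FILE  PIMSrv\LocalUsr 3ece5209-3c7d-4afe-a774-c136989a4714 Read, Create   57  3 C:\Protected\Backup\desktop.ini C:\Windows\Explorer.EXE RDPCl02 PIMSrv\LocalUsr",
    r"$DateTime P FILE  PIMSrv\LocalUsr 3ece5209-3c7d-4afe-a774-c136989a4714 Read       57  3 C:\Protected\Backup   C:\Windows\Explorer.EXE RDPCl02 PIMSrv\LocalUsr",
    r"$DateTime P FILE  PIMSrv\LocalUsr 226916f5-35a6-401b-b179-63f7a253625b Read       57  3 C:\Protected\Backup   C:\Windows\Explorer.EXE RDPCl01 PIMSrv\LocalUsr",
]


@dataclass
class Record:
    time: str
    kind: str                    # LOGIN, LOGOUT or FILE
    user: str
    session: str                 # logon-session GUID
    terminal: str                # terminal name PIM wrote into the record
    program: str
    path: Optional[str] = None   # FILE records only
    access: Optional[str] = None # FILE records only, e.g. "Read, Create"


@dataclass
class StaleAccess:
    record: Record                 # the FILE record charged to a logged-out session
    live_session: Optional[str]    # latest Terminal Services session of that user
    live_terminal: Optional[str]   # terminal recorded at that session's LOGIN


def parse_record(line: str) -> Optional[Record]:
    """Parse one audit line; returns None for lines of other record types."""
    m = SESSION_RE.match(line)
    if m:
        time, kind, user, session, terminal, program = m.groups()
        return Record(time, kind, user, session, terminal, program)
    m = FILE_RE.match(line)
    if m:
        time, user, session, access, path, program, terminal, _ = m.groups()
        return Record(time, "FILE", user, session, terminal, program, path, access)
    return None


def find_stale_session_access(lines: List[str]) -> List[StaleAccess]:
    """Flag FILE records whose session GUID has already emitted a LOGOUT."""
    logged_out: Set[str] = set()          # sessions that have logged out
    session_terminal: Dict[str, str] = {} # GUID -> terminal seen at its LOGIN
    live_session: Dict[str, str] = {}     # user -> GUID of latest RDP (Terminal Services) LOGIN
    findings: List[StaleAccess] = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        if rec.kind == "LOGIN":
            session_terminal[rec.session] = rec.terminal
            if rec.program == "Terminal Services":
                live_session[rec.user] = rec.session
            logged_out.discard(rec.session)  # a GUID re-logging in is live again
        elif rec.kind == "LOGOUT":
            logged_out.add(rec.session)
        elif rec.kind == "FILE" and rec.session in logged_out:
            live = live_session.get(rec.user)
            findings.append(StaleAccess(rec, live, session_terminal.get(live)))
    return findings


if __name__ == "__main__":
    for f in find_stale_session_access(SAMPLE_AUDIT_LOG):
        r = f.record
        print(f"{r.time} FILE {r.path} by {r.program}: session {r.session} ({r.terminal}) "
              f"already logged out; live session for {r.user} is {f.live_session} ({f.live_terminal})")
```

The GUID is the key that separates this known artifact from genuine access from two machines: a real access from RDPCl01 after the logoff would arrive under a new session GUID with its own LOGIN record, whereas the record this article describes reuses the GUID that has already logged out.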