Logon Analyzer
Active Directory based!
Deployed in minutes!

Copyright © 2015 by VisionIT  · Privacy Policy · Terms Of Service ·  E-Mail: support@vision-it.org
LOGON ANALYZER SERVER INSTALLATION OVERVIEW

The Logon Analyzer Server runs as a service on one of the computers in your Active Directory. This computer can either be a workstation (windows XP, windows Vista, windows 7, windows 8 or windows 10), or a server (windows 2000, windows 2003, windows 2008 or windows 2012). In order to install a service onto a windows computer, be it workstation or server, you need to have Local Administrator rights on that computer.

So first, make sure you have started the console with credentials that give you local administrator rights on the server to which you want to install the Logon Analyzer Server. If you haven't started the console with local admin rights, you can enter alternate credentials via 'Options\Enter Alternative Credentials'.

You can install the Logon Analyzer Server by clicking on the 'Server' icon in the root form. Then click on the 'Install Service' icon. You can either enter the name of the server to which you want to install the Logon Analyzer Server, or you can search for it in your Active Directory by clicking on 'Find'.

Then open 'Settings'. You must choose two port addresses, one for communication between your Logon Analyzer Server and your Logon Analyzer Clients, and one for communication between your Logon Analyzer Server and your Logon Analyzer Consoles.

You also need to define at least one session restriction via 'Session Restrictions'. Session restrictions define who can communicate from a console with a Logon Analyzer Server. There are three restriction options available:


'Only the following user(s) can console to this server'

If you leave this restriction empty, then anyone in your Active Directory can set up a session with the Logon Analyzer Server you are about to install, and anyone can retrieve logon data, and, for instance, shutdown computers which have the Logon Analyzer Client installed.

If you want to restrict console access to the Logon Analyzer Server to a select group of people, you must enter Active Directory users and/or groups here. Only the users and/or the user members of the groups you enter here will be allowed to communicate with the Logon Analyzer Server you are about to install.


'Only the following computer(s) can console to this server'

If you leave this restriction empty, then a session with the Logon Analyzer Server can be set up from any computer in your Active Directory, and logon data can be retrieved from any computer, or, for instance, computers which have the Logon Analyzer Client installed can be shut down from any computer in your Active Directory.

If you want to restrict console access to the Logon Analyzer Server from a select group of computers, you must enter Active Directory computers and/or groups here. Only from the computers and/or the computer members of the groups you enter here will it be allowed to communicate with the Logon Analyzer Server you are about to install.


'Only computers in the following subnet(s) can console to this server'

If you leave this restriction empty, then a session with the Logon Analyzer Server can be set up from any computer in the world, as long as credentials are used from a user in your Active Directory (or, if you added a group to the user restriction, with the credentials of a member of this group).

Use this option to restrict access to the Logon Analyzer Server to only certain computers in one of your subnets, or to certain computers in your network.


Best practice: to gain the best security possible, use all three restrictive options.

1. Restrict on users by creating a dedicated group in your Active Directory and making only those users a member that are allowed to set up a console session with your Logon Analyzer Server. If you use this scenario, you can easily allow or disallow access to your Logon Analyzer Server by adding and removing users to and from this group. If you grant access via users, you have to update the service in order for this user to gain access.

2. Restrict on computers by creating a dedicated group in your Active Directory and making only those computers a member from which it is allowed to start a console session with your Logon Analyzer Server. If you use this scenario, you can easily allow or disallow access to your Logon Analyzer Server by adding and removing computers to and from this group. If you grant access via computer objects, you have to update the service in order for a user to gain access from that computer.

3. Finally, at least restrict on the IP range of your network (the B or C network address of your network), so that no one can access your Logon Analyzer Server from outside your network even if they have somehow obtained the Active Directory credentials of one of the users you have added to the user restriction.

P.S. Make sure that you configure the firewall on your Logon Analyzer Server so that it allows both inbound and outbound IP traffic over the ports you select.