I think someone is spying on me via Remote Desktop at work.

NuclearNed

This might just be paranoia, but all my instincts are screaming that someone is spying on me using Remote Desktop. I'm pretty sure that I know who it is, too. There is a desktop support guy with whom I am working at night. This guy is kind of gossipy, and likes to know all the dirt he can on everyone. It doesn't take much imagination to see him spying on people (he has the access rights needed to use RD as he pleases).

This happens only when I am working on the same shift as this guy, and it has happened several times. Also, I know for a fact that he has remoted into my PC - he admitted it once. My PC out of the blue gets chronically slow for several seconds, and my hard drive is pegged out. Then, as suddenly as it started, the slowness goes away. It seems to me that my PC is responding exactly the same way as the PCs that I remote into.

Is it possible for him to remote into my PC without any obvious signs or notification?

Is there any software or method I can use to detect a PC network ID or user ID if someone is trying to initiate a session?

Is there any way I can force a disconnect or not allow a connect?
 

toekramp

RDP would kick you out when he logged in. He could have installed some monitoring software. A decent firewall will do ya good.
 

Juice Box

Disable remote desktop in your system settings...or just create one user profile for it that only you know.
 

Juddog

Originally posted by: NuclearNed
This might just be paranoia, but all my instincts are screaming that someone is spying on me using Remote Desktop. I'm pretty sure that I know who it is, too. There is a desktop support guy with whom I am working at night. This guy is kind of gossipy, and likes to know all the dirt he can on everyone. It doesn't take much imagination to see him spying on people (he has the access rights needed to use RD as he pleases).

This happens only when I am working on the same shift as this guy, and it has happened several times. Also, I know for a fact that he has remoted into my PC - he admitted it once. My PC out of the blue gets chronically slow for several seconds, and my hard drive is pegged out. Then, as suddenly as it started, the slowness goes away. It seems to me that my PC is responding exactly the same way as the PCs that I remote into.

Is it possible for him to remote into my PC without any obvious signs or notification?

Is there any software or method I can use to detect a PC network ID or user ID if someone is trying to initiate a session?

Is there any way I can force a disconnect or not allow a connect?

If you're suspicious at any time that he is doing something, just open a CMD window, type in "netstat -a" and see if his IP or computer name is listed there. The command will show all network ports that are open on your computer and where they are connected to.

If it's not on there, then chances are he's not doing anything with your PC. His computer name / IP would show up clearly if he was, since he is in the same office / floor as you from the sound of it.

If you don't know his computer name, go over to his workstation sometime when it's off or locked and look at the Windows login screen. Click the drop-down list of "Log on to"; the computer name should be listed there. Go back to your computer and ping that computer name, then you will have his IP address and computer name.
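
An added example, not part of any post in this thread: a small Python parser for the netstat check described above, showing which rows actually indicate someone connected in to your machine. It assumes numeric output (`netstat -an` rather than `netstat -a`, which prints service names instead of port numbers), the default ports of RDP, VNC and DameWare Mini Remote Control, and a constructed sample with made-up addresses.

```python
import re

# Default listening ports of common remote-control services. All of them are
# configurable, so a clean result does not prove that no session exists.
REMOTE_PORTS = {
    3389: "RDP / Terminal Services",
    5900: "VNC",
    6129: "DameWare Mini Remote Control",
}

# Constructed sample of `netstat -an` output; every address here is made up.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    10.0.5.21:1042         10.0.1.10:445          ESTABLISHED
  TCP    10.0.5.21:6129         10.0.5.77:2311         ESTABLISHED
  TCP    10.0.5.21:1188         10.0.9.4:3389          ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Proto, local addr:port, foreign addr:port, state (a trailing PID column
# from `netstat -ano` is tolerated because the pattern is not end-anchored).
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)")

def inbound_remote_sessions(netstat_text):
    """Return (service, local_port, peer_ip) for established connections whose
    LOCAL port is a remote-control service, i.e. a peer connected in to us."""
    hits = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        _local_ip, local_port, peer_ip, _peer_port, state = m.groups()
        if state == "ESTABLISHED" and int(local_port) in REMOTE_PORTS:
            hits.append((REMOTE_PORTS[int(local_port)], int(local_port), peer_ip))
    return hits

def listening_remote_services(netstat_text):
    """Ports of remote-control services that are accepting connections."""
    rows = (ROW.match(line) for line in netstat_text.splitlines())
    return sorted({int(m.group(2)) for m in rows
                   if m and m.group(5) == "LISTENING" and int(m.group(2)) in REMOTE_PORTS})

if __name__ == "__main__":
    for service, port, peer in inbound_remote_sessions(SAMPLE):
        print(f"inbound {service} session on port {port} from {peer}")
    print("listening:", listening_remote_services(SAMPLE))
```

The row with foreign port 3389 is not reported: it is an outbound session from this machine to another one, which is why the check keys on the local port rather than on any appearance of a remote-control port number.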
 

Juddog

Originally posted by: toekramp
RDP would kick you out when he logged in. He could have installed some monitoring software. A decent firewall will do ya good.

Windows RDP will kick the user out, this is true, but if he's using software such as DameWare, he will not be kicked out (and the DameWare client can be set to uninstall when he exits the session, so as to not leave behind anything in Add/Remove Programs).
 

NuclearNed

Ok, I looked at the Remote Control applet under system settings. I am a local admin on this box, but everything in this applet is grayed out, so I can't change anything. It appears that my box is set to allow remote administration with no visual indicators at any time.

This sucks. If he is spying on me, he is breaking company security rules. I would love to catch him red-handed and get a screen capture of it.
 

Gunslinger08

Originally posted by: NuclearNed
Ok, I looked at the Remote Control applet under system settings. I am a local admin on this box, but everything in this applet is grayed out, so I can't change anything. It appears that my box is set to allow remote administration with no visual indicators at any time.

This sucks. If he is spying on me, he is breaking company security rules. I would love to catch him red-handed and get a screen capture of it.

Start -> Control Panel -> Administrative Tools -> Terminal Services Manager -> See if anyone else is logged into your box.
 

Juddog

Originally posted by: NuclearNed
Ok, I looked at the Remote Control applet under system settings. I am a local admin on this box, but everything in this applet is grayed out, so I can't change anything. It appears that my box is set to allow remote administration with no visual indicators at any time.

This sucks. If he is spying on me, he is breaking company security rules. I would love to catch him red-handed and get a screen capture of it.

If he uses the Windows RDP it will kick you out of your current session if he tries to log in with it, even if he has permission.