15th Nov 2001 [SBWID-4859]
COMMAND
Eventlog deception
SYSTEMS AFFECTED
Windows 2000 (All service pack levels)
Windows XP
PROBLEM
Based on the Xato Network Security advisory at
[http://www.xato.net/reference/xato-112001-01.txt]:
Terminal Server records the client connection based not on the IP
address in the TCP header, but on the Remote Desktop Protocol datagram,
which includes the client name and IP.
Hence it is possible to fool the logs of the TSE server by modifying the
IP value passed in RDP.
SOLUTION
Nothing yet.
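Because the logged address is supplied by the client, it can be corroborated against an independent record of TCP source addresses, such as a firewall or packet-filter log. The following is an added example, not part of the Xato advisory or of this page; the record field names, the 30-second matching window and all sample records are constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumption: sessions appear in the server log within 30 s of the TCP connection.
WINDOW = timedelta(seconds=30)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records; field names are hypothetical, not a real log schema.
# TS_SESSIONS: what the terminal server logged (client-supplied name and IP).
TS_SESSIONS = [
    {"time": "2001-11-15T10:00:05", "client_name": "WS-ALICE", "client_ip": "198.51.100.20"},
    {"time": "2001-11-15T10:05:10", "client_name": "WS-BOB", "client_ip": "192.168.1.50"},
    {"time": "2001-11-15T10:09:30", "client_name": "WS-CAROL", "client_ip": "198.51.100.99"},
    {"time": "2001-11-15T11:00:00", "client_name": "WS-DAVE", "client_ip": "198.51.100.5"},
]
# TCP_CONNS: source addresses of connections to the server, from a firewall or packet filter.
TCP_CONNS = [
    {"time": "2001-11-15T10:00:01", "src_ip": "198.51.100.20"},
    {"time": "2001-11-15T10:05:08", "src_ip": "203.0.113.7"},
    {"time": "2001-11-15T10:09:27", "src_ip": "203.0.113.44"},
]

def classify(session, tcp_conns, window=WINDOW):
    """Compare the client-supplied IP in one session record with nearby TCP sources."""
    logged_at = datetime.fromisoformat(session["time"])
    claimed = ipaddress.ip_address(session["client_ip"])
    nearby = {
        ipaddress.ip_address(c["src_ip"]) for c in tcp_conns
        if timedelta(0) <= logged_at - datetime.fromisoformat(c["time"]) <= window
    }
    candidates = sorted(str(a) for a in nearby)
    if not nearby:
        return "no-transport-record", candidates   # nothing to corroborate the log entry
    if claimed in nearby:
        return "consistent", candidates
    if any(claimed in net for net in RFC1918):
        # Assumption: a client behind NAT reports its inside address, so review by hand.
        return "review-possible-nat", candidates
    return "mismatch", candidates                  # logged IP never connected at TCP level

def audit(sessions, tcp_conns):
    """Return (client_name, claimed_ip, verdict, tcp_sources) for every session."""
    return [(s["client_name"], s["client_ip"], *classify(s, tcp_conns)) for s in sessions]

if __name__ == "__main__":
    for row in audit(TS_SESSIONS, TCP_CONNS):
        print(row)
```

For a "mismatch" or "review-possible-nat" verdict, the TCP sources returned alongside it are the addresses to treat as the actual origin of the session.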