How do I stop phantom TS users connecting via RDP on Server 2003?

Posted on 2010-11-18
Last Modified: 2013-11-21
My terminal server seems to be creating phantom users logged in via RDP.
This causes my system to slow and stop responding to my valid client users.
The phantom users have no client name and no IP address.
I believe the server is creating these phantoms, because for any client logged in through RDP, I can verify their computer name, their IP address and the services they are running.

I have been working with Microsoft support for over a month and they cannot figure out the problem.
0
Question by:am5240
LVL 6

Accepted Solution

by:
thiagotietze earned 668 total points
ID: 34170292
What shows when you run netstat -na | find "3389"?

It should list a number of connections (lines in the command output) on port 3389... And it should show you where these connections are coming from...

If you run netstat -nab | find "3389", it will show you which process or service is responsible for the 3389 connections, but I think this will not be very important, since it will show you the Remote Desktop service...

With this, I think we can start some more troubleshooting... Maybe discover what IP or service it is coming from?

If it is from the 0.0.0.0 address (itself, or loopback), maybe a rule in the Windows Firewall, or something like that, should "partially fix" the issue...
0
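Added example, not part of the original thread: a Python sketch that reads saved `netstat -na` output and groups inbound TCP connections to local port 3389 by remote address, matching the local port exactly (a plain `find "3389"` also matches a remote port of 3389 or a port such as 33890). The sample output, the addresses and the `known_clients` allow-list are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample of Windows `netstat -na` output (not taken from the thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:3389        198.51.100.21:1042     ESTABLISHED
  TCP    192.0.2.10:3389        198.51.100.22:1077     ESTABLISHED
  TCP    192.0.2.10:3389        203.0.113.7:50211      ESTABLISHED
  TCP    192.0.2.10:3389        203.0.113.7:50212      CLOSE_WAIT
  TCP    192.0.2.10:1433        198.51.100.21:3389     ESTABLISHED
  TCP    192.0.2.10:33890       198.51.100.30:1100     ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

def rdp_connections(netstat_text, port=3389):
    """Return (remote_ip, state) for each inbound TCP connection to local `port`."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have exactly four fields: proto, local, foreign, state.
        # Headers and UDP rows (which have no state column) are skipped.
        if len(fields) != 4 or fields[0] != "TCP":
            continue
        _, local, foreign, state = fields
        local_port = local.rsplit(":", 1)[1]
        # Exact match on the LOCAL port; the listener row is not a session.
        if local_port != str(port) or state == "LISTENING":
            continue
        found.append((foreign.rsplit(":", 1)[0], state))
    return found

def summarize(netstat_text, known_clients, port=3389):
    """Count connection states per remote IP and list IPs not in known_clients."""
    per_ip = defaultdict(Counter)
    for ip, state in rdp_connections(netstat_text, port):
        per_ip[ip][state] += 1
    unknown = sorted(ip for ip in per_ip if ip not in known_clients)
    return dict(per_ip), unknown

if __name__ == "__main__":
    # known_clients is a hypothetical allow-list of branch addresses.
    per_ip, unknown = summarize(SAMPLE, {"198.51.100.21", "198.51.100.22"})
    for ip, states in sorted(per_ip.items()):
        print(ip, dict(states))
    print("not in allow-list:", unknown)
```

Run it against output captured from an open Command Prompt, for example with `netstat -na > snapshot.txt`, at the moment the extra sessions appear.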
 
LVL 17

Assisted Solution

by:Steve
Steve earned 332 total points
ID: 34171683
If you use this - http://www.2x.com/securerdp/download.html you can restrict by IP.

Registration is free, I've used it in the past.
0
 
LVL 6

Assisted Solution

by:thiagotietze
thiagotietze earned 668 total points
ID: 34172114
sgsm81:

The point is:
How will the guy restrict an IP when he doesn't know what it is?

You can restrict connections and IPs with the Windows Firewall rules, but at least you need to know the basic information.

My choice is that, if this guy has a monitoring tool, or other "weird" service running on the internal network, it is trying to create sessions in RDP.

And, remember, at least as far as I know, you cannot create an RDP connection without authentication, so... Maybe a security breach running? Yeah, needs troubleshooting.
0

Author Comment

by:am5240
ID: 34173813
I am licensed for 10 users. I can see each valid user session by IP, by client name, and by the processes the user is running.
The phantom connections can reach as many as 15 and have no IP address, no client ID name, and the only processes running under those connections are winlogon.exe and csrss.exe.

When I try to disconnect a phantom session, the system stalls out, then returns an error "unable to disconnect".

I have attached a screenshot of the desktop which shows the valid users and the "phantom" users.

The problem is only fixed by restarting the server, and it occurs one to two times a week.

My server has been operating two years, and this issue started about 6 months ago. At first rarely, now it is a weekly occurrence.

What I see in TS Manager is 10 to 15 phantom sessions, and when I look at their properties, I find no client name or originating IP address, so it seems the TS is creating these connections. My router is not detecting these connections or logging them as connections.

When I run the command netstat -nab | find "3389", I get a quick flash on the screen of the execution, but too fast for me to read it.

Thanks for the help. This is a retail POS TS and RDP is the method of connecting for our branch locations. Even if I VPN or provide IP validation to my branch users, how will restricting by IP stop these system-generated connections?

Screenshot of phantom RDP connections
0
 

Author Closing Comment

by:am5240
ID: 34173886
Unable to determine a solution to the problem based on the info provided.
0
 
LVL 6

Expert Comment

by:thiagotietze
ID: 34173958
"When I run the command netstat -nab | find "3389", I get a quick flash on the screen of the execution. but too fast for me to read it."

Yes, when you run a Command Prompt command, outside the Command Prompt (in "RUN", for example), you get the result this way.

Open the Command Prompt and run the commands again, you will be able to see where the connections are generated from.
0
 

Author Comment

by:am5240
ID: 34174097
Yes, thanks for the reminder.

At this point I see 6 authorized users established, and one listener 0.0.0:3389 "Listening".

When the problem recurs I will run the cmd and see if it reveals further info on the phantoms.
Thank you
0
