
How do I stop phantom TS users connecting via RDP on Server 2003?

My terminal server seems to be creating phantom users logged in via RDP.
This causes my system to slow down and stop responding to my valid client users.
The phantom users have no client name and no IP address.
I believe the server is creating these phantoms, because for any client logged in through RDP I can verify their computer name, their IP address and the services they are running.

I have been working with Microsoft support for over a month and they cannot figure out the problem.
3 Solutions
What shows when you run netstat -na | find "3389"?

It should list a number of connections (lines in the command output) on the 3389 port... And it should show you where these connections are coming from...

If you run netstat -nab | find "3389", it would show you what process or service is responsible for the 3389 connections, but I think this will not be very important, since it will show you the Remote Desktop service.....

With this, I think we can start some more troubleshooting... Maybe discover what IP or service they are coming from?

If it is from the address itself (or loopback), maybe a rule in the Windows Firewall, or something like that, should "partially fix" the issue...
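To make that netstat output easier to read once there are a dozen or more connections, here is an added Python script (not from this thread) that parses saved `netstat -nab` output, counts established RDP sessions per remote address, and flags any whose client side is the server itself (the loopback case mentioned above), naming the local process that opened the client socket. The netstat text is constructed sample data and the server address 192.168.1.10 is an assumption.

```python
import re
from collections import Counter
# Constructed sample of "netstat -nab" output, not captured from the poster's server.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1234
 [svchost.exe]
  TCP    192.168.1.10:3389      10.20.1.15:49211       ESTABLISHED     1234
 [svchost.exe]
  TCP    127.0.0.1:3389         127.0.0.1:52100        ESTABLISHED     1234
 [svchost.exe]
  TCP    127.0.0.1:52100        127.0.0.1:3389         ESTABLISHED     4321
 [monitor.exe]
  TCP    192.168.1.10:3389      192.168.1.10:52144     ESTABLISHED     1234
 [svchost.exe]
"""
SERVER_IPS = {"192.168.1.10"}  # assumed address of the terminal server

LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s+(\d+)")

def parse_connections(text):
    """One dict per TCP line; the process name that netstat -b prints in brackets
    on the following line is attached to the connection it belongs to."""
    rows, current = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            lip, lport, rip, rport, state, pid = m.groups()
            current = {"local": lip, "lport": int(lport), "remote": rip, "rport": int(rport),
                       "state": state, "pid": int(pid), "process": None}
            rows.append(current)
        elif current is not None and line.strip().startswith("["):
            current["process"] = line.strip().strip("[]")
    return rows

def rdp_session_report(text, server_ips, port=3389):
    """Count established server-side RDP sessions per remote address and list those
    whose client is this machine itself, naming the local process that opened them."""
    rows = parse_connections(text)
    client_procs = {r["lport"]: r["process"] for r in rows
                    if r["rport"] == port and r["state"] == "ESTABLISHED"}
    per_remote, self_origin = Counter(), []
    for r in rows:
        if r["lport"] != port or r["state"] != "ESTABLISHED":
            continue  # skip the LISTENING socket and any client-side sockets
        per_remote[r["remote"]] += 1
        if r["remote"].startswith("127.") or r["remote"] in server_ips:
            self_origin.append((r["remote"], r["rport"], client_procs.get(r["rport"])))
    return per_remote, self_origin
```

Run `netstat -nab > rdp.txt` from an open Command Prompt on the server and pass the file contents to `rdp_session_report`; a remote address that is the server's own with a named local process is the kind of "weird service" the answer above suspects.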
Steve (IT Manager) commented:
If you use this - http://www.2x.com/securerdp/download.html - you can restrict by IP.

Registration is free; I've used it in the past.

The point is:
How will the guy restrict an IP that he doesn't know?

You can restrict connections and IPs with the Windows Firewall rules, but at least you need to know the basic information.

My guess is that, if this guy has a monitoring tool or other "weird" service running on the internal network, it is trying to create sessions over RDP.

And, remember, at least as far as I know, you cannot create an RDP connection without authentication, so... Maybe a security breach is running? Yeah, it needs troubleshooting.
am5240 (Author) commented:
I am licensed for 10 users. I can see each valid user session by IP, by client name, and by the processes the user is running.
The phantom connections can reach as many as 15 and have no IP address, no client ID name, and the only processes running under those connections are winlogon.exe and csrss.exe.

When I try to disconnect the phantom session, the system stalls out, then returns an error "unable to disconnect".

I have attached a screenshot of the desktop which shows the valid users and the "phantom" users.

The problem is only fixed by restarting the server, and it occurs one to two times a week.

My server has been operating two years, and this issue started about 6 months ago. At first rarely, now it is a weekly occurrence.

What I see in TS Manager is 10 to 15 phantom sessions, and when I look at their properties, I find no client name or originating IP address, so it seems the TS is creating these connections. My router is not detecting these connections or logging them as connections.

When I run the command netstat -nab | find "3389", I get a quick flash on the screen of the execution, but too fast for me to read it.

Thanks for the help. This is a retail POS TS and RDP is the method of connecting for our branch locations. Even if I VPN or provide IP validation to my branch users, how will restricting by IP stop these system-generated connections?

[Screenshot: phantom RDP connections]
am5240 (Author) commented:
Unable to determine a solution to the problem based on the info provided.
> "When I run the command netstat -nab | find "3389", I get a quick flash on the screen of the execution, but too fast for me to read it."

Yes, when you run a Command Prompt command, outside the Command Prompt (in "RUN", for example), you get the result this way.

Open the Command Prompt and run the commands again, you will be able to see where the connections are generated from.
am5240 (Author) commented:
Yes, thanks for the reminder.
At this point I see 6 authorized users established, and one listener 0.0.0.0:3389 "Listening".

When the problem recurs I will run the command and see if it reveals further info on the phantoms.
Thank you.