Solved

How do I stop phantom TS users connecting via RDP on Server 2003?

Posted on 2010-11-18
Last Modified: 2013-11-21
My terminal server seems to be creating phantom users logged in via RDP.
This causes my system to slow and stop responding to my valid client users.
The phantom users have no client name and no IP address.
I believe the server is creating these phantoms, because for any client logged in thru RDP, I can verify their computer name, their IP address and the services they are running.

I have been working with Microsoft support for over a month and they cannot figure out the problem.
Question by:am5240
Accepted Solution

by:thiagotietze
thiagotietze earned 668 total points
ID: 34170292
What shows when you run netstat -na | find "3389"?

It should list a number of connections (lines in the command output) at the 3389 port... And it should show you where these connections are coming from...

If you run netstat -nab | find "3389", it would show you which process or service is responsible for the 3389 connections, but I think this will not be very important, since it will show you the Remote Desktop service...

With this, I think we can start some more troubleshooting... Maybe discover what IP or service it is coming from?

If it is from the 0.0.0.0 address (itself, or loopback), maybe a rule in the Windows Firewall, or something like that, should "partially fix" the issue...
Assisted Solution

by:Steve
Steve earned 332 total points
ID: 34171683
If you use this - http://www.2x.com/securerdp/download.html - you can restrict by IP.

Registration is free; I've used it in the past.
Assisted Solution

by:thiagotietze
thiagotietze earned 668 total points
ID: 34172114
sgsm81:

The point is:
How will the guy restrict an IP when he doesn't know what it is?

You can restrict connections and IPs with the Windows Firewall rules, but at least you need to know the basic information.

My guess is that, if this guy has a monitoring tool, or other "weird" service running on the internal network, it is trying to create sessions in RDP.

And, remember, at least as far as I know, you cannot create an RDP connection without authentication, so... Maybe a security breach running? Yeah, it needs troubleshooting.
Author Comment

by:am5240
ID: 34173813
I am licensed for 10 users. I can see each valid user session by IP, by client name, and by the processes the user is running.
The phantom connections can reach as many as 15 and have no IP address, no client ID name, and the only processes running under those connections are winlogon.exe and csrss.exe.

When I try to disconnect the phantom session, the system stalls out, then returns an error "unable to disconnect".

I have attached a screenshot of the desktop which shows the valid users and the "phantom" users.

The problem is only fixed by restarting the server, and it occurs one to two times a week.

My server has been operating two years, and this issue started about 6 months ago. At first rarely, now it is a weekly occurrence.

What I see in TS Manager is 10 to 15 phantom sessions, and when I look at their properties, I find no client name or originating IP address, so it seems the TS is creating these connections. My router is not detecting these connections or logging them as connections.

When I run the command netstat -nab | find "3389", I get a quick flash on the screen of the execution, but too fast for me to read it.

Thanks for the help. This is a retail POS TS, and RDP is the method of connecting for our branch locations. Even if I VPN or provide IP validation to my branch users, how will the restrict by IP stop these system-generated connections?

[Screenshot of phantom RDP connections]

Author Closing Comment

by:am5240
ID: 34173886
Unable to determine a solution to the problem based on the info provided.
Expert Comment

by:thiagotietze
ID: 34173958
"When I run the command netstat -nab | find "3389", I get a quick flash on the screen of the execution, but too fast for me to read it."

Yes, when you run a Command Prompt command outside the Command Prompt (in "Run", for example), you get the result this way.

Open the Command Prompt and run the commands again; you will be able to see where the connections are generated from.

Author Comment

by:am5240
ID: 34174097
Yes, thanks for the reminder.

At this point I see 6 authorized users established, and one listener 0.0.0:3389 "Listening".

When the problem recurs I will run the cmd and see if it reveals further info on the phantoms.
Thank you
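An added example, not part of the original thread: one way to read saved `netstat -na` output (for instance from `netstat -na > rdp.txt` in a Command Prompt) and count RDP connections per remote address and state. Unlike `find "3389"`, it matches the local port exactly, so a line that merely contains 3389 inside another port number is not counted. The sample output, the addresses and the known-client list are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of Windows `netstat -na` output (not from the thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:3389          10.0.0.21:1045         ESTABLISHED
  TCP    10.0.0.5:3389          10.0.0.22:2210         ESTABLISHED
  TCP    10.0.0.5:3389          203.0.113.7:4455       ESTABLISHED
  TCP    10.0.0.5:3389          203.0.113.7:4456       TIME_WAIT
  TCP    10.0.0.5:445           10.0.0.21:33890        ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

def rdp_connections(netstat_text, port=3389):
    """Return {remote_ip: {state: count}} for TCP connections to the local RDP port."""
    result = defaultdict(lambda: defaultdict(int))
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have exactly: proto, local, foreign, state.
        if len(fields) != 4 or fields[0] != "TCP":
            continue
        local, remote, state = fields[1:]
        if state == "LISTENING":
            continue  # the listener itself is not a client connection
        # Compare the local port exactly; find "3389" would also match 33890.
        if local.rsplit(":", 1)[1] != str(port):
            continue
        result[remote.rsplit(":", 1)[0]][state] += 1
    return {ip: dict(states) for ip, states in result.items()}

def unexpected_sources(connections, known_clients):
    """Remote addresses that are not in the list of known client addresses."""
    return sorted(ip for ip in connections if ip not in known_clients)

if __name__ == "__main__":
    conns = rdp_connections(SAMPLE)
    for ip, states in sorted(conns.items()):
        print(ip, states)
    # known_clients is an assumed list of the valid users' addresses.
    print("not in known list:", unexpected_sources(conns, {"10.0.0.21", "10.0.0.22"}))
```

Comparing the per-address counts with the number of sessions shown in TS Manager indicates whether the extra sessions correspond to any TCP connection on port 3389 at all.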
