Solved

How do I stop phantom TS users connecting via RDP on Server 2003?

Posted on 2010-11-18
Last Modified: 2013-11-21
My terminal server seems to be creating phantom users logged in via RDP.
This causes my system to slow and stop responding to my valid client users.
The phantom users have no client name and no IP address.
I believe the server is creating these phantoms, because for any client logged in through RDP, I can verify their computer name, their IP address and the services they are running.

I have been working with Microsoft support for over a month and they cannot figure out the problem.
Question by:am5240
 
LVL 6

Accepted Solution

by:
thiagotietze earned 334 total points
ID: 34170292
What shows when you run netstat -na | find "3389"?

It should list a number of connections (lines in the command output) on port 3389, and it should show you where these connections are coming from.

If you run netstat -nab | find "3389", it will show you which process or service is responsible for the 3389 connections, but I think this will not be very important, since it will show you the Remote Desktop service.

With this, I think we can start some more troubleshooting. Maybe discover what IP or service it is coming from?

If it is from the 0.0.0.0 address (itself, or loopback) maybe a rule in the Windows Firewall, or something like that, should "partially fix" the issue...
0
 
LVL 17

Assisted Solution

by:sgsm81
sgsm81 earned 166 total points
ID: 34171683
If you use this - http://www.2x.com/securerdp/download.html - you can restrict by IP.

Registration is free; I've used it in the past.
0
 
LVL 6

Assisted Solution

by:thiagotietze
thiagotietze earned 334 total points
ID: 34172114
sgsm81:

The point is:
How will the guy restrict an IP when he doesn't know what it is?

You can restrict connections and IPs with Windows Firewall rules, but you at least need to know the basic information.

My guess is that, if this guy has a monitoring tool or other "weird" service running on the internal network, it is trying to create sessions in RDP.

And, remember, at least as far as I know, you cannot create an RDP connection without authentication, so... Maybe a security breach in progress? Yeah, it needs troubleshooting.
0

Author Comment

by:am5240
ID: 34173813
I am licensed for 10 users. I can see each valid user session by IP, by client name, and by the processes the user is running.
The phantom connections can reach as many as 15 and have no IP address and no client ID name, and the only processes running under those connections are winlogon.exe and csrss.exe.

When I try to disconnect a phantom session, the system stalls out, then returns an error "unable to disconnect".

I have attached a screenshot of the desktop which shows the valid users and the "phantom" users.

The problem is only fixed by restarting the server, and it occurs one to two times a week.

My server has been operating for two years, and this issue started about 6 months ago. At first rarely, now it is a weekly occurrence.

What I see in TS Manager is 10 to 15 phantom sessions, and when I look at their properties, I find no client name or originating IP address, so it seems the TS is creating these connections. My router is not detecting these connections or logging them as connections.

When I run the command netstat -nab | find "3389", I get a quick flash on the screen of the execution, but too fast for me to read it.

Thanks for the help. This is a retail POS TS and RDP is the method of connecting for our branch locations. Even if I VPN or provide IP validation to my branch users, how will the restrict-by-IP stop these system-generated connections?

[Screenshot of phantom RDP connections]
0
 

Author Closing Comment

by:am5240
ID: 34173886
Unable to determine a solution to the problem based on the info provided.
0
 
LVL 6

Expert Comment

by:thiagotietze
ID: 34173958
"When I run the command netstat -nab | find "3389", I get a quick flash on the screen of the execution. but too fast for me to read it."

Yes, when you run a Command Prompt command, outside the Command Prompt (in "RUN", for example), you get the result this way.

Open the Command Prompt and run the commands again, you will be able to see where the connections are generated from.
0
 

Author Comment

by:am5240
ID: 34174097
Yes, thanks for the reminder.

At this point I see 6 authorized users established, and one listener 0.0.0:3389 "Listening".

When the problem recurs I will run the cmd and see if it reveals further info on the phantoms.
Thank you.
0
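
As an added example (not part of the original thread): once the `netstat -na` output has been saved from a Command Prompt, a short Python script can group the port 3389 connections by remote address and list those that do not match a client IP visible in Terminal Services Manager. The sample output, the addresses and the function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of Windows `netstat -na` output (documentation-range
# addresses); it is not data from the thread.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:3389        198.51.100.21:49712    ESTABLISHED
  TCP    192.0.2.10:3389        198.51.100.22:50144    ESTABLISHED
  TCP    192.0.2.10:3389        203.0.113.77:61001     ESTABLISHED
  TCP    192.0.2.10:3389        203.0.113.77:61002     ESTABLISHED
  TCP    192.0.2.10:3389        203.0.113.77:61003     TIME_WAIT
  TCP    192.0.2.10:445         198.51.100.21:49800    ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

# Proto, local addr:port, foreign addr:port, state; a trailing PID column
# (netstat -nao) is tolerated because the pattern is not anchored at the end.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+([A-Z_0-9]+)")

def rdp_peers(netstat_text, port=3389):
    """Map each remote address connected to the local RDP port to its TCP state counts."""
    peers = defaultdict(Counter)
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, UDP rows, process-name lines printed by -b
        _local, lport, remote, _rport, state = m.groups()
        if int(lport) != port or state == "LISTENING":
            continue  # other services, or the listener itself
        peers[remote][state] += 1
    return dict(peers)

def unaccounted(peers, known_client_ips):
    """Remote addresses on the RDP port that match no client IP shown in TS Manager."""
    known = set(known_client_ips)
    return {ip: dict(states) for ip, states in peers.items() if ip not in known}

if __name__ == "__main__":
    # Assumed list of client IPs read off the valid sessions in TS Manager.
    valid_clients = ["198.51.100.21", "198.51.100.22"]
    for ip, states in unaccounted(rdp_peers(SAMPLE), valid_clients).items():
        print(ip, states)
```

Saving the output with `netstat -na > file.txt` inside a Command Prompt window also avoids the window closing before it can be read.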
