Solved

How do i stop phantom ts users connecting via rdp on server 2003?

Posted on 2010-11-18
7
860 Views
Last Modified: 2013-11-21
My terminal server seems to be creating phantom users logged in via rdp.
This causes my system to slow, stop responding to my valid client users.
The phantom users have no client name, no ip address,
I believe the server is creating these phantoms, because any client logged in thru rdp, i can verify their computer name, their ip address and the services they are running.

I have been working with Microsoft support for over a month and try cannot figure out the problem.
0
Comment
Question by:am5240
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 6

Accepted Solution

by:
thiagotietze earned 334 total points
ID: 34170292
What shows when you run netstat -na | find "3389" ???

It should list a number of connections (lines in the command) at the 3389 port... And it should show you where this connections are comming from...

If you run netstat -nab | find "3389", it would show you what is the process or service that is resonsible about the 3389 connections, but I think this will not be very important, since it will show you the Remote Desktop service.....

With this, I think we can start some more troubleshooting... Maybe discover from waht IP or service is comming from?

If it is from the 0.0.0.0 address (itself, or loopback) maybe a rule in the windows firewall, or something like that should "partially fix" the issue...
0
 
LVL 17

Assisted Solution

by:sgsm81
sgsm81 earned 166 total points
ID: 34171683
If you use this - http://www.2x.com/securerdp/download.html you can restrict by IP.

Registration is free, i've used it in the past
0
 
LVL 6

Assisted Solution

by:thiagotietze
thiagotietze earned 334 total points
ID: 34172114
sgsm81:

The point is:
How the guy will restrict an IP that he doesn't know what is?

You can restric connections and IPs by the Windows Firewall rules, but at least you need to know the basic information.

My choice is that, if this guy have a Monitoring tool, or other "weird" service running on the internal network, it is trying to create sessions in RDP.

And, remember, at least as per I know, you cannot create a RDP connection without authentication, so... Maybe a security breach running? Yeah, needs troubleshoot.
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 

Author Comment

by:am5240
ID: 34173813
I am licensed for 10 users. I can see each valid user session by IP, by Client name,and processes the user is running.
The Phantom connections can reach as many as 15  and have no IP address, no client id name and the only processes running under those connections are winlogon.exe and csrss.exe.

When I try to disconnect the phantom session, the system stalls out, then returns an error "unable to disconnect"

I have attached a screen shot of the desktop which shows the valid users and the "phantom" users.

The problem is only fixed by restarting the server, and it occurs one to two times a weeek.

My server has been operating two years, and this issue started about 6 months ago. At First rarly, now it is a weekly occurance.

What I see in TS Manager is 10 to 15 phantom sessions, and when I look at their properties, I find no client name or originating IP address, so it seems the TS is creating these connections. MY Router is not detecting these connections or loggin them as connections.

When I run the command netstat -nab | find "3389", I get a quick flash on the screen of the execution. but too fast for me to read it.

thanks for the help. This is a retail POS TS and RDP is the method of connecting for our branch locations. Even if I VPN or provide IP validation to my branch users, how will the restrict by IP stop this system generated connections. ? Screenshot of Phantom rdp connections
0
 

Author Closing Comment

by:am5240
ID: 34173886
Unable to determin a solution to the problem based on the info provided.
0
 
LVL 6

Expert Comment

by:thiagotietze
ID: 34173958
"When I run the command netstat -nab | find "3389", I get a quick flash on the screen of the execution. but too fast for me to read it."

Yes, when you run a Command Prompt command, outside the Command Prompt (in "RUN", for example), you get the result this way.

Open the Command Prompt and run the commands again, you will be able to see where the connections are generated from.
0
 

Author Comment

by:am5240
ID: 34174097
Yes, Thanks for the reminder.
 
At his point I see 6 authorized users established, and one listner 0.0.0:3389 " Listening".

When the probelm recurs I will run the cmd and see if it reveals further info on the Phantoms.
thank you
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Some time ago I faced the need to use a uniform folder structure that spanned across numerous sites of an enterprise to be used as a common repository for the Software packages of the Configuration Manager 2007 infrastructure. Because the procedu…
On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question