Solved

Open Session in Remote Desktop is continuously staying connected, even after closing session

Posted on 2013-06-12
Last Modified: 2013-06-12
We have a 2003 server running terminal services, not heavily used, mostly one or two connections/sessions on a regular basis.  One internal machine that has no need to be accessing the terminal server (and doesn't connect to it intentionally) shows a constant, continuous session open with the terminal server.  It doesn't show up in the Terminal Services Manager tool where it shows a remote user or a user on the console; it shows up in Computer Management under Shared Folders/Sessions (usually where you'll go to see who's in what file/folder on a server).  It shows '0' open files under # Open Files, but when we right-click on the session and select "Close Session", it gets deleted and then pops right back up upon refresh, showing the local user as the account being used to make the connection.  I've gone to the machine reporting the connection, and nothing is running on that machine that would need the remote desktop connection.  We've gone to that machine and checked the services to try to turn off anything that would open that connection but really can't find anything... It's not apparent that this constant connection is causing any problems, but we're concerned that it never closes and would like to shut it off.  Any ideas?  It's a little difficult to search for a solution because of the vagueness of the problem, so any information would be appreciated!  Thanks!
Question by:mdcr1
LVL 22

Expert Comment

by:Haresh Nikumbh
ID: 39241841

Author Comment

by:mdcr1
ID: 39241897
I think the issue is that it is not showing up as a remote session through Terminal Server Manager; it is just an open session to the server.  Plus, I've set timeouts for disconnected sessions to 1 minute just to see if that session will get dropped but it still shows "Connected Time" of more than a minute (even went in and closed the session manually so if it only applied to new connections/sessions, it would apply). The group policy seems to only affect users who use remote desktop sessions, and this connection seems like it's independent of the terminal server/service.  There is a share listed on the server that is titled "IPC$" with one (1) Client Connection showing, which makes it seem like a null session exploit, but I've scanned that client machine with Malwarebytes/Barracuda Anti-Spyware tool, but it didn't find anything...
LVL 68

Accepted Solution

by:
Qlemo earned 500 total points
ID: 39241923
Sometimes network information services will open up all available shares (or at least all ipc$ ones) they can get knowledge of.
If you really want to know what is causing that, run ProcMon from www.sysinternals.com on the "offending" machine, set up a filter like "Path", "starts with", "\\TerminalServerName". Make sure the magnifying glass icon has no red cross, so data is collected, and "Drop Filtered Events" in "Filter" menu is checked (important if you want to monitor for a longer period).

You should see the process, time and some more details of access now.

Author Comment

by:mdcr1
ID: 39242339
ProcMon is showing nothing but constant access to \\servername\pipe\spoolss with operations consisting of CreateFile, ReadFile, WriteFile, and FileSystemControl.  The results of those operations are either SUCCESS or BUFFER OVERFLOW....okay, so it looks like that was connecting to a printer on that server, even though it wasn't using it for anything (connecting to a PDF converter printer), checked printers, deleted that one, and session is gone!  Well that ProcMon worked alright, thanks Qlemo!
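
The triage described in the accepted solution and carried out in the comment above, as an added example that is not part of the original thread: a Python sketch that summarizes a ProcMon CSV export by process and target, and maps well-known named pipes to the service behind them. The server name `TS01`, the sample rows and the default ProcMon column layout are assumptions.

```python
import csv
import io
from collections import Counter

# Well-known SMB named pipes and the Windows service that answers on each.
PIPE_OWNERS = {
    "spoolss": "Print Spooler (a printer connection to the server)",
    "srvsvc": "Server service (share/session enumeration)",
    "wkssvc": "Workstation service",
    "samr": "SAM account database queries",
}

# Constructed sample rows in ProcMon's default CSV export columns (assumed layout).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","spoolsv.exe","1204","CreateFile","\\TS01\pipe\spoolss","SUCCESS",""
"10:01:02.2","spoolsv.exe","1204","WriteFile","\\TS01\pipe\spoolss","SUCCESS",""
"10:01:02.3","spoolsv.exe","1204","ReadFile","\\TS01\pipe\spoolss","BUFFER OVERFLOW",""
"10:01:02.4","spoolsv.exe","1204","FileSystemControl","\\TS01\pipe\spoolss","SUCCESS",""
"10:01:05.0","explorer.exe","1888","CreateFile","\\TS01\Public\readme.txt","SUCCESS",""
"10:01:06.0","explorer.exe","1888","CreateFile","C:\Windows\explorer.exe","SUCCESS",""
'''

def summarize(csv_text, server):
    """Count operations per (process, target) for paths under \\\\server\\."""
    prefix = "\\\\" + server.lower() + "\\"
    hits = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["Path"].lower()
        if not path.startswith(prefix):
            continue  # local or other-host access, not part of the session
        parts = path[len(prefix):].split("\\")
        # \\server\pipe\<name> is IPC$ named-pipe traffic (shows 0 open files).
        if parts[0] == "pipe" and len(parts) > 1:
            target = "pipe:" + parts[1]
        else:
            target = "share:" + parts[0]
        hits[(row["Process Name"], target)] += 1
    return hits

def explain(hits):
    lines = []
    for (proc, target), n in hits.most_common():
        kind, name = target.split(":", 1)
        note = PIPE_OWNERS.get(name, "unknown pipe") if kind == "pipe" else "file share access"
        lines.append(f"{proc}: {n} ops on {target} -> {note}")
    return lines

if __name__ == "__main__":
    print("\n".join(explain(summarize(SAMPLE_CSV, "TS01"))))
```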

Question has a verified solution.
