Solved

Open Session in Remote Desktop is continuously staying connected, even after closing session

Posted on 2013-06-12
992 Views
Last Modified: 2013-06-12
We have a 2003 server running terminal services, not heavily used, mostly one or two connections/sessions on a regular basis. One internal machine that has no need to be accessing the terminal server (and doesn't connect to it intentionally) shows a constant, continuous session open with the terminal server. It doesn't show up in the Terminal Services Manager tool where it shows a remote user or a user on the console; it shows up in Computer Management under Shared Folders/Sessions (usually where you'll go to see who's in what file/folder on a server). It shows '0' open files under # Open Files, but when we right-click on the session and select "Close Session", it gets deleted and then pops right back up upon refresh, showing the local user as the account being used to make the connection. I've gone to the machine reporting the connection, and nothing is running on that machine that would need the remote desktop connection. We've gone to that machine and checked the services to try to turn off anything that would open that connection but really can't find anything... It's not apparent that this constant connection is causing any problems, but we're concerned that it never closes and would like to shut it off. Any ideas? It's a little difficult to search for a solution because of the vagueness of the problem, so any information would be appreciated! Thanks!
0
Question by:mdcr1
4 Comments
 
LVL 21

Expert Comment

by:Haresh Nikumbh
ID: 39241841
0
 

Author Comment

by:mdcr1
ID: 39241897
I think the issue is that it is not showing up as a remote session through Terminal Server Manager; it is just an open session to the server.  Plus, I've set timeouts for disconnected sessions to 1 minute just to see if that session will get dropped but it still shows "Connected Time" of more than a minute (even went in and closed the session manually so if it only applied to new connections/sessions, it would apply). The group policy seems to only affect users who use remote desktop sessions, and this connection seems like it's independent of the terminal server/service.  There is a share listed on the server that is titled "IPC$" with one (1) Client Connection showing, which makes it seem like a null session exploit, but I've scanned that client machine with Malwarebytes/Barracuda Anti-Spyware tool, but it didn't find anything...
0
 
LVL 68

Accepted Solution

by:
Qlemo earned 500 total points
ID: 39241923
Sometimes network information services will open up all available shares (or at least all ipc$ ones) they can get knowledge of.
If you really want to know what is causing that, run ProcMon from www.sysinternals.com on the "offending" machine, set up a filter like "Path", "starts with", "\\TerminalServerName". Make sure the magnifying glass icon has no red cross, so data is collected, and "Drop Filtered Events" in "Filter" menu is checked (important if you want to monitor for a longer period).

You should see the process, time and some more details of access now.
0
 

Author Comment

by:mdcr1
ID: 39242339
ProcMon is showing nothing but constant access to \\servername\pipe\spoolss with operations consisting of CreateFile, ReadFile, WriteFile, and FileSystemControl.  The results of those operations are either SUCCESS or BUFFER OVERFLOW....okay, so it looks like that was connecting to a printer on that server, even though it wasn't using it for anything (connecting to a PDF converter printer), checked printers, deleted that one, and session is gone!  Well that ProcMon worked alright, thanks Qlemo!
0
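
Added example, not part of the original thread: a Python script that reads a ProcMon CSV export and reports which process is talking to which named pipe on the server, the same reasoning that traced this IPC$ session to the print spooler. The sample rows, the server name `TS01` and the function names are constructed for illustration, and the column layout assumes ProcMon's default columns.

```python
import csv
import io
from collections import Counter

# Well-known RPC named pipes that are reached through the IPC$ share.
KNOWN_PIPES = {
    "spoolss": "Print Spooler (remote printer connection)",
    "srvsvc": "Server service (share and session enumeration)",
    "wkssvc": "Workstation service",
    "samr": "SAM remote protocol (account enumeration)",
    "lsarpc": "LSA remote protocol (policy and SID lookups)",
    "netlogon": "Netlogon",
    "winreg": "Remote Registry",
    "svcctl": "Service Control Manager",
}

# Constructed sample rows in ProcMon's default CSV export layout.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","spoolsv.exe","1284","CreateFile","\\TS01\pipe\spoolss","SUCCESS",""
"10:01:02.2","spoolsv.exe","1284","FileSystemControl","\\TS01\pipe\spoolss","BUFFER OVERFLOW",""
"10:01:02.3","spoolsv.exe","1284","ReadFile","\\TS01\pipe\spoolss","SUCCESS",""
"10:01:05.0","explorer.exe","2210","CreateFile","\\FILE02\docs\a.txt","SUCCESS",""
"10:01:07.4","spoolsv.exe","1284","WriteFile","\\ts01\PIPE\spoolss","SUCCESS",""
'''

def pipe_activity(csv_text, server):
    """Count accesses per (process, pipe name) to named pipes on one server."""
    prefix = "\\\\" + server.lower() + "\\pipe\\"
    hits = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["Path"].lower()  # UNC paths are case-insensitive
        if path.startswith(prefix):
            pipe = path[len(prefix):].split("\\")[0]
            hits[(row["Process Name"], pipe)] += 1
    return hits

def explain(hits):
    """Render one line per (process, pipe), busiest first."""
    return [
        f"{proc} -> {pipe} x{n}: "
        f"{KNOWN_PIPES.get(pipe, 'unrecognized pipe, investigate')}"
        for (proc, pipe), n in hits.most_common()
    ]

if __name__ == "__main__":
    print("\n".join(explain(pipe_activity(SAMPLE_CSV, "TS01"))))
```

When reading a real export from disk, open it with `encoding="utf-8-sig"` so a leading byte-order mark does not corrupt the first column name.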
