SBS 2003 shutsdown or disconnects users

captjcret
captjcret used Ask the Experts™
on
I have a small business server 2003 that disconnects everybody from the server about every other day.  In the system event log I am not seeing any errors but I am seeing at least 3 terminal service session login attempts every minute.  The termservice event ID is 1012 "Remote session from client name exceeded maximum allowed login attempts.  The session was forcibly terminated"  I am guessing that with multiple failed login attempts the server is blocking all logins.  I looked up the ID 1012 and it says that it is normal.  I have never seen it before so it doesnt look very normal to me.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Esteban BlancoPresident

Commented:
Are your users logging off completely or just disconnecting?
Commented:
I suggest you try to narrow down the cause of those failed logon attempts.  We had hackers (bots actually) trying to get into our system via terminal services.  Windows terminal server does NOT have the ability to detect attacks, other than having a max number of login attempts (which doesn't help much as they can just try again.)
We ended up changing the port at which users connected to terminal server.  This forced any hacker to do a "port scan" to try and find our terminal services (which our firewall could catch and then block that source IP.)

All that being said, I'm afraid I don't see how this would force all users to be disconnected.  Especially odd that such an event does not generate a log entry.

Are you certain that you have the maximum number of sessions, in terminal services configured to be greater than the number of concurrent terminal server users?
Esteban BlancoPresident
Commented:
That's what I am thinking Korbus.  If users are just disconnecting and not logging off, that leaves their connection open unless you set the limits in the RDP-Tcp settings under the RD Session Host Configuration.  

If hackers are attacking, then he could secure it with SSL.
Become a Certified Penetration Testing Engineer

This CPTE Certified Penetration Testing Engineer course covers everything you need to know about becoming a Certified Penetration Testing Engineer. Career Path: Professional roles include Ethical Hackers, Security Consultants, System Administrators, and Chief Security Officers.

Commented:
>>that leaves their connection open unless you set the limits in the RDP-Tcp settings under the RD Session Host Configuration.  

An excellent point Esteban.  I feel like I remember a setting (and cannot confirm right now), that limits each TS user to a SINGLE connection.  Am  correct when I say: this setting would force users to reconnect to a disconnected session, rather than create a new one?

Securing it with SSL:  I have never done that,  does that actually prevent logon attempts somehow, or just encrypt the data for transmission?
Principal Consultant
Most Valuable Expert 2016
Top Expert 2014
Commented:
There is a worm that was strong a couple of years ago which would attack servers which used port 3389 for RDP and had very easy passwords configured.  (See:  https://blogs.technet.com/b/mmpc/archive/2011/08/28/new-worm-targeting-weak-passwords-on-remote-desktop-connections-port-3389.aspx)

If this is active on your server you need to immediately close port 3389 and then run the Microsoft Safety Scanner.

Since SBS doesn't operate as a Terminal Server (RDP is only for administrative purposes) a flood of traffic and requests could cause it to have problems, especially since your server is over 10 years old as well.  This also means that the suggestions above are not applicable.


Jeff

Author

Commented:
I have to apologize.  I have been going by what my client tells me.  They are not disconnecting from the server it is the exchange server that is dismounting.  I finally got somebody to give me the right details to the problem.  They can still access data on the drive they are losing Exchange.  The problem was simple to fix.  The exchange server was dismounting the databases because they exceeded 18 gigabytes in size.  I went and modified the registry and increased the size limit from 18 to 40 gigabytes.  That should take care of it.

Author

Commented:
Once again, I apologize for not getting better details from my customer.

Commented:
I personally don't mind at all, but FYI:  some experts' ratings may be negatively affected by giving a grade below an "A".

I'm honestly no expert on what the "proper protocol" is, but I think in this case it would be to request to delete the question.  
I wouldn't worry about it, but now you know for next time.

Author

Commented:
Thanks, I will do so in the future.
Esteban BlancoPresident

Commented:
I have to agree with Korbus on this one.  It is better to delete and just give an A to the accepted solution.  This also helps people looking for answers so there is not confusion as of what they need to do to get something resolved.  Jeff can have my points or whomever.
Jeffrey Kane - TechSoEasyPrincipal Consultant
Most Valuable Expert 2016
Top Expert 2014

Commented:
I'm in agreement as well --

@captjcret -- please click the "Request Attention" link just below your initial question and ask a moderator to delete this question.

Thanks.

Jeff

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial