Solved

SBS 2003 shutsdown or disconnects users

Posted on 2014-03-03
11
397 Views
Last Modified: 2014-03-09
I have a small business server 2003 that disconnects everybody from the server about every other day.  In the system event log I am not seeing any errors but I am seeing at least 3 terminal service session login attempts every minute.  The termservice event ID is 1012 "Remote session from client name exceeded maximum allowed login attempts.  The session was forcibly terminated"  I am guessing that with multiple failed login attempts the server is blocking all logins.  I looked up the ID 1012 and it says that it is normal.  I have never seen it before so it doesnt look very normal to me.
0
Comment
Question by:captjcret
  • 3
  • 3
  • 3
  • +1
11 Comments
 
LVL 8

Expert Comment

by:Esteban Blanco
ID: 39901177
Are your users logging off completely or just disconnecting?
0
 
LVL 10

Assisted Solution

by:Korbus
Korbus earned 167 total points
ID: 39901188
I suggest you try to narrow down the cause of those failed logon attempts.  We had hackers (bots actually) trying to get into our system via terminal services.  Windows terminal server does NOT have the ability to detect attacks, other than having a max number of login attempts (which doesn't help much as they can just try again.)
We ended up changing the port at which users connected to terminal server.  This forced any hacker to do a "port scan" to try and find our terminal services (which our firewall could catch and then block that source IP.)

All that being said, I'm afraid I don't see how this would force all users to be disconnected.  Especially odd that such an event does not generate a log entry.

Are you certain that you have the maximum number of sessions, in terminal services configured to be greater than the number of concurrent terminal server users?
0
 
LVL 8

Assisted Solution

by:Esteban Blanco
Esteban Blanco earned 166 total points
ID: 39901227
That's what I am thinking Korbus.  If users are just disconnecting and not logging off, that leaves their connection open unless you set the limits in the RDP-Tcp settings under the RD Session Host Configuration.  

If hackers are attacking, then he could secure it with SSL.
0
 
LVL 10

Expert Comment

by:Korbus
ID: 39901267
>>that leaves their connection open unless you set the limits in the RDP-Tcp settings under the RD Session Host Configuration.  

An excellent point Esteban.  I feel like I remember a setting (and cannot confirm right now), that limits each TS user to a SINGLE connection.  Am  correct when I say: this setting would force users to reconnect to a disconnected session, rather than create a new one?

Securing it with SSL:  I have never done that,  does that actually prevent logon attempts somehow, or just encrypt the data for transmission?
0
 
LVL 74

Accepted Solution

by:
Jeffrey Kane - TechSoEasy earned 167 total points
ID: 39901372
There is a worm that was strong a couple of years ago which would attack servers which used port 3389 for RDP and had very easy passwords configured.  (See:  https://blogs.technet.com/b/mmpc/archive/2011/08/28/new-worm-targeting-weak-passwords-on-remote-desktop-connections-port-3389.aspx)

If this is active on your server you need to immediately close port 3389 and then run the Microsoft Safety Scanner.

Since SBS doesn't operate as a Terminal Server (RDP is only for administrative purposes) a flood of traffic and requests could cause it to have problems, especially since your server is over 10 years old as well.  This also means that the suggestions above are not applicable.


Jeff
0
Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

 

Author Comment

by:captjcret
ID: 39907317
I have to apologize.  I have been going by what my client tells me.  They are not disconnecting from the server it is the exchange server that is dismounting.  I finally got somebody to give me the right details to the problem.  They can still access data on the drive they are losing Exchange.  The problem was simple to fix.  The exchange server was dismounting the databases because they exceeded 18 gigabytes in size.  I went and modified the registry and increased the size limit from 18 to 40 gigabytes.  That should take care of it.
0
 

Author Closing Comment

by:captjcret
ID: 39907324
Once again, I apologize for not getting better details from my customer.
0
 
LVL 10

Expert Comment

by:Korbus
ID: 39907523
I personally don't mind at all, but FYI:  some experts' ratings may be negatively affected by giving a grade below an "A".

I'm honestly no expert on what the "proper protocol" is, but I think in this case it would be to request to delete the question.  
I wouldn't worry about it, but now you know for next time.
0
 

Author Comment

by:captjcret
ID: 39907671
Thanks, I will do so in the future.
0
 
LVL 8

Expert Comment

by:Esteban Blanco
ID: 39907687
I have to agree with Korbus on this one.  It is better to delete and just give an A to the accepted solution.  This also helps people looking for answers so there is not confusion as of what they need to do to get something resolved.  Jeff can have my points or whomever.
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 39916419
I'm in agreement as well --

@captjcret -- please click the "Request Attention" link just below your initial question and ask a moderator to delete this question.

Thanks.

Jeff
0

Featured Post

Complete Microsoft Windows PC® & Mac Backup

Backup and recovery solutions to protect all your PCs & Mac– on-premises or in remote locations. Acronis backs up entire PC or Mac with patented reliable disk imaging technology and you will be able to restore workstations to a new, dissimilar hardware in minutes.

Join & Write a Comment

The problem of the system drive in SBS 2003 getting full continues to be an issue, even though SBS 2008 and SBS 2011 are both in the market place.  There are several solutions to this, including adding additional drive space or using third party uti…
Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now