Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 404
  • Last Modified:

SBS 2003 shutsdown or disconnects users

I have a small business server 2003 that disconnects everybody from the server about every other day.  In the system event log I am not seeing any errors but I am seeing at least 3 terminal service session login attempts every minute.  The termservice event ID is 1012 "Remote session from client name exceeded maximum allowed login attempts.  The session was forcibly terminated"  I am guessing that with multiple failed login attempts the server is blocking all logins.  I looked up the ID 1012 and it says that it is normal.  I have never seen it before so it doesnt look very normal to me.
0
captjcret
Asked:
captjcret
  • 3
  • 3
  • 3
  • +1
3 Solutions
 
Esteban BlancoCommented:
Are your users logging off completely or just disconnecting?
0
 
KorbusCommented:
I suggest you try to narrow down the cause of those failed logon attempts.  We had hackers (bots actually) trying to get into our system via terminal services.  Windows terminal server does NOT have the ability to detect attacks, other than having a max number of login attempts (which doesn't help much as they can just try again.)
We ended up changing the port at which users connected to terminal server.  This forced any hacker to do a "port scan" to try and find our terminal services (which our firewall could catch and then block that source IP.)

All that being said, I'm afraid I don't see how this would force all users to be disconnected.  Especially odd that such an event does not generate a log entry.

Are you certain that you have the maximum number of sessions, in terminal services configured to be greater than the number of concurrent terminal server users?
0
 
Esteban BlancoCommented:
That's what I am thinking Korbus.  If users are just disconnecting and not logging off, that leaves their connection open unless you set the limits in the RDP-Tcp settings under the RD Session Host Configuration.  

If hackers are attacking, then he could secure it with SSL.
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 
KorbusCommented:
>>that leaves their connection open unless you set the limits in the RDP-Tcp settings under the RD Session Host Configuration.  

An excellent point Esteban.  I feel like I remember a setting (and cannot confirm right now), that limits each TS user to a SINGLE connection.  Am  correct when I say: this setting would force users to reconnect to a disconnected session, rather than create a new one?

Securing it with SSL:  I have never done that,  does that actually prevent logon attempts somehow, or just encrypt the data for transmission?
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
There is a worm that was strong a couple of years ago which would attack servers which used port 3389 for RDP and had very easy passwords configured.  (See:  https://blogs.technet.com/b/mmpc/archive/2011/08/28/new-worm-targeting-weak-passwords-on-remote-desktop-connections-port-3389.aspx)

If this is active on your server you need to immediately close port 3389 and then run the Microsoft Safety Scanner.

Since SBS doesn't operate as a Terminal Server (RDP is only for administrative purposes) a flood of traffic and requests could cause it to have problems, especially since your server is over 10 years old as well.  This also means that the suggestions above are not applicable.


Jeff
0
 
captjcretAuthor Commented:
I have to apologize.  I have been going by what my client tells me.  They are not disconnecting from the server it is the exchange server that is dismounting.  I finally got somebody to give me the right details to the problem.  They can still access data on the drive they are losing Exchange.  The problem was simple to fix.  The exchange server was dismounting the databases because they exceeded 18 gigabytes in size.  I went and modified the registry and increased the size limit from 18 to 40 gigabytes.  That should take care of it.
0
 
captjcretAuthor Commented:
Once again, I apologize for not getting better details from my customer.
0
 
KorbusCommented:
I personally don't mind at all, but FYI:  some experts' ratings may be negatively affected by giving a grade below an "A".

I'm honestly no expert on what the "proper protocol" is, but I think in this case it would be to request to delete the question.  
I wouldn't worry about it, but now you know for next time.
0
 
captjcretAuthor Commented:
Thanks, I will do so in the future.
0
 
Esteban BlancoCommented:
I have to agree with Korbus on this one.  It is better to delete and just give an A to the accepted solution.  This also helps people looking for answers so there is not confusion as of what they need to do to get something resolved.  Jeff can have my points or whomever.
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
I'm in agreement as well --

@captjcret -- please click the "Request Attention" link just below your initial question and ask a moderator to delete this question.

Thanks.

Jeff
0

Featured Post

How to Use the Help Bell

Need to boost the visibility of your question for solutions? Use the Experts Exchange Help Bell to confirm priority levels and contact subject-matter experts for question attention.  Check out this how-to article for more information.

  • 3
  • 3
  • 3
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now