Solved

SBS 2003 shuts down or disconnects users

Posted on 2014-03-03
Last Modified: 2014-03-09
I have a Small Business Server 2003 that disconnects everybody from the server about every other day.  In the system event log I am not seeing any errors, but I am seeing at least 3 terminal service session login attempts every minute.  The TermService event ID is 1012: "Remote session from client name exceeded maximum allowed login attempts.  The session was forcibly terminated."  I am guessing that with multiple failed login attempts the server is blocking all logins.  I looked up the ID 1012 and it says that it is normal.  I have never seen it before, so it doesn't look very normal to me.
Question by:captjcret
11 Comments
 
LVL 8

Expert Comment

by:Esteban Blanco
ID: 39901177
Are your users logging off completely or just disconnecting?
0
 
LVL 10

Assisted Solution

by:Korbus
Korbus earned 167 total points
ID: 39901188
I suggest you try to narrow down the cause of those failed logon attempts.  We had hackers (bots actually) trying to get into our system via terminal services.  Windows terminal server does NOT have the ability to detect attacks, other than having a max number of login attempts (which doesn't help much as they can just try again.)
We ended up changing the port at which users connected to terminal server.  This forced any hacker to do a "port scan" to try and find our terminal services (which our firewall could catch and then block that source IP.)

All that being said, I'm afraid I don't see how this would force all users to be disconnected.  Especially odd that such an event does not generate a log entry.

Are you certain that you have the maximum number of sessions, in terminal services configured to be greater than the number of concurrent terminal server users?
0
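One way to narrow down where the Event ID 1012 entries come from, as an added example that is not part of the original thread: it groups the events by client name and by minute and reports the clients that reach the rate the question describes. The CSV export layout, the sample rows and the function name are assumptions of this example.

```python
import csv
import io
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample data: a CSV export of the System event log.
# The column names and timestamp format are assumptions of this example.
MSG = ("Remote session from client name {} exceeded maximum allowed "
       "login attempts. The session was forcibly terminated.")
SAMPLE_EXPORT = "\n".join([
    "TimeGenerated,Source,EventID,Message",
    "2014-03-03 09:14:05,TermService,1012," + MSG.format("a"),
    "2014-03-03 09:14:25,TermService,1012," + MSG.format("a"),
    "2014-03-03 09:14:47,TermService,1012," + MSG.format("a"),
    "2014-03-03 09:15:02,Service Control Manager,7036,"
    "The Print Spooler service entered the running state.",
    "2014-03-03 09:15:09,TermService,1012," + MSG.format("a"),
    "2014-03-03 09:15:31,TermService,1012," + MSG.format("a"),
    "2014-03-03 09:15:52,TermService,1012," + MSG.format("a"),
    "2014-03-03 11:40:18,TermService,1012," + MSG.format("FRONTDESK-PC"),
]) + "\n"

CLIENT_RE = re.compile(r"client name (\S+) exceeded")

def summarize_1012(export_text, per_minute_threshold=3):
    """Return {client: (total_events, peak_events_in_one_minute)} for every
    client whose busiest minute reaches per_minute_threshold."""
    per_minute = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(export_text)):
        # Only TermService lockout events are of interest here.
        if row["Source"] != "TermService" or row["EventID"] != "1012":
            continue
        match = CLIENT_RE.search(row["Message"])
        client = match.group(1) if match else "<unparsed>"
        ts = datetime.strptime(row["TimeGenerated"], "%Y-%m-%d %H:%M:%S")
        per_minute[client][ts.replace(second=0)] += 1  # bucket by minute
    report = {}
    for client, buckets in per_minute.items():
        peak = max(buckets.values())
        if peak >= per_minute_threshold:
            report[client] = (sum(buckets.values()), peak)
    return report

if __name__ == "__main__":
    for client, (total, peak) in summarize_1012(SAMPLE_EXPORT).items():
        print(f"{client}: {total} lockouts, peak {peak} per minute")
```

The client name in this event is supplied by the connecting client, so the flagged minutes still have to be matched against firewall logs to get a source address to block.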
 
LVL 8

Assisted Solution

by:Esteban Blanco
Esteban Blanco earned 166 total points
ID: 39901227
That's what I am thinking Korbus.  If users are just disconnecting and not logging off, that leaves their connection open unless you set the limits in the RDP-Tcp settings under the RD Session Host Configuration.  

If hackers are attacking, then he could secure it with SSL.
0

 
LVL 10

Expert Comment

by:Korbus
ID: 39901267
>>that leaves their connection open unless you set the limits in the RDP-Tcp settings under the RD Session Host Configuration.  

An excellent point, Esteban.  I feel like I remember a setting (and cannot confirm right now) that limits each TS user to a SINGLE connection.  Am I correct when I say: this setting would force users to reconnect to a disconnected session, rather than create a new one?

Securing it with SSL:  I have never done that,  does that actually prevent logon attempts somehow, or just encrypt the data for transmission?
0
 
LVL 74

Accepted Solution

by:Jeffrey Kane - TechSoEasy
Jeffrey Kane - TechSoEasy earned 167 total points
ID: 39901372
There is a worm that was strong a couple of years ago which would attack servers which used port 3389 for RDP and had very easy passwords configured.  (See:  https://blogs.technet.com/b/mmpc/archive/2011/08/28/new-worm-targeting-weak-passwords-on-remote-desktop-connections-port-3389.aspx)

If this is active on your server you need to immediately close port 3389 and then run the Microsoft Safety Scanner.

Since SBS doesn't operate as a Terminal Server (RDP is only for administrative purposes) a flood of traffic and requests could cause it to have problems, especially since your server is over 10 years old as well.  This also means that the suggestions above are not applicable.


Jeff
0
 

Author Comment

by:captjcret
ID: 39907317
I have to apologize.  I have been going by what my client tells me.  They are not disconnecting from the server; it is the Exchange server that is dismounting.  I finally got somebody to give me the right details of the problem.  They can still access data on the drive; they are losing Exchange.  The problem was simple to fix.  The Exchange server was dismounting the databases because they exceeded 18 gigabytes in size.  I went and modified the registry and increased the size limit from 18 to 40 gigabytes.  That should take care of it.
0
 

Author Closing Comment

by:captjcret
ID: 39907324
Once again, I apologize for not getting better details from my customer.
0
 
LVL 10

Expert Comment

by:Korbus
ID: 39907523
I personally don't mind at all, but FYI:  some experts' ratings may be negatively affected by giving a grade below an "A".

I'm honestly no expert on what the "proper protocol" is, but I think in this case it would be to request to delete the question.  
I wouldn't worry about it, but now you know for next time.
0
 

Author Comment

by:captjcret
ID: 39907671
Thanks, I will do so in the future.
0
 
LVL 8

Expert Comment

by:Esteban Blanco
ID: 39907687
I have to agree with Korbus on this one.  It is better to delete and just give an A to the accepted solution.  This also helps people looking for answers, so there is no confusion as to what they need to do to get something resolved.  Jeff can have my points, or whomever.
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 39916419
I'm in agreement as well --

@captjcret -- please click the "Request Attention" link just below your initial question and ask a moderator to delete this question.

Thanks.

Jeff
0
