?
Solved

SBS 2003 shutsdown or disconnects users

Posted on 2014-03-03
11
Medium Priority
?
405 Views
Last Modified: 2014-03-09
I have a small business server 2003 that disconnects everybody from the server about every other day.  In the system event log I am not seeing any errors but I am seeing at least 3 terminal service session login attempts every minute.  The termservice event ID is 1012 "Remote session from client name exceeded maximum allowed login attempts.  The session was forcibly terminated"  I am guessing that with multiple failed login attempts the server is blocking all logins.  I looked up the ID 1012 and it says that it is normal.  I have never seen it before so it doesnt look very normal to me.
0
Comment
Question by:captjcret
  • 3
  • 3
  • 3
  • +1
11 Comments
 
LVL 8

Expert Comment

by:Esteban Blanco
ID: 39901177
Are your users logging off completely or just disconnecting?
0
 
LVL 10

Assisted Solution

by:Korbus
Korbus earned 501 total points
ID: 39901188
I suggest you try to narrow down the cause of those failed logon attempts.  We had hackers (bots actually) trying to get into our system via terminal services.  Windows terminal server does NOT have the ability to detect attacks, other than having a max number of login attempts (which doesn't help much as they can just try again.)
We ended up changing the port at which users connected to terminal server.  This forced any hacker to do a "port scan" to try and find our terminal services (which our firewall could catch and then block that source IP.)

All that being said, I'm afraid I don't see how this would force all users to be disconnected.  Especially odd that such an event does not generate a log entry.

Are you certain that you have the maximum number of sessions, in terminal services configured to be greater than the number of concurrent terminal server users?
0
 
LVL 8

Assisted Solution

by:Esteban Blanco
Esteban Blanco earned 498 total points
ID: 39901227
That's what I am thinking Korbus.  If users are just disconnecting and not logging off, that leaves their connection open unless you set the limits in the RDP-Tcp settings under the RD Session Host Configuration.  

If hackers are attacking, then he could secure it with SSL.
0
[Webinar] Kill tickets & tabs using PowerShell

Are you tired of cycling through the same browser tabs everyday to close the same repetitive tickets? In this webinar JumpCloud will show how you can leverage RESTful APIs to build your own PowerShell modules to kill tickets & tabs using the PowerShell command Invoke-RestMethod.

 
LVL 10

Expert Comment

by:Korbus
ID: 39901267
>>that leaves their connection open unless you set the limits in the RDP-Tcp settings under the RD Session Host Configuration.  

An excellent point Esteban.  I feel like I remember a setting (and cannot confirm right now), that limits each TS user to a SINGLE connection.  Am  correct when I say: this setting would force users to reconnect to a disconnected session, rather than create a new one?

Securing it with SSL:  I have never done that,  does that actually prevent logon attempts somehow, or just encrypt the data for transmission?
0
 
LVL 74

Accepted Solution

by:
Jeffrey Kane - TechSoEasy earned 501 total points
ID: 39901372
There is a worm that was strong a couple of years ago which would attack servers which used port 3389 for RDP and had very easy passwords configured.  (See:  https://blogs.technet.com/b/mmpc/archive/2011/08/28/new-worm-targeting-weak-passwords-on-remote-desktop-connections-port-3389.aspx)

If this is active on your server you need to immediately close port 3389 and then run the Microsoft Safety Scanner.

Since SBS doesn't operate as a Terminal Server (RDP is only for administrative purposes) a flood of traffic and requests could cause it to have problems, especially since your server is over 10 years old as well.  This also means that the suggestions above are not applicable.


Jeff
0
 

Author Comment

by:captjcret
ID: 39907317
I have to apologize.  I have been going by what my client tells me.  They are not disconnecting from the server it is the exchange server that is dismounting.  I finally got somebody to give me the right details to the problem.  They can still access data on the drive they are losing Exchange.  The problem was simple to fix.  The exchange server was dismounting the databases because they exceeded 18 gigabytes in size.  I went and modified the registry and increased the size limit from 18 to 40 gigabytes.  That should take care of it.
0
 

Author Closing Comment

by:captjcret
ID: 39907324
Once again, I apologize for not getting better details from my customer.
0
 
LVL 10

Expert Comment

by:Korbus
ID: 39907523
I personally don't mind at all, but FYI:  some experts' ratings may be negatively affected by giving a grade below an "A".

I'm honestly no expert on what the "proper protocol" is, but I think in this case it would be to request to delete the question.  
I wouldn't worry about it, but now you know for next time.
0
 

Author Comment

by:captjcret
ID: 39907671
Thanks, I will do so in the future.
0
 
LVL 8

Expert Comment

by:Esteban Blanco
ID: 39907687
I have to agree with Korbus on this one.  It is better to delete and just give an A to the accepted solution.  This also helps people looking for answers so there is not confusion as of what they need to do to get something resolved.  Jeff can have my points or whomever.
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 39916419
I'm in agreement as well --

@captjcret -- please click the "Request Attention" link just below your initial question and ask a moderator to delete this question.

Thanks.

Jeff
0

Featured Post

Learn to develop an Android App

Want to increase your earning potential in 2018? Pad your resume with app building experience. Learn how with this hands-on course.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Exchange database can often fail to mount thereby halting the work of all users connected to it. Finding out why database isn’t mounting is crucial and getting the server back online. Stellar Phoenix Mailbox Exchange Recovery is a champion product t…
Let us take a look at the scenario, you have a database that is corrupt and you run the ESEUTIL command only to find you are unable to repair it. How do you now get the data back?
There may be issues when you are trying to access Outlook or send & receive emails or due to Outlook crash which leads to corrupt or damaged PST file. To eliminate the corruption from your PST file, you need to repair the corrupt Outlook PST file. U…
Watch the video to learn how one can deal with PST file corruption issue with an outstanding Kernel for Outlook PST Repair Tool easily. Using this tool, non-technical users can swiftly perform the repair process to restore their essential data witho…

599 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question