TermDD Event 56 unknown IP

Hi Experts, I see the occasional event being logged Event 56 TermDD

"The Terminal Server security layer detected an error in the protocol stream and has disconnected the client. Client IP:"

A few things, this is one IP address, there are 9 of these since the beginning of July, all different but IP addresses that are not part of our network.

Here is another example :

This is an SBS2011 server. Terminal Server is not loaded as a feature (or role, I can't remember which, but it's not loaded)

I can block these on my firewall, but its somewhat like playing whack-a-mole since the IP's are all different.

Does anyone have any suggestions on tracking down what this is and recommendations on how to block it? Is there a service that can be turned off on the server for example to block this, or a firewall rule?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Bryant SchaperCommented:
If they external try blocking access to the port, unless it has Internet access for some reason. In that case use VPN?  Terminal always runs the role just sets up non admin access
David AtkinTechnical DirectorCommented:
RDP will be enabled on your SBS by default.  If you want this to go away then the easiest thing to do would be to block port 3389 on your Firewall/Router.

If you want to keep RDP access to the server but stop this problem then use RDP on a different port.  I.e. block port 3389 on the router but port redirect 48715 to 3389.

The above port number is just something random.  Some other high numbered port should be fine.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
ChiITAuthor Commented:
you are right RDP is enabled. thanks both, are these just random scans to port 3389? there is no port info in that event log entry..
David AtkinTechnical DirectorCommented:
Yes that's correct. I imagine that some little script kiddy is running a scan of your ISPs IP or something and checking the ports.

Using another port for RDP is your best option really.
ChiITAuthor Commented:
I actually don't need RDP remotely, so I think I'll just block it on my firewall. thanks I'll close this out.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.