ChiIT
asked on
TermDD Event 56 unknown IP
Hi Experts, I see the occasional event being logged: Event 56, TermDD.
"The Terminal Server security layer detected an error in the protocol stream and has disconnected the client. Client IP: 46.166.186.234."
A few things, this is one IP address, there are 9 of these since the beginning of July, all different but IP addresses that are not part of our network.
Here is another example: 85.159.237.4
This is an SBS2011 server. Terminal Server is not loaded as a feature (or role, I can't remember which, but it's not loaded).
I can block these on my firewall, but it's somewhat like playing whack-a-mole since the IPs are all different.
Does anyone have any suggestions on tracking down what this is and recommendations on how to block it? Is there a service that can be turned off on the server for example to block this, or a firewall rule?
If they're external, try blocking access to the port, unless it has Internet access for some reason. In that case, use a VPN? Terminal always runs; the role just sets up non-admin access.
ASKER
You are right, RDP is enabled. Thanks both. Are these just random scans to port 3389? There is no port info in that event log entry.
Yes, that's correct. I imagine that some little script kiddie is running a scan of your ISP's IP or something and checking the ports.
Using another port for RDP is your best option really.
ASKER
I actually don't need RDP remotely, so I think I'll just block it on my firewall. Thanks, I'll close this out.
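
For tracking down what the thread describes, the following is an added example and not part of the original posts: it reports whether Remote Desktop is accepting connections and on which port, then summarises the Event 56 entries by client IP. It assumes an elevated PowerShell session on the server and that the event message contains the "Client IP:" text quoted in the question.

```powershell
# Added example: summarise TermDD Event 56 disconnects and show the RDP listener state.
# Assumption: run in an elevated PowerShell session on the affected server.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

# fDenyTSConnections = 0 means Remote Desktop connections are accepted,
# whether or not the Terminal Server / Remote Desktop Services role is installed.
$deny = (Get-ItemProperty -Path $tsKey).fDenyTSConnections
$port = (Get-ItemProperty -Path $rdpKey).PortNumber
"Remote Desktop enabled: {0}   listening port: {1}" -f ($deny -eq 0), $port

# Pull Event 56 from source TermDD out of the System log.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'TermDD'
    Id           = 56
} -ErrorAction SilentlyContinue

# The message text carries "Client IP: a.b.c.d."; extract the IPv4 address.
$pattern = 'Client IP:\s*(\d{1,3}(?:\.\d{1,3}){3})'
$hits = foreach ($e in $events) {
    if ($e.Message -match $pattern) {
        New-Object PSObject -Property @{
            Time     = $e.TimeCreated
            ClientIP = $Matches[1]
        }
    }
}

# One row per source address: how often it appeared and over what period.
$hits | Group-Object ClientIP | ForEach-Object {
    $times = @($_.Group | Sort-Object Time)   # @() keeps single results indexable
    New-Object PSObject -Property @{
        ClientIP  = $_.Name
        Count     = $_.Count
        FirstSeen = $times[0].Time
        LastSeen  = $times[-1].Time
    }
} | Sort-Object Count -Descending |
    Format-Table ClientIP, Count, FirstSeen, LastSeen -AutoSize
```

After blocking the port on the perimeter firewall, rerunning the script shows whether new Event 56 entries have stopped.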