Windows Event 56 TermDD. Am I getting hacked?

Posted on 2016-09-01
Medium Priority
Last Modified: 2016-09-01
I have a Windows 7 Pro workstation within a domain that is getting a Windows Event 56 TermDD.
The Terminal Server security layer detected an error in the protocol stream and has disconnected the client. Client (IP address).
I just noticed this and I am seeing at least 8 different public IP addresses listed. Am I getting hacked? Remote Desktop is turned on for this machine but port forwarding is not set up for this machine in the firewall.
Is this a false alarm?
Question by: TcAnthony

Accepted Solution

bas2754 earned 2000 total points
ID: 41780723
No, this is not a false alarm.  If you are getting that event in your system from multiple different external IP addresses, then there is a strong probability that somehow someone is trying to access your system.

Are you certain your firewall has not been compromised?  You can also turn on your computer's firewall and ensure that you have disabled the RDP port (3389) and that it is not possible to connect to it.  I can't tell you how it is occurring without knowing more about your setup, but if you have an older firewall and you have older firmware on it and have not updated it, or perhaps still have defaults set for usernames and passwords or have one of the many with known vulnerabilities in it, then someone may have compromised it.

How often is this occurring?  I see that this is in a domain.  Is it possible the domain controller is an SBS 2011 or SBS 2008 server that might have Remote Web Workplace set up (acts as a gateway to allow valid users to access their computers using a web login)?  If someone has gotten hold of valid credentials then they may be attempting to RDP via that interface to your system.

Are other computers getting these errors as well?  If you are not the IT admin, I would advise whoever is that there is a possible issue.

Bottom line is that until you can explain it, you need to treat it as a threat.  If you want more assistance, post more information and we can help.

Author Comment

ID: 41780729
Yes, this is SBS 2011. Nothing is still at default but it looks like I have some work to do. Thanks so much for your quick response. I will track it down immediately. I very much appreciate your immediate answer!!

Author Closing Comment

ID: 41780732
Expert was amazingly quick and correct. I love Experts-Exchange for this very reason. I cannot do business without them!!

Expert Comment

ID: 41780741
You can go into the SBS Console and disable the Remote Access for each of your systems.  In your company firewall (unless the SBS server is acting as the firewall - hopefully not), you need to block access to the RDP port (probably forwarding to that server).

The following will also guide you through disabling RWW:

In all honesty if this is occurring you need to be ready to deal with a possibly breached server and implement whatever Disaster Response / Incident Response Plans you have in place.  In all systems, including the server, you will want to export and save the event logs.  Full Malware and Virus scans need to be done on each system - particularly the server.  Additionally check the security logs on the server if that is how it is occurring and see if you can match up logins to the times on your computer.  RWW does keep a log of users I believe so you can track down the offending one.  Change all passwords immediately, and if possible kill all inbound ports to your server (this WILL impact email, VPN, etc if your server is hosting those services to outside users).

If you are an organization that handles any kind of sensitive customer data (Credit Cards, Emails, Files, Medical Records, Etc...) be ready to potentially have to file a report.  If you have coverage from your insurance company covering Data Breaches, you may want to consider contacting your insurance representative.  Many times they have resources ready to step in and guide the process.  You might also want to consider doing a full image based backup of your server for potential post-incident forensic analysis.

I know it seems overboard, but it is better to be quick on the trigger to stop things than to shrug it off and regret it later.

Let us know if we can help further.
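As an added example (not part of the thread above or of any Microsoft tooling), the triage steps the expert describes can be scripted: pull every TermDD Event 56 with its client IP, separate public from private sources, line those sources up against Security log logon events, and preserve the raw logs before anything is changed. It assumes an elevated PowerShell 3.0 or later session on the affected Windows 7 workstation (Windows 7 ships with 2.0; WMF 3.0+ must be installed) and an assumed output folder in $outDir.

```powershell
# Added example (not from the original thread): triage TermDD Event 56 on the
# affected host. Assumes an elevated PowerShell 3.0+ session on the Windows 7
# workstation; $outDir is an assumed output location.
$outDir = "$env:USERPROFILE\Desktop\termdd-triage"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# RFC 1918, loopback and link-local ranges; anything else counts as public.
function Test-PrivateIPv4 {
    param([string]$Ip)
    return [bool]($Ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|169\.254\.)')
}

# 1. Collect every TermDD Event 56 from the System log. The client address is
#    the last IPv4 literal in the message text ("... Client IP: a.b.c.d").
$ipRegex = '\d{1,3}(?:\.\d{1,3}){3}'
$filter  = @{ LogName = 'System'; ProviderName = 'TermDD'; Id = 56 }
$hits = foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
    $m = [regex]::Matches($e.Message, $ipRegex)
    if ($m.Count -gt 0) {
        $ip = $m[$m.Count - 1].Value
        [pscustomobject]@{ Time = $e.TimeCreated; ClientIP = $ip; Public = -not (Test-PrivateIPv4 $ip) }
    }
}

# 2. Summarise per source: count, public/private, first and last sighting.
$summary = $hits | Group-Object ClientIP | Sort-Object Count -Descending | ForEach-Object {
    $times = $_.Group | Sort-Object Time
    [pscustomobject]@{ ClientIP = $_.Name; Count = $_.Count; Public = $_.Group[0].Public
                       First = $times[0].Time; Last = $times[-1].Time }
}
$summary | Format-Table -AutoSize | Out-String | Tee-Object -FilePath "$outDir\termdd-summary.txt"

# 3. Pull Security log logon events (4624 success, 4625 failure) whose
#    "Source Network Address" is one of the public TermDD sources, so the
#    connection attempts can be lined up against account names and times.
$suspect = @($summary | Where-Object { $_.Public } | ForEach-Object { $_.ClientIP })
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Source Network Address:\s*(\S+)' -and $suspect -contains $Matches[1] }
$logons | Format-List TimeCreated, Id, Message | Out-File "$outDir\rdp-logons.txt"

# 4. Preserve the raw logs and record what is listening on 3389 before any
#    remediation (disabling RDP, changing firewall rules) alters the picture.
wevtutil epl System   "$outDir\System.evtx"
wevtutil epl Security "$outDir\Security.evtx"
netstat -ano | Select-String ':3389\s' | Out-File "$outDir\netstat-3389.txt"
```

A 4624 from one of the public sources in step 3 is the case the expert warns about (valid credentials in use), while a run of 4625 failures indicates guessing that has not yet succeeded; either way the exported .evtx files are what the incident response plan and any forensic review will want.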
