Solved

Windows Event 56 TermDD. Am I getting hacked?

Posted on 2016-09-01
Last Modified: 2016-09-01
I have a Windows 7 Pro workstation within a domain that is getting a Windows Event 56 TermDD.
The Terminal Server security layer detected an error in the protocol stream and has disconnected the client. Client (IP address).
I just noticed this and I am seeing at least 8 different public IP addresses listed. Am I getting hacked? Remote Desktop is turned on for this machine but port forwarding is not set up for this machine in the firewall.
Is this a false alarm?
Question by: TcAnthony
4 Comments

Accepted Solution

by: bas2754 (earned 500 total points)
No, this is not a false alarm. If you are getting that event on your system from multiple different external IP addresses, then there is a strong probability that someone is somehow trying to access your system.

Are you certain your firewall has not been compromised? You can also turn on your computer's firewall and ensure that you have disabled the RDP port (3389) and that it is not possible to connect to it. I can't tell you how it is occurring without knowing more about your setup, but if you have an older firewall with older firmware that you have not updated, or perhaps still have the default usernames and passwords set, or have one of the many models with known vulnerabilities, then someone may have compromised it.

How often is this occurring? I see that this is in a domain. Is it possible the domain controller is an SBS 2011 or SBS 2008 server that might have Remote Web Workplace set up (it acts as a gateway to allow valid users to access their computers using a web login)? If someone has gotten hold of valid credentials then they may be attempting to RDP via that interface to your system.

Are other computers getting these errors as well?  If you are not the IT admin, I would advise whoever is that there is a possible issue.  

Bottom line is that until you can explain it, you need to treat it as a threat.  If you want more assistance, post more information and we can help.

Author Comment

by: TcAnthony
Yes, this is SBS 2011. Nothing is still at default, but it looks like I have some work to do. Thanks so much for your quick response. I will track it down immediately. I very much appreciate your immediate answer!!

Author Closing Comment

by: TcAnthony
Expert was amazingly quick and correct. I love Experts-Exchange for this very reason. I cannot do business without them!!

Expert Comment

by: bas2754
You can go into the SBS Console and disable the Remote Access for each of your systems. In your company firewall (unless the SBS server is acting as the firewall - hopefully not), you need to block access to the RDP port (probably forwarding to that server).

The following will also guide you through disabling RWW:
https://technet.microsoft.com/en-us/library/cc527621(v=ws.11).aspx

In all honesty if this is occurring you need to be ready to deal with a possibly breached server and implement whatever Disaster Response / Incident Response Plans you have in place.  In all systems, including the server, you will want to export and save the event logs.  Full Malware and Virus scans need to be done on each system - particularly the server.  Additionally check the security logs on the server if that is how it is occurring and see if you can match up logins to the times on your computer.  RWW does keep a log of users I believe so you can track down the offending one.  Change all passwords immediately, and if possible kill all inbound ports to your server (this WILL impact email, VPN, etc if your server is hosting those services to outside users).

If you are an organization that handles any kind of sensitive customer data (Credit Cards, Emails, Files, Medical Records, Etc...) be ready to potentially have to file a report.  If you have coverage from your insurance company covering Data Breaches, you may want to consider contacting your insurance representative.  Many times they have resources ready to step in and guide the process.  You might also want to consider doing a full image based backup of your server for potential post-incident forensic analysis.

I know it seems overboard, but it is better to be quick on the trigger to stop things than to shrug it off and regret it later.  

Let us know if we can help further.
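As an added example (not code posted in this thread), here is a PowerShell script that carries out what bas2754 recommends on the affected workstation: it lists the public client addresses behind the Event 56 entries, checks the Security log for RDP logon events from those same addresses, and exports the event logs before any cleanup. It assumes PowerShell 3.0 or later, an elevated prompt, and that the Event 56 message text carries the address as "Client IP: x.x.x.x"; the regex, the private-range filter and the output folder are assumptions of this example.

```powershell
# Added example, not from the thread. Requires PowerShell 3.0+ and an elevated
# prompt on the affected workstation. Assumption: the Event 56 text ends with
# "Client IP: x.x.x.x" (wording may differ by build; adjust $IpRegex if so).
$Since   = (Get-Date).AddDays(-7)
$IpRegex = 'Client IP:\s*(\d{1,3}(?:\.\d{1,3}){3})'

# RFC 1918, loopback and link-local ranges; anything else is treated as public.
function Test-PrivateIPv4 {
    param([string]$Ip)
    $o = $Ip.Split('.') | ForEach-Object { [int]$_ }
    return ($o[0] -eq 10) -or ($o[0] -eq 127) -or
           ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
           ($o[0] -eq 192 -and $o[1] -eq 168) -or ($o[0] -eq 169 -and $o[1] -eq 254)
}

# 1. Every TermDD Event 56 in the System log, reduced to time + client address.
$termdd = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'TermDD'; Id = 56; StartTime = $Since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $ip = if ($_.Message -match $IpRegex) { $Matches[1] } else { 'unknown' }
    [pscustomobject]@{ Time = $_.TimeCreated; ClientIp = $ip }
}
$publicIps = $termdd.ClientIp |
    Where-Object { $_ -ne 'unknown' -and -not (Test-PrivateIPv4 $_) } | Sort-Object -Unique

# 2. Public sources with hit counts and first/last seen: the "8 different IPs" view.
$termdd | Where-Object { $publicIps -contains $_.ClientIp } |
    Group-Object ClientIp | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            ClientIp  = $_.Name; Hits = $_.Count
            FirstSeen = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen  = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } | Format-Table -AutoSize

# 3. Did any of those sources get past the protocol layer? 4624 = logon succeeded,
#    4625 = logon failed; LogonType 10 (RemoteInteractive) is RDP.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $Since } `
    -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; User = $d.TargetUserName
                           LogonType = $d.LogonType; IpAddress = $d.IpAddress }
    } | Where-Object { $publicIps -contains $_.IpAddress } | Format-Table -AutoSize

# 4. Preserve the evidence before any remediation touches the machine.
$out = Join-Path $env:USERPROFILE "Desktop\evtx-$env:COMPUTERNAME-$(Get-Date -Format yyyyMMdd-HHmm)"
New-Item -ItemType Directory -Path $out -Force | Out-Null
'System', 'Security', 'Application' | ForEach-Object { wevtutil epl $_ (Join-Path $out "$_.evtx") }
```

Step 3 only shows logons that reached the workstation itself; if the traffic arrives through Remote Web Workplace, the same 4624/4625 check belongs on the SBS server, where the gateway records the logons.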
