Solved

Windows Event 56 TermDD. Am I getting hacked?

Posted on 2016-09-01
Last Modified: 2016-09-01
I have a Windows 7 Pro workstation within a domain that is getting a Windows Event 56 TermDD.
> The Terminal Server security layer detected an error in the protocol stream and has disconnected the client. Client (IP address).
I just noticed this and I am seeing at least 8 different public IP addresses listed. Am I getting hacked? Remote Desktop is turned on for this machine but port forwarding is not set up for this machine in the firewall.
Is this a false alarm?
Question by: TcAnthony
Accepted Solution

by: bas2754 (earned 2000 total points)
ID: 41780723
No, this is not a false alarm. If you are getting that event in your system from multiple different external IP addresses, then there is a strong probability that somehow someone is trying to access your system.

Are you certain your firewall has not been compromised? You can also turn on your computer's firewall and ensure that you have disabled the RDP port (3389) and that it is not possible to connect to it. I can't tell you how it is occurring without knowing more about your setup, but if you have an older firewall with older firmware that has not been updated, or one that still has default usernames and passwords, or one of the many with known vulnerabilities, then someone may have compromised it.

How often is this occurring? I see that this is in a domain. Is it possible the domain controller is an SBS 2011 or SBS 2008 server that might have Remote Web Workplace set up (it acts as a gateway to allow valid users to access their computers using a web login)? If someone has gotten hold of valid credentials, then they may be attempting to RDP via that interface to your system.

Are other computers getting these errors as well? If you are not the IT admin, I would advise whoever is that there is a possible issue.

Bottom line is that until you can explain it, you need to treat it as a threat. If you want more assistance, post more information and we can help.
Author Comment

by: TcAnthony
ID: 41780729
Yes, this is SBS 2011. Nothing is still at default, but it looks like I have some work to do. Thanks so much for your quick response. I will track it down immediately. I very much appreciate your immediate answer!!
Author Closing Comment

by: TcAnthony
ID: 41780732
Expert was amazingly quick and correct. I love Experts-Exchange for this very reason. I cannot do business without them!!
Expert Comment

by: bas2754
ID: 41780741
You can go into the SBS Console and disable Remote Access for each of your systems. In your company firewall (unless the SBS server is acting as the firewall, hopefully not), you need to block access to the RDP port (which is probably being forwarded to that server).

The following will also guide you through disabling RWW:
https://technet.microsoft.com/en-us/library/cc527621(v=ws.11).aspx

In all honesty, if this is occurring you need to be ready to deal with a possibly breached server and implement whatever Disaster Response / Incident Response plans you have in place. On all systems, including the server, you will want to export and save the event logs. Full malware and virus scans need to be done on each system, particularly the server. Additionally, check the security logs on the server, if that is how it is occurring, and see if you can match up logins to the times on your computer. RWW does keep a log of users, I believe, so you can track down the offending one. Change all passwords immediately, and if possible kill all inbound ports to your server (this WILL impact email, VPN, etc. if your server is hosting those services for outside users).

If you are an organization that handles any kind of sensitive customer data (credit cards, emails, files, medical records, etc.), be ready to potentially have to file a report. If you have coverage from your insurance company for data breaches, you may want to consider contacting your insurance representative. Many times they have resources ready to step in and guide the process. You might also want to consider doing a full image-based backup of your server for potential post-incident forensic analysis.

I know it seems overboard, but it is better to be quick on the trigger to stop things than to shrug it off and regret it later.

Let us know if we can help further.
0
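The accepted answer asks how often the event is occurring and whether the source addresses are external, and the follow-up comment advises exporting the event logs before anything is cleaned up. The PowerShell script below is an added example written for this page, not code from the thread or from Microsoft; it pulls every Event ID 56 from the TermDD provider out of the System log, groups the entries by the client IP quoted in the message, flags RFC 1918 and loopback addresses as internal, and then exports the System, Security and Application logs with wevtutil. The export path and the 30-day window are assumptions; run it from an elevated prompt, since reading the Security log requires administrator rights.

```powershell
# Added example (not from the thread): triage TermDD Event ID 56 on a Windows 7 / 2008 R2-era host
# and preserve the event logs, as the answers above recommend. Run elevated.
param(
    [int]$Days = 30,                     # assumed look-back window
    [string]$ExportDir = 'C:\IR\logs'    # assumed export location; change to suit
)

# Rough internal/external split: RFC 1918 ranges and loopback count as internal.
function Test-PrivateIP([string]$ip) {
    return $ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.)'
}

$since = (Get-Date).AddDays(-$Days)

# Event 56 from provider TermDD is written to the System log.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'TermDD'
    Id           = 56
    StartTime    = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No TermDD event 56 entries in the last $Days days."
} else {
    # The event text ends with the client address; extract the first IPv4 literal (assumption: IPv4 clients).
    $rows = foreach ($e in $events) {
        $ip = if ($e.Message -match '(\d{1,3}(?:\.\d{1,3}){3})') { $Matches[1] } else { 'unknown' }
        [pscustomobject]@{ Time = $e.TimeCreated; ClientIP = $ip }
    }

    # One line per source address: scope, how many disconnects, and the first/last time seen.
    $rows | Group-Object ClientIP | Sort-Object Count -Descending | ForEach-Object {
        $times = $_.Group | Sort-Object Time
        [pscustomobject]@{
            ClientIP = $_.Name
            Scope    = if (Test-PrivateIP $_.Name) { 'internal' } else { 'external' }
            Count    = $_.Count
            First    = $times[0].Time
            Last     = $times[-1].Time
        }
    } | Format-Table -AutoSize
}

# Preserve the logs before scanning or rebuilding; wevtutil ships with Windows Vista and later.
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
foreach ($log in 'System', 'Security', 'Application') {
    $target = Join-Path $ExportDir ('{0}-{1}.evtx' -f $env:COMPUTERNAME, $log)
    wevtutil epl $log $target
}
```

Any address reported as external is a direct answer to the question in the thread: the RDP listener is reachable from the internet by some path (here, the SBS Remote Web Workplace gateway), and the First/Last columns give the time window to match against logon events on the server. The exported .evtx files can be opened later in Event Viewer or re-read with Get-WinEvent -Path.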