Windows Event 56 TermDD. Am I getting hacked?

Posted on 2016-09-01
Last Modified: 2016-09-01
I have a Windows 7 Pro workstation within a domain that is getting a Windows Event 56 TermDD.
The Terminal Server security layer detected an error in the protocol stream and has disconnected the client. Client (IP address).
I just noticed this and I am seeing at least 8 different public IP addresses listed. Am I getting hacked? Remote Desktop is turned on for this machine but port forwarding is not set up for this machine in the firewall.
Is this a false alarm?
Question by: TcAnthony

Accepted Solution

bas2754 earned 500 total points
ID: 41780723
No, this is not a false alarm. If you are getting that event on your system from multiple different external IP addresses, then there is a strong probability that somehow someone is trying to access your system.

Are you certain your firewall has not been compromised? You can also turn on your computer's firewall and ensure that you have disabled the RDP port (3389) and that it is not possible to connect to it. I can't tell you how it is occurring without knowing more about your setup, but if you have an older firewall with older firmware that has not been updated, or perhaps still have the default usernames and passwords set, or have one of the many firewalls with known vulnerabilities in it, then someone may have compromised it.

How often is this occurring? I see that this is in a domain. Is it possible the domain controller is an SBS 2011 or SBS 2008 server that might have Remote Web Workplace set up (it acts as a gateway to allow valid users to access their computers using a web login)? If someone has gotten hold of valid credentials, then they may be attempting to RDP via that interface to your system.

Are other computers getting these errors as well? If you are not the IT admin, I would advise whoever is that there is a possible issue.

Bottom line is that until you can explain it, you need to treat it as a threat. If you want more assistance, post more information and we can help.
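To answer the "how often" and "which addresses" questions with data rather than by scrolling the Event Viewer, the following PowerShell script (added here as an illustration; it is not from the thread or from either participant) summarises the TermDD event 56 entries in the workstation's System log by client IP, flags RFC 1918 / loopback sources so you can tell internal RWW traffic from direct external hits, and, with -Block, applies the containment the answer describes: a Windows Firewall deny rule on TCP/3389 and switching Remote Desktop off via the fDenyTSConnections value. It assumes an elevated PowerShell on the Windows 7 machine and that the event message contains the client IP as shown in the question; the rule name is made up.

```powershell
# Added example, not code from the original thread.
# Run elevated on the Windows 7 workstation.  Summarises TermDD event 56 by
# source address; pass -Block to apply containment (this also cuts off YOUR
# remote access to the box, so be on the console or ready to reach it another way).
param([switch]$Block)

# Assumption: the provider name of the kernel-mode RDP driver events is "TermDD"
# and the message text carries the client IP (as quoted in the question).
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'TermDD'; Id = 56 } `
          -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No TermDD event 56 entries found in the System log."
    return
}

$ipRegex = '(\d{1,3}\.){3}\d{1,3}'
$hits = foreach ($e in $events) {
    $m = [regex]::Match($e.Message, $ipRegex)
    if ($m.Success) {
        New-Object PSObject -Property @{ Time = $e.TimeCreated; ClientIP = $m.Value }
    }
}

# One row per source address: count, first/last seen, and whether it is a
# private or loopback address (an RWW gateway on the LAN would show up that way).
$summary = $hits | Group-Object ClientIP | ForEach-Object {
    $times = @($_.Group | Sort-Object Time)
    New-Object PSObject -Property @{
        ClientIP  = $_.Name
        Count     = $_.Count
        FirstSeen = $times[0].Time
        LastSeen  = $times[-1].Time
        Private   = ($_.Name -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.)')
    }
}
$summary | Sort-Object Count -Descending |
    Format-Table ClientIP, Count, FirstSeen, LastSeen, Private -AutoSize

if ($Block) {
    # Deny inbound TCP/3389 with the built-in firewall (netsh works on Windows 7;
    # the NetSecurity cmdlets only exist on Windows 8 / Server 2012 and later).
    netsh advfirewall firewall add rule name="Block inbound RDP 3389" dir=in action=block protocol=TCP localport=3389
    # Turn Remote Desktop off entirely (1 = deny connections).
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                     -Name fDenyTSConnections -Value 1
    Write-Host "Inbound RDP blocked and Remote Desktop disabled."
}
```

Look at the Private column first: if every source is an internal address, the disconnects are being relayed by something on the LAN (the SBS Remote Web Workplace gateway is the obvious candidate in this thread), and the real source addresses have to be pulled from that gateway's logs, not from the workstation.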

Author Comment

ID: 41780729
Yes, this is SBS 2011. Nothing is still at default, but it looks like I have some work to do. Thanks so much for your quick response. I will track it down immediately. I very much appreciate your immediate answer!!

Author Closing Comment

ID: 41780732
Expert was amazingly quick and correct. I love Experts-Exchange for this very reason. I cannot do business without them!!

Expert Comment

ID: 41780741
You can go into the SBS Console and disable Remote Access for each of your systems. In your company firewall (unless the SBS server is acting as the firewall - hopefully not), you need to block access to the RDP port (probably forwarded to that server).

The following will also guide you through disabling RWW:

In all honesty, if this is occurring you need to be ready to deal with a possibly breached server and implement whatever Disaster Response / Incident Response Plans you have in place. On all systems, including the server, you will want to export and save the event logs. Full malware and virus scans need to be done on each system - particularly the server. Additionally, check the security logs on the server, if that is how it is occurring, and see if you can match up logins to the times on your computer. RWW does keep a log of users, I believe, so you can track down the offending one. Change all passwords immediately, and if possible kill all inbound ports to your server (this WILL impact email, VPN, etc. if your server is hosting those services for outside users).

If you are an organization that handles any kind of sensitive customer data (Credit Cards, Emails, Files, Medical Records, Etc...) be ready to potentially have to file a report.  If you have coverage from your insurance company covering Data Breaches, you may want to consider contacting your insurance representative.  Many times they have resources ready to step in and guide the process.  You might also want to consider doing a full image based backup of your server for potential post-incident forensic analysis.

I know it seems overboard, but it is better to be quick on the trigger to stop things than to shrug it off and regret it later.

Let us know if we can help further.
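The two evidence-handling steps in that answer, exporting the logs before anything is changed and matching the workstation's disconnect times against logons on the server, look like this in PowerShell. This is an added illustration, not code from the thread; it assumes the exported workstation log is copied to C:\IR\ on the SBS 2011 server, that the two clocks are in sync (domain members normally are), and it uses the standard Windows Security log IDs 4624 (successful logon) and 4625 (failed logon) with their TargetUserName, IpAddress and LogonType fields. The path and the 5-minute window are arbitrary choices.

```powershell
# Added example, not code from the original thread.
# Step 1 runs elevated on the Windows 7 workstation; step 2 on the SBS 2011 server.

# --- Step 1 (workstation): preserve the logs before changing anything ---
#   wevtutil epl System   C:\IR\ws-System.evtx
#   wevtutil epl Security C:\IR\ws-Security.evtx
# then copy C:\IR\ws-System.evtx to C:\IR\ on the server.

# --- Step 2 (server): correlate TermDD 56 times with Security log logons ---
$wsLog  = 'C:\IR\ws-System.evtx'        # assumed location of the exported log
$window = New-TimeSpan -Minutes 5       # assumed tolerance for "around the same time"

# Read the workstation's disconnect events straight from the exported .evtx file.
$wsEvents = Get-WinEvent -FilterHashtable @{ Path = $wsLog; ProviderName = 'TermDD'; Id = 56 } |
            Sort-Object TimeCreated
if (-not $wsEvents) { Write-Host "No TermDD 56 events in $wsLog"; return }

# Only pull server logon events from the span that matters, plus the window either side.
$start  = $wsEvents[0].TimeCreated  - $window
$end    = $wsEvents[-1].TimeCreated + $window
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625
                                           StartTime = $start; EndTime = $end } `
          -ErrorAction SilentlyContinue

# Pull the named EventData fields out of a Security event via its XML form.
function Get-EventField {
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$rows = foreach ($e in $wsEvents) {
    $clientIP = ([regex]::Match($e.Message, '(\d{1,3}\.){3}\d{1,3}')).Value
    $near = $logons | Where-Object {
        [math]::Abs(($_.TimeCreated - $e.TimeCreated).TotalSeconds) -le $window.TotalSeconds
    }
    foreach ($l in $near) {
        New-Object PSObject -Property @{
            WsDisconnect = $e.TimeCreated
            WsClientIP   = $clientIP
            ServerTime   = $l.TimeCreated
            EventId      = $l.Id                      # 4624 = success, 4625 = failure
            User         = Get-EventField $l 'TargetUserName'
            SourceIP     = Get-EventField $l 'IpAddress'
            LogonType    = Get-EventField $l 'LogonType'   # 10 = RemoteInteractive (RDP)
        }
    }
}

$rows | Sort-Object WsDisconnect, ServerTime |
    Format-Table WsDisconnect, WsClientIP, ServerTime, EventId, User, SourceIP, LogonType -AutoSize
```

A run of 4625 failures for one account followed by a 4624 from the same SourceIP is the pattern to look for; the User column then tells you whose password to change first, and the SourceIP on the server side is the address to block upstream, since the workstation only ever saw the gateway.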
