TS session without username


Our client has a terminal server that 30 people access over the Internet. We have been noticing a login at the TS that does not show on the "Users" tab but shows on the "Sessions" tab, as shown at this link: http://www.chicagotech.net/remoteissues/ts4.htm

It appears for a minute, disappears, then reappears with a different ID. I know it might be a hacking attempt? I've never seen this before, something trying to connect. I don't know what "Connected" means...

One time, the client user name was iphone, using ID 0, which should be the console session. Right? Any ideas?

 


Bob Lin, MS-MVP. Networking, Internet, Routing, VPN Troubleshooting on

http://www.chicagotech.net

How to Setup Windows, Network, VPN & Remote Access on

http://www.howtonetworking.com

Hi Bob,

I see your screen shot is from Server 2003, so my response will reflect that.

When a user attempts to connect to the TS using the Remote Desktop Client and makes it to the server's logon screen, the session is in the Connected state. If they authenticate, the session will transition to the Active state. If they do not enter valid credentials within the timeout period, or enter invalid credentials too many times, the session will end.

The symptoms you are seeing may be a user or users who have temporarily forgotten their user name/password, and/or are typing it incorrectly, and/or are getting distracted before completing the logon. In rare cases I have seen connection problems cause this for users--they get to the logon screen but cannot complete the process before getting disconnected. Of course, it is possible that an unauthorized person is attempting to access the server.

You will need to do more investigation to make a determination. Make sure failure/success auditing of logons is enabled, and check the Security log for clues. For example, if someone attempts to log on with invalid credentials you will see a 529 event (Failure Audit) with the user name used and the source IP address. For successful logons you will see a 528 event (Success Audit) with the username and source IP. Another pertinent piece to pay attention to is the client names that show in TS Manager when this happens; compare them to the client names that have logged on successfully in the past.

Examine the logs to see if there is a match between the IP addresses where you notice a strange connection attempt versus the IP addresses that connect. If there are matches, you will know that a user is having issues; if an IP address or addresses keep making failed attempts, you will know if the server is under attack. There are automated programs that will keep attempting to connect to TS servers on the Internet using username/password guessing. One of the common clues is a series of attempted logons with the user name of administrator.

If the maximum number of failed logons is reached during a single session, you will see an event entry from TermService in the System log as well.

-tp 
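
The log comparison described in the reply above, sketched as an added example that is not part of the original thread. The record layout (event ID, user name, source IP, client name) and the `triage` function are assumptions for illustration: the sample rows are constructed, not real Security log output, and the client name is assumed to have been noted from TS Manager.

```python
from collections import defaultdict

# Constructed sample records, NOT real log output:
# (event_id, user, source_ip, client_name)
# 528 = successful logon (Success Audit), 529 = failed logon (Failure Audit).
SAMPLE_EVENTS = [
    (528, "jsmith", "203.0.113.10", "JSMITH-LAPTOP"),
    (529, "jsmith", "203.0.113.10", "JSMITH-LAPTOP"),
    (529, "administrator", "198.51.100.77", "IPHONE"),
    (529, "administrator", "198.51.100.77", "IPHONE"),
    (529, "admin", "198.51.100.77", "IPHONE"),
    (529, "administrator", "198.51.100.77", "IPHONE"),
    (528, "mjones", "203.0.113.25", "MJONES-PC"),
    (529, "mjone", "192.0.2.44", "MJONES-PC"),
]

def triage(events, fail_threshold=3):
    """Classify each source IP that produced failed logons (hypothetical helper)."""
    ok_ips, ok_clients = set(), set()
    failures = defaultdict(list)
    for event_id, user, ip, client in events:
        if event_id == 528:
            ok_ips.add(ip)
            ok_clients.add(client.upper())
        elif event_id == 529:
            failures[ip].append((user.lower(), client.upper()))

    report = {}
    for ip, attempts in failures.items():
        users = {u for u, _ in attempts}
        clients = {c for _, c in attempts}
        if ip in ok_ips:
            verdict = "known-ip"      # same address also logs on successfully
        elif clients & ok_clients:
            verdict = "known-client"  # new address, client name seen before
        elif len(attempts) >= fail_threshold:
            verdict = "suspect"       # repeated failures, nothing ties it to a user
        else:
            verdict = "unknown"
        report[ip] = {"verdict": verdict, "failures": len(attempts),
                      "users_tried": sorted(users),
                      "targets_administrator": "administrator" in users}
    return report

if __name__ == "__main__":
    for ip, row in sorted(triage(SAMPLE_EVENTS).items()):
        print(ip, row)
```

Client names are reported by the connecting client, so a "known-client" match is a hint to follow up with that user rather than proof of who connected.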


