1 hour of Terminal Server Failed Login Attempts But No Event in Security Logs
For the past month I have noticed the error below showing up in my System Events Log on my web server. It happens every 8 seconds for 50 - 59 minutes then stops. There is no pattern of the attempted breach, if that is what this is: some days no attempts, others 2 attempts, other days every 3 hours. The web server is on Windows Server 2003 SP2 with a one-week delay in security updates, general updates and hot fixes (running IIS 6, obviously).
"Source: TermService"
"Category: None"
"Event ID: 1012"
"Remote session from client name a exceeded the maximum allowed failed logon attempts. The session was forcibly terminated."
I have tried to match up the log-in failures to events in the Security Events Log but no joy. I am a System/Network Admin by default, not by choice, and I am not sure how to find the IP address(es) these attempts are coming from, how to limit the number of Terminal Server log-in attempts, lock the offending IP for 3 days and then allow the IP address access again (I want to allow the IP addresses to see my web server after 2 or 3 days in case someone spoofed an IP address that might actually need to see my web server).
Thanks in advance
Grajek
December 22nd, 2011 1:09pm
Hi Grajek,
If all you are looking for is the IP Address, you can use a packet capture tool like NetMon with filters for Port 3389 (Default RDS port) and it will show you the source IP.
http://www.microsoft.com/download/en/details.aspx?id=4865
Charles
December 22nd, 2011 1:32pm
Is Port 3389 the default port used to start a terminal session? If so, great, thanks. I would still like to know where to begin looking and implementing a way to block the IP after 50 tries to connect through Terminal Services, then unblock after a set amount of time.
Thanks
Grajek
December 22nd, 2011 1:45pm
3389 is the default destination port (Edit: which will be the port being accessed on your server), the source port will vary. (http://technet.microsoft.com/en-us/library/cc776289%28v=ws.10%29.aspx#w2k3tr_ts_tools_avec)
I'm personally not aware of a dynamic way built into the Server OS to close a port based on access attempts. You could possibly create a scheduled task script, which monitors the event log for this notification, and then after X attempts in a timespan, closes the port on the Windows firewall.
Sorry for the slow response,
Charles
December 24th, 2011 8:29pm
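A sketch of the scheduled-task approach suggested above, as an added example that is not part of the original thread. It assumes PowerShell 2.0 or later is installed and that Windows Firewall is what filters TCP 3389; the threshold, window, lockout period and state-file path are illustrative. Event 1012 as quoted carries no source IP, so the script closes the port for everyone instead of blocking one address.

```powershell
# Added example: run from a scheduled task every few minutes.
# All values below are illustrative assumptions, not settings from the thread.
$Threshold     = 50     # Event 1012 count that triggers the block
$WindowMinutes = 10     # look-back window for counting events
$LockoutHours  = 72     # how long TCP 3389 stays closed (3 days)
$StateFile     = 'C:\Scripts\rdp-block.state'   # hypothetical path; holds block start time

function Set-RdpPort([string]$Mode) {
    # Legacy "netsh firewall" context, as found on Windows Server 2003 SP1+.
    & netsh firewall set portopening protocol=TCP port=3389 name=RDP "mode=$Mode" | Out-Null
}

# Phase 1: a block is already active. Lift it once the lockout has elapsed.
if (Test-Path $StateFile) {
    $blockedAt = [datetime](Get-Content $StateFile | Select-Object -First 1)
    if ((Get-Date) -ge $blockedAt.AddHours($LockoutHours)) {
        Set-RdpPort 'ENABLE'
        Remove-Item $StateFile
    }
    return   # either still blocked or just unblocked; re-evaluate on the next run
}

# Phase 2: no block active. Count TermService 1012 events inside the window.
$since  = (Get-Date).AddMinutes(-$WindowMinutes)
$events = @(Get-EventLog -LogName System -Source TermService -After $since `
                -ErrorAction SilentlyContinue |
            Where-Object { $_.EventID -eq 1012 })

if ($events.Count -ge $Threshold) {
    Set-RdpPort 'DISABLE'
    # Record when the block started so a later run knows when to reopen the port.
    (Get-Date).ToString('o') | Set-Content $StateFile
}
```

At one event every 8 seconds, a 10-minute window sees about 75 events, so these values would trip during the bursts described in the question. Closing 3389 also cuts off legitimate Remote Desktop sessions, so console or out-of-band access is needed while the block is active.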
"I'm personally not aware of a dynamic way built into the Server OS to close a port based on access attempts. You could possibly create a scheduled task script, which monitors the event log for this notification, and then after X attempts in a timespan, closes the port on the Windows firewall."
No worries. The scheduled task is a great idea, I didn't even think about that. Happy New Year
Thanks
Grajek
December 26th, 2011 2:46pm