Windows 7 denial of service: Multiple remote logon attempts
Hi, In order to protect your computer safely, I would like to suggest you download MSE to scan your system and make sure you enable your Windows Firewall. Meanwhile, if you suspect some hack would utilize RDP to attack your computer, you can try the "Restrict each user to one session" policy.
Regards,
Spencer
TechNet Community Support
October 24th, 2012 5:45am


This last week, a work machine of mine experienced what was probably an unintentional remote desktop denial of service attack, by some over-eager remote hacker. Someone on another continent was doing a mass-logon attempt to hack my computer at 1 AM, and the Windows 7 Task Manager showed some 15-20 "WINLOGON.EXE" and "CSRSS.EXE" all running at the same time. The machine ran so slowly for me while trying to do actual work on it, that at first I suspected malware. Rebooting did not help because the remote attacker resumed their hacking attempts after the restart. Some poking around with "NETSTAT" revealed a large number of remote connections to port 3389, which is remote desktop services. The machine continued to crawl and sometimes completely hang Firefox and the desktop while I worked out the attacker's home network range, doing an ARIN WHOIS lookup on his address. Finally, when I blocked the attacker's network range at the site firewall, all the WINLOGON and CSRSS processes suddenly closed, and the machine was speedy again.

So then, is there some way to limit a remote IP address to a single Remote Desktop "logon session"? It should not be possible for an external not-logged-on user to cause a desktop machine to drag to a crawl, with it responding to 20+ simultaneous remote logon attempts from a single remote address. Since the Windows 7 desktop OS only allows one logged remote user account at a time anyway, there should never be a situation where a single remote IP address has two or more logon attempts in progress. I would say that if a remote address has one RDP logon attempt in progress and they try to open a second RDP connection, the first connection should be forced to close and the second delayed by five minutes before they can try to log on with the second connection.

This remote desktop denial of service protection would generally only apply to desktop operating systems, which due to Microsoft's licensing, only allow one remote or local user at any time. But it could also apply to servers that don't run Terminal Services and don't need more than one desktop user logged on, for administrative purposes.
October 28th, 2012 6:33am
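
Added example, not part of the original thread: a PowerShell function that turns the NETSTAT check described in the post above into a per-address count of connections to the local RDP port, flagging any remote address with two or more. The function name, parameter names and the sample lines (documentation address ranges) are constructed for illustration; it avoids cmdlets newer than the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example: count TCP connections to the local RDP port per remote address.
function Get-RdpConnectionCount {
    param(
        [string[]]$NetstatLines,   # lines of `netstat -n` output
        [int]$Port = 3389,         # local port to watch (RDP)
        [int]$Threshold = 2        # report addresses with this many connections or more
    )
    # Proto, local addr:port, foreign addr:port, state. Greedy \S+ keeps IPv6 colons intact.
    $pattern = '^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$'
    $rows = @(foreach ($line in $NetstatLines) {
        if ($line -match $pattern -and [int]$Matches[2] -eq $Port) {
            # LISTENING rows describe the service itself, not a peer
            if ($Matches[5] -ne 'LISTENING') {
                New-Object PSObject -Property @{
                    Remote = $Matches[3].Trim('[', ']')
                    State  = $Matches[5]
                }
            }
        }
    })
    if ($rows.Count -eq 0) { return }

    $rows | Group-Object Remote |
        Where-Object { $_.Count -ge $Threshold } |
        Sort-Object Count -Descending |
        ForEach-Object {
            $states = ($_.Group | ForEach-Object { $_.State } | Sort-Object -Unique) -join ','
            New-Object PSObject -Property @{
                RemoteAddress = $_.Name
                Connections   = $_.Count
                States        = $states
            }
        } | Select-Object RemoteAddress, Connections, States
}

# Constructed sample of `netstat -n` output (addresses are documentation ranges).
$sample = @'
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:3389        203.0.113.45:51512     ESTABLISHED
  TCP    192.0.2.10:3389        203.0.113.45:51513     ESTABLISHED
  TCP    192.0.2.10:3389        203.0.113.45:51514     TIME_WAIT
  TCP    192.0.2.10:3389        198.51.100.7:49822     ESTABLISHED
  TCP    192.0.2.10:49201       198.51.100.20:443      ESTABLISHED
'@ -split "`r?`n"

Get-RdpConnectionCount -NetstatLines $sample | Format-Table -AutoSize
# Live use on the affected machine: Get-RdpConnectionCount -NetstatLines (netstat -n)
```
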

This topic is archived. No further replies will be accepted.
