Question
0
Votes
Windows Server 2003 remote desktop
We are having this strange problem with our Windows Server 2003 and remote desktopping in to it from the outside. It works fine for 3 or 4 days and then starts taking forever to load the Dell background without even showing the login options before it kicks the connection out. Later it just starts locking up and then finally just never connects to the server. Solving it requires a server restart. I can't find anything wrong in the logs on the server, and our router/firewall is just reporting dropped connections, and I can't figure out what's going on or causing the problem. The router is set to allow RDP, so that's not the issue.
5th Jul
Answers (8)
0
Votes
what about from the LAN side?
How is it from the LAN side when it starts to bog down from the outside? Are you seeing the same thing or are things normal?
6th Jul
Replies
I can't say. The problem starts when nobody is around, mostly happening at night. The next day nobody has any issues.
xcabal12
6th Jul
0
Votes
At night?
Do you have anything happening on that server at night? Virus scans, defrag job, backup job or some other scheduled task? Something that could perhaps not only be causing the server to bog down and/or perhaps cause a memory leak?
Is there anything running in the background?
6th Jul
Replies
I made sure there is nothing running for the past month during the night hours, but it still happens. I also did a port scan from the outside using nmap, which showed that it started blocking all the ports, but nothing is set in the router/firewall to block them at any time.
xcabal12
6th Jul
0
Votes
Hm.
It almost sounds like you're suffering from a DoS attack (Denial-of-Service).
I don't know how easy or hard it is for you to do but one thing you can try is changing the public IP address and see how it goes. If you go that route, I might suggest you change the internal IP address too just in case the DoS attacks are actually coming from the inside of your firewall.
But before you go through that aforementioned hassle, when connecting from the outside, do you have to establish a VPN connection first? Or do you just have the port open? If the latter, I would *strongly* suggest you close that port and put in a VPN connection. Even if it's just the Microsoft RAS/PPTP (it's real easy to set up and you can secure it).
6th Jul
Replies
I will look into getting the public IP changed and setting up a VPN. The logs don't show anything like a DoS going on.
xcabal12
6th Jul
0
Votes
Thought
Have you logged in from the console and examined CPU and running tasks? Any new software, or changes recently? I'd look at getting it off the network entirely for the same amount of time it would take to have issues normally, then access it from a laptop and a crossover cable. Like Rob mentioned above, you can at least isolate the problem. A good scan might turn up some goodies too! Anyone leaving term sessions up and running? This can chew up CPU. Also, when you boot the server, do you see any errors reported in POST like CPU or memory? Maybe a fan failure?
6th Jul
Replies
Nothing in the console that shouldn't be there. Getting off the network is going to be tricky, to say the least. Nothing is being reported at boot.
xcabal12
7th Jul
0
Votes
Remote Desktop Connection Configuration
Have you tried adjusting the connection settings on the Remote Desktop software itself before connecting? You may want to at least adjust it to something other than a LAN Connection to save in the network draw.
Also, is this happening around the same time or does it vary?
7th Jul
Replies
It's already on the lowest settings, and it happens mostly after everyone leaves work, but at different times.
xcabal12
8th Jul
0
Votes
Monitor ports
Have you tried netstat or http://www.nirsoft.net/utils/cports.html to show ports in use? Also, I'm not sure what firewall you have or if you have access to it, but if your firewall has software to monitor, like Cisco ASDM, you could use that with both inside and outside addresses for the server and see if there is a DoS or something else going on. Maybe it's a virus or malware going out. I know you mentioned logs before, so if you were referring to the firewall, I apologize for the repetition. The real-time GUI can be a big help. If nothing else you can rule out traffic from the outside, and you can let it run for a while to capture what's going on before the crash, so to speak.
8th Jul
Replies
I will try that Monday and I will run a virus scan on all the computers as well. I have already started the router's monitoring as well as packet capture, so hopefully I will be able to resolve this issue.
xcabal12
8th Jul
0
Votes
Good suggestions...
Everyone who has replied has left some good basic suggestions to check out.
Since it sounds as if you have the RDP port open in your firewall, I would close that port immediately and put up some sort of VPN. As mentioned, the Microsoft RAS/PPTP is easy and can be set up fairly quickly.
Even if this doesn't clear up the problem, you would have at least secured, IMHO, a major security hole!
What is this server's role? In other words why do people RDP to it? Knowing the role of the server may help us isolate the problem even more.
9th Jul
Replies
Indeed, there are brute-force hacking tools like Tsgrinder and tscrack that can cause exactly the symptoms you describe.
Since it does not log more than three failed connection attempts, tsgrinder attempts two connections, then resets, two again, then resets.
Tsgrinder brute-forces the administrator account, since it cannot be locked out for local logons. The TS logon process uses an encrypted channel, so it cannot typically be spotted by an IDS system.
I would bet if you logged the IPs of inbound connection attempts you will see LOTS of attempts per second.
If nothing else, use some port other than 3389. Security through obscurity is better than no security.
robo_dev
9th Jul
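One way to run the check suggested in the reply above, counting inbound connection attempts per source IP, as an added example that is not part of the original thread. It assumes a W3C-style firewall log with a `#Fields:` header (the layout Windows Firewall's pfirewall.log uses); the sample records, addresses and thresholds are constructed.

```python
from collections import Counter, defaultdict

FIELDS = ("#Fields: date time action protocol src-ip dst-ip src-port dst-port "
          "size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path")

def build_sample():
    """Constructed log: one source opening 4 RDP connections/second for 5 s."""
    rows = [FIELDS]
    for sec in range(5):
        for n in range(4):
            rows.append(f"2005-01-01 23:14:{sec:02d} OPEN-INBOUND TCP 203.0.113.7 "
                        f"192.0.2.10 {40000 + sec * 4 + n} 3389 - - - - - - - - -")
    # One ordinary remote user, plus unrelated dropped traffic on another port.
    rows.append("2005-01-01 23:14:02 OPEN-INBOUND TCP 198.51.100.20 192.0.2.10 "
                "51000 3389 - - - - - - - - -")
    rows.append("2005-01-01 23:14:03 DROP TCP 198.51.100.20 192.0.2.10 "
                "51001 445 48 S 1 0 65535 - - - RECEIVE")
    return "\n".join(rows)

SAMPLE_LOG = build_sample()

def rdp_attempts(log_text, port="3389"):
    """Return {src_ip: Counter({'date time': attempts})} for TCP hits on port."""
    fields, per_src = [], defaultdict(Counter)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names come from the log itself
            continue
        if not fields or not line.strip() or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split()))
        if rec.get("protocol") != "TCP" or rec.get("dst-port") != port:
            continue
        if rec.get("action") == "CLOSE" or "src-ip" not in rec:
            continue                           # teardown records are not attempts
        per_src[rec["src-ip"]][f"{rec['date']} {rec['time']}"] += 1
    return per_src

def noisy_sources(log_text, port="3389", min_total=10, min_peak=3):
    """Sources with many attempts overall and several within one second."""
    flagged = []
    for src, buckets in rdp_attempts(log_text, port).items():
        total, peak = sum(buckets.values()), max(buckets.values())
        if total >= min_total and peak >= min_peak:
            flagged.append((src, total, peak))
    return sorted(flagged, key=lambda r: -r[1])

if __name__ == "__main__":
    for src, total, peak in noisy_sources(SAMPLE_LOG):
        print(f"{src}: {total} attempts, peak {peak}/s")
```

If RDP has been moved off 3389, pass the new port as `port`; the per-second buckets rely on the log's one-second timestamp resolution.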
0
Votes
update
I have set up an external monitor setup to find out where the issue is. I have changed the ports for RDP, so hopefully I will find out where the problem is.
I will post an update once I have enough information.