windows server 2003 remote desktop

xcabal12
We are having this strange problem with our Windows Server 2003 and remote desktopping into it from the outside. It works fine for 3, 4 days and then starts taking forever to load the Dell background, without even showing the login options before it kicks the connection out; later it just starts locking up and then finally just never connects to the server. To solve it requires a server restart. I can't find anything wrong in the logs on the server, and our router/firewall is just reporting dropped connections, and I can't figure out what's going on or causing the problem. The router is set to allow RDP, so that's not the issue.
    Rob Kuhn

    How is it from the LAN side when it starts to bog down from the outside? Are you seeing the same thing or are things normal?

    xcabal12

    I can't say; the problem starts when nobody is around, mostly happening at night. The next day nobody has any issues.

    Rob Kuhn

    Do you have anything happening on that server at night? Virus scans, defrag job, backup job or some other scheduled task? Something that could perhaps not only be causing the server to bog down and/or perhaps cause a memory leak?

    Is there anything running in the background?

    xcabal12

    I made sure there is nothing running for the past month during the night hours, but it still happens. I also did a port scan from the outside using nmap, which showed that it started blocking all the ports, but nothing is set in the router/firewall to block them at any time.


    Rob Kuhn

    Hm.

    It almost sounds like you're suffering from a DoS attack (Denial-of-Service).

    I don't know how easy or hard it is for you to do but one thing you can try is changing the public IP address and see how it goes. If you go that route, I might suggest you change the internal IP address too just in case the DoS attacks are actually coming from the inside of your firewall.

    But before you go through those aforementioned hassles, when connecting from the outside, do you have to establish a VPN connection first? Or do you just have the port open? If the latter, I would *strongly* suggest you close that port and put in a VPN connection. Even if it's just the Microsoft RAS/PPTP (it's really easy to set up and you can secure it).

    xcabal12

    I will look into getting the public IP changed and setting up a VPN; the logs don't show anything like a DoS going on.

    gdeangelis

    Have you logged in from the console and examined CPU and running tasks? Any new software, or changes recently? I'd look at getting it off the network entirely for the same amount of time it would take to have issues normally, then access it from a laptop and a crossover cable. Like Rob mentioned above, you can at least isolate the problem. A good scan might turn up some goodies too! Anyone leaving term sessions up and running? This can chew up CPU. Also, when you boot the server, do you see any errors reported in POST like CPU or memory? Maybe a fan failure?

    xcabal12

    Nothing in the console that shouldn't be there; getting off the network is going to be tricky, to say the least; nothing being reported at boot.

    supm1ke

    Have you tried adjusting the connection settings on the Remote Desktop software itself before connecting? You may want to at least adjust it to something other than a LAN Connection to save in the network draw.

    Also, is this happening around the same time or does it vary?

    xcabal12

    It's already on the lowest settings, and it happens mostly after everyone leaves work, but at different times.

    gdeangelis

    Have you tried netstat or http://www.nirsoft.net/utils/cports.html to show ports in use? Also, not sure what firewall you have or if you have access to it, but if your firewall has software to monitor like Cisco ASDM, you could use that with both inside and outside addresses for the server and see if there is a DoS or something else going on. Maybe it's a virus or malware going out. I know you mentioned logs before, so if you were referring to the firewall, I apologize for the repetition. The real-time GUI can be a big help. If nothing else you can rule out traffic from the outside, and you can let it run for a while to capture what's going on before the crash, so to speak.

    xcabal12

    I will try that Monday, and I will run a virus scan on all the computers as well. I have already started the router's monitoring as well as packet capture, so hopefully I will be able to resolve this issue.

    Rob Kuhn

    Everyone who has replied has left some good basic suggestions to check out.

    Since it sounds as if you have the RDP port open in your firewall, I would close that port immediately and put up some sort of VPN. As mentioned, the Microsoft RAS/PPTP is easy and can be set up fairly quickly.

    Even if this doesn't clear up the problem, you would have at least secured, IMHO, a major security hole! :)

    What is this server's role? In other words why do people RDP to it? Knowing the role of the server may help us isolate the problem even more.

    robo_dev

    Indeed, there are brute force hacking tools like Tsgrinder and tscrack that can cause exactly the symptoms you describe.

    Since it does not log more than three failed connection attempts, tsgrinder attempts two connections, then resets, two again, then resets.

    Tsgrinder brute forces the administrator account, since it cannot be locked out for local logons. The TS logon process uses an encrypted channel so it cannot typically be spotted by an IDS system.

    I would bet if you logged the IPs of inbound connection attempts you will see LOTS of attempts per second.

    If nothing else, use some port other than 3389. Security through obscurity is better than no security.

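    As an added example (not code from anyone in this thread), here is one way to do what robo_dev suggests: count inbound connection attempts per source address in the perimeter firewall's connection log, so that a burst-and-reset pattern which never exceeds the server's own failed-logon logging still stands out. The log line format, the addresses and the sample lines are constructed assumptions, and the port argument lets the same check follow RDP if it is moved off 3389.

```python
import re
from collections import Counter, defaultdict

# Constructed perimeter-log format (an assumption, not any vendor's real syntax):
# "<timestamp> <action> src=<ip>:<port> dst=<ip>:<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>[\d.]+):\d+ dst=[\d.]+:(?P<dport>\d+)$"
)

# Constructed sample: one normal evening login, then one address opening new
# RDP connections several times a second after hours (documentation-range IPs).
SAMPLE_LOG = """\
2011-03-04T18:02:11 accept src=198.51.100.7:51022 dst=203.0.113.10:3389
2011-03-04T23:40:05 accept src=192.0.2.44:40001 dst=203.0.113.10:3389
2011-03-04T23:40:05 accept src=192.0.2.44:40002 dst=203.0.113.10:3389
2011-03-04T23:40:05 accept src=192.0.2.44:40003 dst=203.0.113.10:3389
2011-03-04T23:40:05 accept src=192.0.2.44:40004 dst=203.0.113.10:3389
2011-03-04T23:40:06 accept src=192.0.2.44:40005 dst=203.0.113.10:3389
2011-03-04T23:40:06 drop src=192.0.2.44:40006 dst=203.0.113.10:3389
2011-03-04T23:40:07 accept src=198.51.100.7:51030 dst=203.0.113.10:445
"""

def rdp_attempts_per_second(log_text, rdp_port=3389):
    """Map each source IP to a Counter of attempts per timestamp second on rdp_port."""
    per_src = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        # Drops count too: the question is who is knocking, not who got through.
        if m and int(m.group("dport")) == rdp_port:
            per_src[m.group("src")][m.group("ts")] += 1
    return per_src

def flag_bruteforce_sources(log_text, rdp_port=3389, max_per_second=3):
    """Return [(src, peak_per_second, total)] for sources above max_per_second.

    A person logs in once; a tool that opens a couple of sessions, resets and
    repeats shows up as many fresh TCP connections per second from one address.
    """
    flagged = []
    for src, by_second in rdp_attempts_per_second(log_text, rdp_port).items():
        peak = max(by_second.values())
        if peak > max_per_second:
            flagged.append((src, peak, sum(by_second.values())))
    return sorted(flagged, key=lambda t: t[1], reverse=True)

if __name__ == "__main__":
    for src, peak, total in flag_bruteforce_sources(SAMPLE_LOG):
        print(f"{src}: peak {peak}/s, {total} attempts total")
```

    Feed it the real export from the router's connection log once the line regex is adapted to that device's format; the per-second peak is what separates a tool from a person.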
    xcabal12

    I have set up an external monitor to find out where the issue is. I have changed the ports for RDP; hopefully I will find out where the problem is.
    I will post an update once I have enough information.
