RDWeb server getting hit with odd logon requests....

Hello all,
So we have an old 2008 RDWeb machine that is handling our remote sales people's logon requests for RDWeb. We have it backed up with DUO dual authentication, just an FYI to show that this mildly insecure method is being handled by dual authentication for our protection. They are all able to log in fine and utilize the service and server.

I had one user who was having dropped connection issues, so I started poking around the server, especially in the Event Viewer. I see that all normal calls for logins are handled correctly and show as an Audit Success in the Event Viewer. However, I noticed that there were hundreds of rogue login attempts, almost akin to a brute force attack. I jumped into the firewall and blocked all unknown IP addresses accessing this server, and it stopped about 90% of these attempts, but there are still some happening, which scares me. That means that these calls have to be either made from the server itself or on the network. I will attach a picture of one such event below to show you what I'm talking about.

Notice the login account is Admin2, which is not a local account or a domain account, and also that there is no network info to track down where this came from. This happens about once a minute, give or take, but sometimes with different accounts that also do not exist, such as Christine, testsub, SAMANTHA, and other random accounts. Sometimes under the Workstation Name it will say "workstation". We do not have a PC in AD or otherwise that is called workstation, nor do we have any groups with that name.

I am at a total loss as to what to do. I do not see any rogue processes locally. I have disabled all scripts in the Task Scheduler. I do not see any rogue users logged into the server. My next idea is to wait until all remote users are off work and Wireshark the machine to see if I can see any logon calls coming into the server. Not sure if that info would be encrypted, so I may not be able to see it anyway...

Any thoughts or suggestions would be helpful.

Learning - A never ending quest for knowledge usually attained by being thrown in a situation and told to fix it NOW.
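The post above is reading the failed-logon events one at a time in Event Viewer. The following PowerShell is an added example, not code from the poster or from this thread, that pulls the same events in bulk from the Security log and summarises them by the fields that matter for attribution: target account, Workstation Name, source IP, logon type, logon process and the calling process. It assumes a Windows Server 2008 / 2008 R2 host writing Event ID 4625 (An account failed to log on) with Logon/Logoff auditing enabled; the 24-hour window and the running-from-the-server-itself default are arbitrary choices.

```powershell
# Added example (not from the thread): summarise failed logons (Event ID 4625)
# on a Windows Server 2008 / 2008 R2 host. Run from an elevated PowerShell on
# the RDWeb server, or point -ComputerName at it from an admin workstation.
# Assumptions: Security auditing of Logon/Logoff is enabled and the host
# records 4625; the 24-hour window is arbitrary.
param(
    [int]$Hours = 24,
    [string]$ComputerName = $env:COMPUTERNAME
)

$since = (Get-Date).AddHours(-$Hours)

# Only 4625 from the Security log. Get-WinEvent errors when nothing matches,
# so swallow that and treat it as zero events.
$events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $since
} -ErrorAction SilentlyContinue)

# The EventData names used below are the documented fields of 4625.
$rows = @(foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    New-Object PSObject -Property @{
        Time          = $e.TimeCreated
        TargetUser    = $data['TargetUserName']
        TargetDomain  = $data['TargetDomainName']
        Workstation   = $data['WorkstationName']
        IpAddress     = $data['IpAddress']
        IpPort        = $data['IpPort']
        LogonType     = $data['LogonType']
        Status        = $data['Status']
        SubStatus     = $data['SubStatus']
        LogonProcess  = $data['LogonProcessName']
        AuthPackage   = $data['AuthenticationPackageName']
        CallerProcess = $data['ProcessName']
    }
})

# SubStatus 0xC0000064 = user name does not exist. That is the bucket the
# poster's Admin2 / Christine / testsub / SAMANTHA attempts would fall into.
# 0xC000006A = correct user name but bad password, i.e. a real account being
# guessed, which deserves a different response.
$unknownUsers = @($rows | Where-Object { $_.SubStatus -eq '0xc0000064' })
$badPasswords = @($rows | Where-Object { $_.SubStatus -eq '0xc000006a' })

"Failed logons in the last $Hours h: $($rows.Count)"
"  unknown account : $($unknownUsers.Count)"
"  bad password    : $($badPasswords.Count)"

"`n== Failures by target account =="
$rows | Group-Object TargetUser | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

"`n== Failures by source (Workstation, IP, LogonType, LogonProcess, CallerProcess) =="
$rows | Group-Object Workstation, IpAddress, LogonType, LogonProcess, CallerProcess |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

"`n== Attempts per minute (to see the once-a-minute cadence) =="
$rows | Group-Object { $_.Time.ToString('yyyy-MM-dd HH:mm') } |
    Sort-Object Name | Select-Object Name, Count | Format-Table -AutoSize
```

How to read the output: LogonType 8 with LogonProcess Advapi is what IIS-hosted web logons such as RDWeb's form typically record, and the IpAddress/Workstation fields are then whatever IIS passed along; LogonType 3 with an IpAddress of "-" is a network logon whose remote address the server never learned, which is consistent with the "no network info" the poster saw. A non-empty CallerProcess (for example a service executable) points at something running on the server itself, whereas an empty one plus a Workstation value that exists nowhere in AD points back up the network path. The per-minute grouping is there to confirm or refute the once-a-minute cadence described above before spending a night on Wireshark.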

RE: RDWeb server getting hit with odd logon requests....

Best I can tell with Wireshark, the requests are coming from our Domain Controller. The requests are getting even more diverse in the user names they are calling now...

Learning - A never ending quest for knowledge usually attained by being thrown in a situation and told to fix it NOW.
