Kicked out of RDC sessions. Internet Explorer opens http://justmyworld.org/

  • Question

  • Hi,

    I am using my Windows XP SP3 to connect through RDC v6.0.6001 to the company's Windows 2003 server. Every day around 11 EDT I get kicked out with a window saying

    "Your remote desktop session has ended. Another user connected to the remote computer, so your connection was lost. Try connecting again, or contact technical support for assistance."

    I quickly reconnect to the server to find Internet Explorer opened at http://justmyworld.org/ and the screen size has changed. One time I found that a keyboard in Russian had been installed as well, which of course I uninstalled.

    I have Symantec Endpoint Protection v.11 installed but that has found nothing wrong. I've scanned using Sysinternals as well as the Sophos anti-rootkit tool but nothing is found. I've also run the Baseline Security Analyzer v2.2 and results are good. All this I've done on both the 2003 server and the XP computers. I've changed the RDC port on the XP computer thinking someone is connecting to my XP PC.

    Still the issue persists.

    Has somebody seen this? Is someone connecting to my server or XP client? How can I fix this?

    Thanks,

    Wednesday, October 12, 2011 9:06 PM

Answers

  • Hi,

    Thanks for posting here.

    Is this in an Active Directory environment? Are you the admin of this server host?

    It appears that another user logged on to this server with the same credentials. Please first modify the password for this account, and also check the members of the local Remote Desktop Users group to verify who has permission to log on to this host through Remote Desktop.

    Enabling users to connect remotely to the server

    http://technet.microsoft.com/en-us/library/cc781509(WS.10).aspx

    Enabling and configuring the auditing feature and verifying the audit logs will also help us determine the hostname or IP address of the suspected remote hosts that connected to this server with the credentials.

    Audit logon events

    http://technet.microsoft.com/en-us/library/cc787567(WS.10).aspx

    Furthermore, I suggest you post to the Terminal Services forum to get professional advice on securing Terminal Services on this host in this scenario.

    http://social.technet.microsoft.com/forums/en-US/winserverTS/threads/

    Thanks.

    Tiger Li


    Thursday, October 13, 2011 7:37 AM
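An added example, not part of the original thread: with logon auditing enabled as the answer suggests, the Windows Server 2003 Security log records event 528 with Logon Type 10 for Remote Desktop logons and event 682 for session reconnects, each carrying the client address. The Python code below filters such records for one account and reports any address that is not on a known list. The text layout of the records, the account name `jsmith` and the addresses are constructed for illustration.

```python
import re

# Constructed sample: three Security-log records in a simplified text layout.
# Field names follow Windows Server 2003 events 528 (successful logon) and
# 682 (session reconnected); the addresses are documentation ranges.
SAMPLE = """\
Time: 2011-10-11 10:02:11
Event ID: 528
User Name: jsmith
Logon Type: 10
Source Network Address: 192.0.2.10

Time: 2011-10-11 11:01:47
Event ID: 528
User Name: jsmith
Logon Type: 10
Source Network Address: 203.0.113.77

Time: 2011-10-11 11:03:05
Event ID: 682
User Name: jsmith
Client Address: 192.0.2.10
"""

def parse_events(text):
    """Split blank-line-separated records into dicts of field -> value."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.split(":", 1) for line in block.splitlines() if ":" in line)
        events.append({k.strip(): v.strip() for k, v in pairs})
    return events

def unexpected_rdp_sources(events, account, known):
    """Return (time, event id, address) for RDP logons or reconnects by
    `account` from an address not in `known`. Logon Type 10 = RemoteInteractive."""
    hits = []
    for e in events:
        rdp_logon = e.get("Event ID") == "528" and e.get("Logon Type") == "10"
        reconnect = e.get("Event ID") == "682"
        if not (rdp_logon or reconnect) or e.get("User Name", "").lower() != account.lower():
            continue
        addr = e.get("Source Network Address") or e.get("Client Address", "")
        if addr not in known:
            hits.append((e.get("Time"), e["Event ID"], addr))
    return hits

if __name__ == "__main__":
    print(unexpected_rdp_sources(parse_events(SAMPLE), "jsmith", {"192.0.2.10"}))
```

A hit whose time matches the "Another user connected" disconnect gives the address to investigate or block.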

All replies

  • Hi,

    Thanks for your suggestions. I changed the user password for the server as well as for the computer that accesses it with RDC and the unauthorized logons stopped. I also changed AV providers to a better brand.

    I was also using TCPView, but I could not get any details there.

    Thanks.

    Monday, November 21, 2011 5:43 PM