Terminal Services / RDP Certificate Missing

I was updating my Terminal Services settings (Administration Tools > Terminal Services Configuration > Connections > General) and under the security section, I noticed that the Certificate field lists my old VPS hostname (pre-Waco migration). When I click on edit, it opens a box that says "Select Certificate", but the list of certificates is empty.

I then tried to go into the Certificate Authority to see if I could see anything in there, but as soon as I click on it, I get an error that says:

Code:
Cannot manage Certificate Services. 

The specified service does not exist as an installed service. 0x424 (WIN32: 1060)

So, what gives? Does the certificate need to be updated in order to encrypt my TS/RDP sessions? Has it not been properly encrypted since the migration?
 
Actually, the encryption is still done.

You can install Certificate Services if you wish to change the name. It is in Windows Components.
 
Do you know why someone or something is constantly starting Terminal Service sessions using client name "a"? I sit and watch the Terminal Services Manager, and under the list of sessions I see myself and I see the listener, and then every 25 seconds I see a new session trying to connect, and the client name is simply "a". In the Event Viewer under System, it looks like for every connection attempt, the following event is logged:

"Remote session from client name a exceeded the maximum allowed failed logon attempts. The session was forcibly terminated."

So is this someone trying to brute force their way in? Is there a reason why the client name is always "a"? Is it some kind of exploit? Should I be concerned, and is there a way to stop it?
 
It is RDP brute force, best to use IPsec and block them, or better yet block all but them and your own IPs and our tech support when needed.

We can send you a base IPsec rule (but you really need a static IP for this to work); otherwise, you can just use IPsec to block.

RDP brute force is VEEEERRRYYY common.

Also, if you look in the security logs, you can ID the IP of that connection.
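
The advice above (find the source address in the Security log, then block it with IPsec), as an added example that is not part of the original thread: a Python sketch that counts failed-logon events per source address inside a sliding time window. The CSV column layout, the sample rows and the default threshold are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Failed-logon event IDs: 529 (Windows Server 2003), 4625 (Server 2008 and later).
FAILED_LOGON_IDS = {"529", "4625"}

# Constructed sample, not real log data. The column layout is an assumed CSV
# export of the Security log; the addresses are documentation-only ranges.
SAMPLE = """time,event_id,logon_type,account,source_ip
2024-01-01 09:15:00,529,10,Administrator,198.51.100.20
2024-01-01 09:15:20,528,10,Administrator,198.51.100.20
2024-01-01 10:00:00,529,10,Administrator,203.0.113.7
2024-01-01 10:00:25,529,10,Administrator,203.0.113.7
2024-01-01 10:00:50,529,10,Administrator,203.0.113.7
2024-01-01 10:01:15,529,10,Administrator,203.0.113.7
2024-01-01 10:01:40,529,10,Administrator,203.0.113.7
2024-01-01 10:02:05,529,10,Administrator,203.0.113.7
2024-01-01 12:00:00,529,2,Administrator,
2024-01-01 14:30:00,529,10,Administrator,198.51.100.20
"""

def brute_force_sources(csv_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: most failures seen inside any window} for IPs >= threshold."""
    by_ip = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Skip successful logons and events with no network source (console).
        if row["event_id"] in FAILED_LOGON_IDS and row["source_ip"]:
            by_ip[row["source_ip"]].append(
                datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S"))
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):
            # Slide the left edge until the span fits inside the window.
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    for ip, count in brute_force_sources(SAMPLE).items():
        print(f"{ip}: {count} failed logons within 5 minutes, candidate for a block rule")
```

The address with two mistyped passwords hours apart stays under the threshold, which keeps an administrator's own IP out of the block list.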
 
But why client name 'a'? Does Windows treat that as an alias for Administrator? I looked in the security log and I do see failed logins for 'Administrator', but in the system log I only see 'Remote session from client name a exceeded the maximum allowed failed logon attempts'. I assume those are the same attempts, yes?

Any experience with this?: http://www.2x.com/securerdp/
 