Terminal Services / RDP Certificate Missing

Discussion in 'Virtuozzo Windows VPS Hosting' started by homefish, Dec 12, 2011.

  1. homefish

    homefish Perch

    I was updating my Terminal Services settings (Administration Tools > Terminal Services Configuration > Connections > General) and under the security section, I noticed in the Certificate field it lists my old VPS hostname (pre-waco migration) and when I click on edit, it opens a box that says "Select Certificate" but the list of certificates is empty.

    I then tried to go into the Certificate Authority to see if I could see anything in there, but as soon as I click on it, I get an error that says:

    Cannot manage Certificate Services.
    The specified service does not exist as an installed service. 0x424 (WIN32: 1060)

    So, what gives? Does the certificate need to be updated in order to encrypt my TS/RDP sessions? Has it not been properly encrypted since the migration?
  2. Stephen

    Stephen US Operations Staff Member

    Actually the encryption is done still.

    Certificate services you can install if you wish to change the name. It is in Windows Components.
  3. homefish

    homefish Perch

    ok, good to know. thanks Stephen!
  4. homefish

    homefish Perch

    Do you know why someone or something is constantly starting Terminal Service sessions using client name "a"... I sit and watch the terminal services manager and under the list of sessions, I see myself and I see the listener, and then every 25 seconds I see a new session trying to connect, and the client name is simply "a"... In the event viewer under System, it looks like for every connection attempt, the following event is logged:

    "Remote session from client name a exceeded the maximum allowed failed logon attempts. The session was forcibly terminated."

    So is this someone trying to brute force their way in? Is there a reason why the client name is always "a"? Is it some kind of exploit? And should I be concerned and is there a way to stop it?
  5. Stephen

    Stephen US Operations Staff Member

    It is RDP brute force, best to use IPsec and block them, or better yet block all but them and your own IPs and our tech support when needed.

    We can send you a base IPsec rule (but you really need a static IP for this to work); otherwise, you can just use IPsec to block.

    RDP brute force is VEEEERRRYYY common.

    Also if you look in security logs, you can ID out the IP of that connection.
  6. homefish

    homefish Perch

    But why client name 'a'? Does Windows treat that as an alias for Administrator? I looked in the security log and I do see failed logins for 'Administrator' but in the system log I only see 'Remote session from client name a exceeded the maximum allowed failed logon attempts'. I assume those are the same attempts, yes?

    Any experience with this? http://www.2x.com/securerdp/
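
Added example, not part of the thread: one way to do the security-log lookup Stephen describes in reply 5, tallying failed logons per source address so the persistent sources can go into an IPsec block rule. It assumes Windows Server 2008 or later with PowerShell 3+, where a failed logon is Security event 4625 carrying an `IpAddress` field; the function names, the threshold and the sample records are constructed for illustration.

```powershell
# Added example (not from the thread). Names, threshold and sample data are hypothetical.
# Flatten a Security 4625 (failed logon) event into Time / Ip / User.
function ConvertFrom-FailedLogonEvent {
    param([Parameter(ValueFromPipeline = $true)] $LogEvent)
    process {
        $data = @{}
        foreach ($d in ([xml]$LogEvent.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            Time = $LogEvent.TimeCreated
            Ip   = $data['IpAddress']
            User = $data['TargetUserName']
        }
    }
}

# Tally failures per source address; keep sources at or above the threshold.
function Get-FailedLogonSource {
    param([object[]] $Record, [int] $Threshold = 5)
    $Record |
        Where-Object { $_.Ip -and $_.Ip -ne '-' } |   # skip records with no address
        Group-Object -Property Ip |
        ForEach-Object {
            $times = @($_.Group | ForEach-Object { $_.Time } | Sort-Object)
            [pscustomobject]@{
                Ip       = $_.Name
                Failures = $_.Count
                Users    = (@($_.Group | ForEach-Object { $_.User } | Sort-Object -Unique) -join ',')
                First    = $times[0]
                Last     = $times[-1]
            }
        } |
        Where-Object { $_.Failures -ge $Threshold } |
        Sort-Object -Property Failures -Descending
}

# Constructed sample: one source failing every 25 seconds, one stray failure.
$start  = Get-Date '2011-12-12T10:00:00'
$sample = @(0..11 | ForEach-Object {
    [pscustomobject]@{ Time = $start.AddSeconds(25 * $_); Ip = '203.0.113.7'; User = 'Administrator' }
})
$sample += [pscustomobject]@{ Time = $start.AddMinutes(2); Ip = '198.51.100.20'; User = 'user1' }
Get-FailedLogonSource -Record $sample | Format-Table -AutoSize

# Against the live log (elevated prompt):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 2000 |
#     ConvertFrom-FailedLogonEvent
# Get-FailedLogonSource -Record $live
```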
