Event ID 1158: "Remote Desktop Services accepted a connection from IP address xxx.xxx.xxx.xxx"

No, that event alone does not necessarily mean that an unauthorized person logged in to your server. Those events simply indicate that a TCP connection was established - it doesn't mean they entered valid credentials.

When you expose any service to the internet, you will see tons of random attempts to connect. All day, every day. Personally, I don't think exposing RDP to the internet is that dangerous, as long as you follow a few rules:

  • Always stay up to date with security patches.
  • Always use an extremely strong password.
  • Rename your administrator account.
  • Always have Network Level Authentication (NLA) enabled. This is the setting that says "Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)"

There have been a few security bulletins involving RDP over the last few years, but each time, the use of NLA mitigated the exploit. So never, ever turn it off.

The ultimate authority for knowing when someone has successfully logged on to your server or unsuccessfully tried to log on to your server is the old, trusty Security log.

You will no doubt see many Audit Failure type events in there that correspond to random people banging away at your server, just trying to guess your password.

Any time someone logs on successfully, an "Audit Success" type event will be recorded in the Security event log, event ID 4624, and it will say "An account was successfully logged on." Since you know they will have had to come in through RDP, since that is the only port open in your firewall, the Logon Type will be 2 (interactive). 10 for "Remote Interactive".

Another event log that is probably easier to sift through is the "TerminalServices-RemoteConnectionManager" log. User logon events are recorded there, too. Look for Event ID 1149 which says

Remote Desktop Services: User authentication succeeded:

User: Administrator
Domain: COMPUTER
Source Network Address: 8.8.8.8

Now if you see an event like that, that you can't explain, then you can start worrying. :)
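The triage described in this answer, as an added example that is not part of the original post: it takes Security-log 4624/4625 records and TerminalServices-RemoteConnectionManager 1149 records exported as XML (the shape `wevtutil qe <log> /f:xml` or Event Viewer's "Save as XML" produces), groups them by source IP, and separates password guessing (4625 failures) from proven RDP logons (4624 with Logon Type 10, the RemoteInteractive type the comments below settle on, or 1149). The sample records, IP addresses and the "known sources" allow list are constructed for the example; a 4624 of type 5 (service logon) is included to show that it is ignored.

```python
"""Triage RDP logon evidence from Windows events exported as XML.

Added example, not code from the original answer. Record shapes follow the
standard Windows event XML schema; the sample records below are constructed.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample export: several <Event> records wrapped in one <Events> root.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <EventID>4625</EventID><Channel>Security</Channel><TimeCreated SystemTime="2022-09-18T01:00:00Z"/></System>
 <EventData><Data Name="TargetUserName">admin</Data><Data Name="TargetDomainName">-</Data>
 <Data Name="LogonType">3</Data><Data Name="IpAddress">203.0.113.7</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <EventID>4625</EventID><Channel>Security</Channel><TimeCreated SystemTime="2022-09-18T01:00:05Z"/></System>
 <EventData><Data Name="TargetUserName">Administrator</Data><Data Name="TargetDomainName">-</Data>
 <Data Name="LogonType">3</Data><Data Name="IpAddress">203.0.113.7</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <EventID>4624</EventID><Channel>Security</Channel><TimeCreated SystemTime="2022-09-18T02:00:00Z"/></System>
 <EventData><Data Name="TargetUserName">SYSTEM</Data><Data Name="TargetDomainName">NT AUTHORITY</Data>
 <Data Name="LogonType">5</Data><Data Name="IpAddress">-</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <EventID>4624</EventID><Channel>Security</Channel><TimeCreated SystemTime="2022-09-18T03:00:00Z"/></System>
 <EventData><Data Name="TargetUserName">Administrator</Data><Data Name="TargetDomainName">COMPUTER</Data>
 <Data Name="LogonType">10</Data><Data Name="IpAddress">192.0.2.99</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <EventID>1149</EventID><Channel>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</Channel>
 <TimeCreated SystemTime="2022-09-18T03:00:00Z"/></System>
 <UserData><EventXML xmlns="Event_NS"><Param1>Administrator</Param1><Param2>COMPUTER</Param2>
 <Param3>192.0.2.99</Param3></EventXML></UserData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <EventID>4624</EventID><Channel>Security</Channel><TimeCreated SystemTime="2022-09-18T09:00:00Z"/></System>
 <EventData><Data Name="TargetUserName">Administrator</Data><Data Name="TargetDomainName">COMPUTER</Data>
 <Data Name="LogonType">10</Data><Data Name="IpAddress">198.51.100.5</Data></EventData></Event>
</Events>"""


def _local(tag):
    """Strip the XML namespace from a tag name ('{ns}Param1' -> 'Param1')."""
    return tag.rsplit("}", 1)[-1]


def _data(ev, name):
    """Return EventData/Data[@Name=name] text from a Security event, or '' if absent."""
    for d in ev.findall("e:EventData/e:Data", NS):
        if d.get("Name") == name:
            return d.text or ""
    return ""


def parse_events(xml_text):
    """Flatten 4624, 4625 and 1149 records into dicts; every other event ID is skipped."""
    records = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        eid = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        rec = {"id": eid, "time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime")}
        if eid in (4624, 4625):
            rec.update(user=_data(ev, "TargetUserName"), domain=_data(ev, "TargetDomainName"),
                       logon_type=int(_data(ev, "LogonType") or 0), ip=_data(ev, "IpAddress"))
        elif eid == 1149:
            # 1149 carries its fields as UserData/EventXML/Param1..3 (user, domain, source address).
            p = {_local(n.tag): (n.text or "") for n in ev.find("e:UserData", NS).iter()}
            rec.update(user=p.get("Param1", ""), domain=p.get("Param2", ""), ip=p.get("Param3", ""))
        else:
            continue
        records.append(rec)
    return records


def triage(records):
    """Group by source IP: failed guesses (4625) versus proven RDP logons (4624 type 10, 1149)."""
    by_ip = defaultdict(lambda: {"failures": 0, "logons": []})
    for r in records:
        if r["id"] == 4625:
            by_ip[r["ip"]]["failures"] += 1
        elif (r["id"] == 4624 and r["logon_type"] == 10) or r["id"] == 1149:
            by_ip[r["ip"]]["logons"].append((r["id"], f'{r["domain"]}\\{r["user"]}', r["time"]))
    return dict(by_ip)


def unexplained_logons(summary, known_sources):
    """Source IPs with a successful RDP logon that are not on your allow list: explain these."""
    return sorted(ip for ip, s in summary.items() if s["logons"] and ip not in known_sources)


if __name__ == "__main__":
    summary = triage(parse_events(SAMPLE_XML))
    for ip, s in sorted(summary.items()):
        print(f"{ip:15} failures={s['failures']:3} logons={len(s['logons'])}")
    # 198.51.100.5 stands in for the home-office address you expect to see (assumed).
    print("unexplained:", unexplained_logons(summary, {"198.51.100.5"}))
```

With the sample data, 203.0.113.7 shows only failures (someone guessing, nothing to worry about), 198.51.100.5 is a logon you can explain, and 192.0.2.99 is a successful logon from an unknown source, which is exactly the case the answer tells you to start worrying about. A bare 1158 connection event is deliberately not counted as evidence of anything.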

Konstantinos Xanthopoulos

Updated on September 18, 2022

Comments

  • Konstantinos Xanthopoulos over 1 year

    I have set up a home office with a local domain with just one Windows Server 2012 R2 and I have allowed port 3389 from my router to my server.

    While knowing this is dangerous, I set it up that way in order to perform several audit tests I have been told to.

    I have ZoneAlarm free edition installed, hence Windows Firewall is disabled.

    After allowing port 3389 for about a month, I have noticed this event log entry in Event Viewer:

    Event ID 1158: "Remote Desktop Services accepted a connection from IP address xxx.xxx.xxx.xxx"

    As those IPs originate from several countries, I wonder if this event log entry means that those IPs actually broke into my system, or if it just records an incoming connection that could be either accepted or rejected depending on logon success or failure, correspondingly.

    Please excuse me if this question could be easily answered, but I couldn't find any relevant answer except for the risks one takes by opening RDP on its default port.

  • Lucky Luke almost 9 years
    Slight correction, the logon type would be 11 for remote desktop. 2 is only for physical console logons (or when using a virtualization client).
  • Ryan Ries almost 9 years
    @LuckyLuke Thank you, I'll meet you at 10. :)
  • Lucky Luke almost 9 years
    I was this close to verifying :-) Yes, 10 of course. 11 are cached credentials I believe. Thanks!