| Event Id | 1006 |
| Source | TermService |
| Description | The terminal server received large number of incomplete connections. The system may be under attack. |
| Event Information | Following information from a newsgroup post may help: This sort of event may be logged into the event viewer whenever somebody repeatedly connects to the Terminal Server. This may be done by using some tool with the intention of a server attack, but it may not be the reason in all cases. If many users start attempting to connect to Terminal Server at the same time, this would also lead to this type of event occurring. A poorly written application also may lead to this event. After the server accepts a socket connection request, it will associate with a session. Whenever a terminal server gets too many sockets waiting to be connected with a session, the server will start to log this event. It is recommended to monitor the port by using a network monitoring tool and correlate the information in event viewer, for deciding further action. You can thus block/filer that specific user or the source of connection through a firewall. Following MS article will give more information. |
| Reference Links | You
cannot completely disconnect a Terminal Server connection An useful link |
Catch threats immediately
We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.