Jump to content

ASP.NET logged in TS?

Guest Bennett

By Guest Bennett
in Windows NT Server

 Share

Recommended Posts

Guest Bennett

Guest Bennett

Posted
Posted

I just checking a client's TS sessions, and saw the ASP.NET account had

logged in over the weekend and had been disconnected for 17 hours. I know

ASP.NET is a worker process, but why would it be logged in to TS? Would the

ASP.NET account be hosting a TS session for an app (which doesn't make sense

to me), or should I be concerned that someone set ASP.NET random password to

something known and is using it as a TS backdoor?

 

Has anyone ever seen ASP.NET logged into TS?

  • Replies 3
  • Created
  • Last Reply

Popular Days

Popular Days

Guest Rob Leitman [MSFT]

Guest Rob Leitman [MSFT]

Posted
Posted

Re: ASP.NET logged in TS?

 

"Bennett" <Bennett@discussions.microsoft.com> wrote in message

news:80D51C25-D7AF-4350-94A9-16A81617C1BC@microsoft.com...

>I just checking a client's TS sessions, and saw the ASP.NET account had

> logged in over the weekend and had been disconnected for 17 hours. I know

> ASP.NET is a worker process, but why would it be logged in to TS? Would

> the

> ASP.NET account be hosting a TS session for an app (which doesn't make

> sense

> to me), or should I be concerned that someone set ASP.NET random password

> to

> something known and is using it as a TS backdoor?

>

> Has anyone ever seen ASP.NET logged into TS?

 

 

ASP.NET account shouldn't be logged in unless you're running a web server on

that machine. Do you have any evidence that the account came in over TS?

 

Your best bet would be to uninstall IIS.

 

Rob

Guest Bennett

Guest Bennett

Posted
Posted

Re: ASP.NET logged in TS?

 

"Rob Leitman [MSFT]" wrote:

> "Bennett" <Bennett@discussions.microsoft.com> wrote in message

> news:80D51C25-D7AF-4350-94A9-16A81617C1BC@microsoft.com...

> >I just checking a client's TS sessions, and saw the ASP.NET account had

> > logged in over the weekend and had been disconnected for 17 hours. I know

> > ASP.NET is a worker process, but why would it be logged in to TS? Would

> > the

> > ASP.NET account be hosting a TS session for an app (which doesn't make

> > sense

> > to me), or should I be concerned that someone set ASP.NET random password

> > to

> > something known and is using it as a TS backdoor?

> >

> > Has anyone ever seen ASP.NET logged into TS?

>

>

> ASP.NET account shouldn't be logged in unless you're running a web server on

> that machine. Do you have any evidence that the account came in over TS?

>

> Your best bet would be to uninstall IIS.

>

> Rob

>

 

IIS isn't installed on this server. Thought it was required for the SQL

Server & medical software they use, but I guess not.

 

For evidence, as I said, TS Manager showed ASP.NET had been "disconnected"

for ~17 hours, so some person/app obviously knew the password and connected.

 

This is a new client and I'm wondering if the previous IT or possibly the

medical software techs are using ASP.NET to remote in. I couldn't login to

the ASP.NET connection because I don't know the password, so I just

terminated the connection. Seems odd that someone would use it as a backdoor

then disconnect instead of log off, so I'm just trying to confirm whether

there's any reason for ASP.NET to login to TS on its own before I go through

the trouble of resetting its password.

Guest Rob Leitman [MSFT]

Guest Rob Leitman [MSFT]

Posted
Posted

Re: ASP.NET logged in TS?

 

"Bennett" <Bennett@discussions.microsoft.com> wrote in message

news:29BF36CA-D5F5-4F32-9887-F2DD00ABE339@microsoft.com...

> "Rob Leitman [MSFT]" wrote:

>

>> "Bennett" <Bennett@discussions.microsoft.com> wrote in message

>> news:80D51C25-D7AF-4350-94A9-16A81617C1BC@microsoft.com...

>> >I just checking a client's TS sessions, and saw the ASP.NET account had

>> > logged in over the weekend and had been disconnected for 17 hours. I

>> > know

>> > ASP.NET is a worker process, but why would it be logged in to TS?

>> > Would

>> > the

>> > ASP.NET account be hosting a TS session for an app (which doesn't make

>> > sense

>> > to me), or should I be concerned that someone set ASP.NET random

>> > password

>> > to

>> > something known and is using it as a TS backdoor?

>> >

>> > Has anyone ever seen ASP.NET logged into TS?

>>

>>

>> ASP.NET account shouldn't be logged in unless you're running a web server

>> on

>> that machine. Do you have any evidence that the account came in over TS?

>>

>> Your best bet would be to uninstall IIS.

>>

>> Rob

>>

>

> IIS isn't installed on this server. Thought it was required for the SQL

> Server & medical software they use, but I guess not.

>

> For evidence, as I said, TS Manager showed ASP.NET had been "disconnected"

> for ~17 hours, so some person/app obviously knew the password and

> connected.

>

> This is a new client and I'm wondering if the previous IT or possibly the

> medical software techs are using ASP.NET to remote in. I couldn't login

> to

> the ASP.NET connection because I don't know the password, so I just

> terminated the connection. Seems odd that someone would use it as a

> backdoor

> then disconnect instead of log off, so I'm just trying to confirm whether

> there's any reason for ASP.NET to login to TS on its own before I go

> through

> the trouble of resetting its password.

 

 

If you aren't using IIS, at a minimum disable the account. I would be

worried about the computer being hacked, if I were you.

 

Rob

 Share
Go to topic listing
×
×
  • Create New...