Guest Bennett
Posted September 15, 2008

I was just checking a client's TS sessions, and saw the ASP.NET account had logged in over the weekend and had been disconnected for 17 hours. I know ASP.NET is a worker process, but why would it be logged in to TS? Would the ASP.NET account be hosting a TS session for an app (which doesn't make sense to me), or should I be concerned that someone set ASP.NET random password to something known and is using it as a TS backdoor?

Has anyone ever seen ASP.NET logged into TS?

Guest Rob Leitman [MSFT]
Posted September 15, 2008

Re: ASP.NET logged in TS?

"Bennett" <Bennett@discussions.microsoft.com> wrote in message news:80D51C25-D7AF-4350-94A9-16A81617C1BC@microsoft.com...
> I was just checking a client's TS sessions, and saw the ASP.NET account had
> logged in over the weekend and had been disconnected for 17 hours. I know
> ASP.NET is a worker process, but why would it be logged in to TS? Would the
> ASP.NET account be hosting a TS session for an app (which doesn't make sense
> to me), or should I be concerned that someone set ASP.NET random password to
> something known and is using it as a TS backdoor?
>
> Has anyone ever seen ASP.NET logged into TS?

ASP.NET account shouldn't be logged in unless you're running a web server on that machine. Do you have any evidence that the account came in over TS?

Your best bet would be to uninstall IIS.

Rob

Guest Bennett
Posted September 16, 2008

Re: ASP.NET logged in TS?

"Rob Leitman [MSFT]" wrote:
> "Bennett" <Bennett@discussions.microsoft.com> wrote in message
> news:80D51C25-D7AF-4350-94A9-16A81617C1BC@microsoft.com...
> > I was just checking a client's TS sessions, and saw the ASP.NET account had
> > logged in over the weekend and had been disconnected for 17 hours. I know
> > ASP.NET is a worker process, but why would it be logged in to TS? Would the
> > ASP.NET account be hosting a TS session for an app (which doesn't make sense
> > to me), or should I be concerned that someone set ASP.NET random password to
> > something known and is using it as a TS backdoor?
> >
> > Has anyone ever seen ASP.NET logged into TS?
>
> ASP.NET account shouldn't be logged in unless you're running a web server on
> that machine. Do you have any evidence that the account came in over TS?
>
> Your best bet would be to uninstall IIS.
>
> Rob

IIS isn't installed on this server. Thought it was required for the SQL Server & medical software they use, but I guess not.

For evidence, as I said, TS Manager showed ASP.NET had been "disconnected" for ~17 hours, so some person/app obviously knew the password and connected.

This is a new client and I'm wondering if the previous IT or possibly the medical software techs are using ASP.NET to remote in. I couldn't log in to the ASP.NET connection because I don't know the password, so I just terminated the connection. Seems odd that someone would use it as a backdoor then disconnect instead of log off, so I'm just trying to confirm whether there's any reason for ASP.NET to log in to TS on its own before I go through the trouble of resetting its password.

Guest Rob Leitman [MSFT]
Posted September 16, 2008

Re: ASP.NET logged in TS?

"Bennett" <Bennett@discussions.microsoft.com> wrote in message news:29BF36CA-D5F5-4F32-9887-F2DD00ABE339@microsoft.com...
> "Rob Leitman [MSFT]" wrote:
>
>> "Bennett" <Bennett@discussions.microsoft.com> wrote in message
>> news:80D51C25-D7AF-4350-94A9-16A81617C1BC@microsoft.com...
>> > I was just checking a client's TS sessions, and saw the ASP.NET account had
>> > logged in over the weekend and had been disconnected for 17 hours. I know
>> > ASP.NET is a worker process, but why would it be logged in to TS? Would the
>> > ASP.NET account be hosting a TS session for an app (which doesn't make sense
>> > to me), or should I be concerned that someone set ASP.NET random password to
>> > something known and is using it as a TS backdoor?
>> >
>> > Has anyone ever seen ASP.NET logged into TS?
>>
>> ASP.NET account shouldn't be logged in unless you're running a web server on
>> that machine. Do you have any evidence that the account came in over TS?
>>
>> Your best bet would be to uninstall IIS.
>>
>> Rob
>
> IIS isn't installed on this server. Thought it was required for the SQL
> Server & medical software they use, but I guess not.
>
> For evidence, as I said, TS Manager showed ASP.NET had been "disconnected"
> for ~17 hours, so some person/app obviously knew the password and connected.
>
> This is a new client and I'm wondering if the previous IT or possibly the
> medical software techs are using ASP.NET to remote in. I couldn't log in to
> the ASP.NET connection because I don't know the password, so I just
> terminated the connection. Seems odd that someone would use it as a backdoor
> then disconnect instead of log off, so I'm just trying to confirm whether
> there's any reason for ASP.NET to log in to TS on its own before I go through
> the trouble of resetting its password.

If you aren't using IIS, at a minimum disable the account. I would be worried about the computer being hacked, if I were you.

Rob
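
The evidence asked for in the thread (did the account really come in over TS, and from where) can be pulled from the Security log. The following PowerShell is an added example, not part of the original thread. It assumes Windows Server 2008 or later (logon event ID 4624; Server 2003 records the same logon as event ID 528), PowerShell 5.1 for `Get-LocalUser`, logon auditing enabled, and the default local account name `ASPNET`. `Get-AccountSessionLogon` is a hypothetical helper name.

```powershell
# Added example. Run elevated on the terminal server being reviewed.
$Account = 'ASPNET'                     # assumption: default name, not renamed
$Since   = (Get-Date).AddDays(-30)      # assumption: 30-day review window

# Logon types that mean a person (or tool) opened a desktop session.
$SessionLogonTypes = @{
    2  = 'Interactive (console)'
    10 = 'RemoteInteractive (TS/RDP)'
    11 = 'CachedInteractive'
}

function Get-AccountSessionLogon {
    param([string]$Account, [datetime]$Since)

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the named EventData fields from the event XML instead of
            # relying on their position in the Properties array.
            $fields = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $fields[$d.GetAttribute('Name')] = $d.InnerText
            }

            $type = [int]$fields['LogonType']
            if ($fields['TargetUserName'] -eq $Account -and $SessionLogonTypes.ContainsKey($type)) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Account     = $fields['TargetUserName']
                    LogonType   = $SessionLogonTypes[$type]
                    SourceIP    = $fields['IpAddress']
                    Workstation = $fields['WorkstationName']
                }
            }
        }
}

# Each row is a desktop-style logon by the service account, with its origin.
Get-AccountSessionLogon -Account $Account -Since $Since |
    Sort-Object Time | Format-Table -AutoSize

# A recent PasswordLastSet on an account that normally carries an
# auto-generated password is itself a finding worth recording.
Get-LocalUser -Name $Account | Select-Object Name, Enabled, LastLogon, PasswordLastSet
```

A service account such as ASPNET normally appears only with service or batch logon types, so any row returned here deserves a source-address check before the account is disabled or its password reset.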