Windows Server 2008R2
Remote Desktop Server 2008R2
In the event viewer:
TermDD error
EventID 56
The General info box says:
The Terminal Server security layer detected an error in the protocol stream and has disconnected the client. Client IP: xxx.xxx.xxx.xxx.
My question is regarding the IP address. This error occurs a few times per day with different addresses. Some of the IP addresses that are listed are external IP routable addresses that are registered to owners in foreign countries. This business has only a few users with RDP permissions and their IP addresses should be registered to common US internet service providers.
What is the significance of these foreign IP addresses? Antivirus/rootkit scans are running clean. I have not found evidence of intrusion in the Sonicwall firewall. I'm stumped.
Thanks.
TimC in Oregon