Lately, i’ve seen many event id 56 on our remote server.
it says ‘The Terminal Server security layer detected an error in the protocol stream and has disconnected the client.
Client IP: 188.8.131.52.’
Most of the client IPs belong to our users. Many of them are from countries like Russian and Germany.
I look up for ‘184.108.40.206’ and it is from Russia. I have enabled port forwarding on our remote server so it is no longer 3389.
i wonder if this is just port scanning that h a c k e r s do or our server has been compromised ? any help is appreciated. TIA