When your server shows the symptoms below:
a) a large number of log entries like the following:
Remote session from client name a exceeded the maximum allowed failed logon attempts. The session was forcibly terminated.
b) IIS is unable to start, and listing the application pools returns an error
c) intermittent interruption of the IIS service
your server might be under an RDP brute-force attack.
Because of the RDP brute-force attempts, the memory type known as “kernel unpaged pool” will be almost entirely full. There is a maximum of 256MB on a 32bit Windows installation. This will continue to cause IIS and other network services to work intermittently and finally stop entirely.
So the solution is to change the RDP port to something other than the default 3389, so the attacker will not easily know your server's port. A golden rule in IT security: do not use the default port for any service.
1) Start Registry Editor (Start > Run > type “regedit” > press Enter)
2) Locate and then click the following registry subkey:
3) On the Edit menu, click Modify, and then click Decimal.
4) Type the new port number, and then click OK.
5) Quit Registry Editor.
6) Restart the server.
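
The same change can be scripted in PowerShell. This is an added example, not part of the original article: the registry path and PortNumber value are the standard Windows location of the RDP listener port (the article's step 2 does not show it), the firewall rule and the function name Set-RdpPort are assumptions of this example, and 50389 is a constructed sample port.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article.
# Assumption: standard Windows location of the RDP listener port.
$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Set-RdpPort {
    param(
        # Stay above the well-known range and inside the valid TCP port range.
        [Parameter(Mandatory)] [ValidateRange(1025, 65535)] [int] $Port
    )

    $current = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
    Write-Host "Current RDP port: $current"
    if ($current -eq $Port) {
        Write-Host 'Port is already set; nothing to do.'
        return
    }

    # Refuse a port that another service is already listening on.
    $inUse = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
    if ($inUse) {
        throw "TCP port $Port is already in use on this server."
    }

    # Allow the new port through Windows Firewall BEFORE changing the listener,
    # otherwise the server becomes unreachable over RDP after the restart.
    New-NetFirewallRule -DisplayName "RDP custom port $Port" `
        -Direction Inbound -Protocol TCP -LocalPort $Port -Action Allow | Out-Null

    # Equivalent of steps 2 to 4: write the new decimal port number.
    Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $Port

    # Read the value back so a failed write is noticed before restarting.
    $written = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
    if ($written -ne $Port) {
        throw "Registry still shows port $written; not restarting."
    }
    Write-Host "RDP port changed from $current to $written."
}

Set-RdpPort -Port 50389      # constructed sample value; pick your own unused port

# Step 6: restart the server so the listener picks up the new port.
Restart-Computer -Confirm
```

After the restart, connect with the port appended to the host name (host:50389 in this sample) and confirm the session works before closing 3389 on any perimeter firewall.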