dankyle67

Event ID 2012: possible network intrusion

Hi,
Just recently I have been noticing on our servers one of our users logging in through Remote Desktop, but the machine name they are using is not on our network at all. I cannot ping the PC name either. I looked at the system event log and noticed numerous event ID 2012 occurrences at around 2am, and it says the remote access attempt has been denied due to the maximum number of sessions being exceeded. The server they are trying to access is set to administrative mode for remote access, so the limit is 2 concurrent users, and that is probably the only reason the rogue user could not gain access to the network. Is there a way to identify what IP address this PC is on a Windows 2003 network/server? We have a Barracuda web filter but currently had to disconnect it from the network since it was causing issues, but would this be a good way to identify or block external IP attempts on the network? Thanks.
Imal Upalakshitha

Do you RDP to your servers from external? If yes, you can't block external IPs, can you?
If you are behind a firewall you will be able to identify the source through its logs.
I think you have opened port 3389 for external access. Change the port forwarding rule settings. Do not set 3389 as the public port, because people will see you have published RDP. Change it to another port number and set the private port as 3389. Then any traffic that comes to the public port you have set will go to 3389.
Use "your hostname:public port number" in the RDP connection to connect to the server.
dankyle67

ASKER

Yes, you are correct that we opened up 3389 for external access, since we have remote users from different parts using different public IPs, so we can't block them or they won't have access to the network. What you suggested sounds like a good idea. So by changing 3389 to the private port, it will not be visible to the public that this port is available, correct? I have to make the change in the NetScreen 5GT we have for the port forwarding as you suggested. So the Barracuda web filter is not a good option at this point, you think?
ASKER CERTIFIED SOLUTION
Imal Upalakshitha