Solved

Server 2003 Security

Posted on 2006-04-27
Last Modified: 2013-12-04
I have Windows 2003 server and I keep seeing bad logins from someone in the system log. I am the only one who uses this server as it is my own personal FTP and Remote Terminal server so I know I did not log on with bad credentials for 4 weeks in a row, not to mention again I got my own password for the Admin account wrong. What can I do to look up his IP address and possibly block him? Basically, what options are available to me? I remember when this first started I found the IP address in the system log and I looked it up and found it was from the Philippines so it does not look good. I need to just stop this fast and permanently.
Question by:productivetech
5 Comments
 
LVL 32

Expert Comment

by:r-k
ID: 16559034
You can block access to the FTP server from all IPs except the one you need (using the Windows Firewall).

I would also use a fairly long password (greater than 10 chars) to prevent guessing-type attacks.

Download and run MBSA to see what patches you might need:

  http://www.microsoft.com/technet/security/tools/mbsahome.mspx
 

Author Comment

by:productivetech
ID: 16561553
I had a good password, more than 10 characters, numeric and letters. I did know I could block FTP access from all IPs except the one I needed, but I like the idea that I can access it from anywhere. I did not really want to go through a VPN but I am thinking now that a VPN would ensure that only I would be able to access it. I was thinking there would be a way to just block an IP after a number of failed logins. That way, worst case scenario, if I block myself out I would have to unblock myself. That is the way I am thinking I want to go, but I think the only way to do that would be to put a smart hardware firewall in. Maybe a Cisco or something. Any ideas?
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 16562867
There are a number of Cisco devices that can assist you with VPN, as well as other manufacturers like LinkSys. A Cisco device may be a little pricey depending on your bandwidth requirements. The Cisco 500 series are great firewalls, but I've used various LinkSys routers/firewalls with equal success.

Ultimately the VPN solution for TS/RD'ing into the server is best, if not equal to allowing only a small number of IPs or ranges access to the server. Microsoft's firewall does not log IPs but uses the "netbios name" of the server if present. A Linux host using RDesktop or TSClient will not have a name for Windows to log, so there may be even less info in the log if it were a Linux box doing this.

There are programs like TSGrinder that will try to brute-force the LocalAdmin account, as it cannot be locked out. However M$ does block that same "netbios named" pc from trying after 9 failed attempts. If there is no netbios name, M$'s terminalservice/remoteDesktop will not appear to be locked out and they can keep trying.
-rich
 

Author Comment

by:productivetech
ID: 16567004
"There are programs like TSGrinder that will try to brute-force the LocalAdmin account, as it cannot be locked out. However M$ does block that same "netbios named" pc from trying after 9 failed attempts. If there is no netbios name, M$'s terminalservice/remoteDesktop will not appear to be locked out and they can keep trying. "

Well, that sounds like my scenario. I have a firewall through a Netgear router but my firewall is fine for my needs. I am thinking maybe trying ISA and maybe a feature that will block failed attempts after a certain amount of time?

Maybe I should upgrade to SBS . . . I just want to flat out block an IP after a certain amount of failed attempts. Does ISA even do that? I will research more into ISA and proxy server but I am leery about going VPN. I hear how safe and secure it is but I just want to be able to access my server via RDP from any location or even my FTP via IE without fuss. I have a strong password; I guess I should just pretend whoever is trying to attack or break in stops . . . Just kidding
 
LVL 14

Accepted Solution

by:
canali earned 2000 total points
ID: 16570227

M$ has a policy: Account lockout threshold
Usually I configure
badPwdCount = 5
badPasswordTime = 30 min
so a brute force attack can try 5 passwords every 30 minutes ...

You can find some useful information:
http://technet2.microsoft.com/WindowsServer/en/Library/4639940c-74b3-46c8-b497-cdb7666f1e461033.mspx
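
The per-IP blocking the asker describes, sketched as an added example that is not part of the original thread: it counts failed logins per source address in a sliding window and reports the addresses that reach the 5-in-30-minutes figure from the accepted answer. The log layout, the `offenders` function and its `allow` parameter are assumptions made for illustration, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                    # failures tolerated per window (value from the answer)
WINDOW = timedelta(minutes=30)   # counting window (value from the answer)

# Constructed sample data in a hypothetical "date time source-ip account result"
# layout; a real FTP or Security log export must be mapped onto these fields.
SAMPLE_LOG = """\
2006-04-27 02:00:01 203.0.113.7 Administrator FAIL
2006-04-27 02:00:09 203.0.113.7 Administrator FAIL
2006-04-27 02:05:30 203.0.113.7 Administrator FAIL
2006-04-27 02:11:02 203.0.113.7 Administrator FAIL
2006-04-27 02:19:45 203.0.113.7 Administrator FAIL
2006-04-27 03:00:00 198.51.100.20 Administrator FAIL
2006-04-27 03:10:00 198.51.100.20 Administrator FAIL
2006-04-27 03:20:00 198.51.100.20 Administrator FAIL
2006-04-27 03:29:00 198.51.100.20 Administrator FAIL
2006-04-27 03:31:00 198.51.100.20 Administrator FAIL
2006-04-27 08:00:00 192.0.2.10 Administrator FAIL
2006-04-27 08:00:20 192.0.2.10 Administrator OK
this line is malformed and is skipped
"""

def offenders(lines, threshold=THRESHOLD, window=WINDOW, allow=()):
    """Return {source_ip: time the threshold was first reached}."""
    recent = defaultdict(deque)   # per-IP timestamps of failures still in the window
    flagged = {}
    for line in lines:
        try:
            date, clock, ip, _account, result = line.split()
            ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue              # blank or malformed line
        if result != "FAIL" or ip in allow or ip in flagged:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= window:    # forget failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = ts
    return flagged

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{when}  block candidate: {ip}")
```

Passing your own address in `allow` avoids the self-lockout case the asker mentions; the second sample source makes five attempts but never five inside one 30-minute window, so it is not reported.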