• Status: Solved

Server 2003 Security

I have a Windows 2003 server and I keep seeing bad logins from someone in the system log. I am the only one who uses this server, as it is my own personal FTP and Remote Terminal server, so I know I did not log on with bad credentials for 4 weeks in a row, not to mention again I got my own password for the Admin account wrong. What can I do to look up his IP address and possibly block him? Basically, what options are available to me? I remember when this first started I found the IP address in the system log and I looked it up and found it was from the Philippines, so it does not look good. I need to just stop this fast and permanently.
Asked: productivetech
1 Solution
 
r-k Commented:
You can block access to the FTP server from all IPs except the one you need (using the Windows Firewall).

I would also use a fairly long password (greater than 10 chars) to prevent guessing type attacks.

Download and run MBSA to see what patches you might need:

  http://www.microsoft.com/technet/security/tools/mbsahome.mspx
 
productivetech (Author) Commented:
I had a good password, more than 10 characters, numeric and letters. I did know I could block FTP access from all IPs except the one I needed, but I like the idea that I can access it from anywhere. I did not really want to go through a VPN, but I am thinking now that a VPN would ensure that only I would be able to access it. I was thinking there would be a way to just block an IP after a number of failed logins. That way, worst case scenario, if I block myself out I would have to unblock myself. That is the way I am thinking I want to go, but I think the only way to do that would be to put a smart hardware firewall in. Maybe a Cisco or something. Any ideas?
 
Rich Rumble (Security Samurai) Commented:
There are a number of Cisco devices that can assist you with VPN, as well as other manufacturers like LinkSys. A Cisco device may be a little pricey depending on your bandwidth requirements. The Cisco 500 series are great firewalls, but I've used various LinkSys router/firewalls with equal success.

Ultimately the VPN solution for TS/RD'ing into the server is best, if not equal to allowing only a small number of IPs or ranges access to the server. Microsoft's firewall does not log IPs but uses the "netbios name" of the server if present. A Linux host using RDesktop or TSClient will not have a name for Windows to log, so there may be even less info in the log if it were a Linux box doing this.

There are programs like TSGrinder that will try to brute-force the LocalAdmin account, as it cannot be locked out. However, M$ does block that same "netbios named" PC from trying after 9 failed attempts. If there is no netbios name, M$'s terminalservice/remoteDesktop will not appear to be locked out and they can keep trying.
-rich
 
productivetech (Author) Commented:
"There are programs like TSGrinder that will try to brute-force the LocalAdmin account, as it cannot be locked out. However M$ does block that same "netbios named" pc from trying after 9 failed attempts. If there is no netbios name, M$'s terminalservice/remoteDesktop will not appear to be locked out and they can keep trying."

Well, that sounds like my scenario. I have a firewall through a Netgear router, but my firewall is fine for my needs. I am thinking of maybe trying ISA, and maybe a feature that will block failed attempts after a certain amount of time?

Maybe I should upgrade to SBS . . . I just want to flat out block an IP after a certain amount of failed attempts. Does ISA even do that? I will research more into ISA and proxy server, but I am leery about going VPN. I hear how safe and secure it is, but I just want to be able to access my server via RDP from any location, or even my FTP via IE, without fuss. I have a strong password, I guess I should just pretend whoever is trying to attack or break in stops . . . Just kidding
 
canali Commented:

M$ has a policy: Account lockout threshold.
Usually I configure
badPwdCount = 5
badPasswordTime = 30 min
so a brute force attack can try 5 passwords every 30 minutes ...

You can find some useful information:
http://technet2.microsoft.com/WindowsServer/en/Library/4639940c-74b3-46c8-b497-cdb7666f1e461033.mspx
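
The per-source counting the asker wants (block an IP after a number of failed logins), as an added example that is not part of any poster's comment. It applies the 5 failures / 30 minutes values from the comment above to failed-logon events (Event ID 529 on Server 2003) and keys on source address rather than workstation name, since the name may be blank. The export columns, the sample rows and the `offenders` helper are assumptions made for illustration.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

THRESHOLD = 5                    # failures tolerated, value from the comment above
WINDOW = timedelta(minutes=30)   # counting window, value from the comment above
FAILED_LOGON = "529"             # Server 2003 event ID: unknown user name or bad password

# Constructed sample, not real log data. Assumed export columns:
# time,event_id,workstation,source_ip (workstation is empty when the client sends no name)
SAMPLE = """\
2006-01-10 02:00:01,529,,203.0.113.7
2006-01-10 02:00:04,529,,203.0.113.7
2006-01-10 02:00:09,529,,203.0.113.7
2006-01-10 02:00:15,529,,203.0.113.7
2006-01-10 02:00:21,529,,203.0.113.7
2006-01-10 02:00:30,529,,203.0.113.7
2006-01-10 08:15:00,529,LAPTOP,198.51.100.20
2006-01-10 08:15:20,528,LAPTOP,198.51.100.20
2006-01-10 09:00:00,529,,192.0.2.44
2006-01-10 09:10:00,529,,192.0.2.44
2006-01-10 09:20:00,529,,192.0.2.44
2006-01-10 09:30:00,529,,192.0.2.44
2006-01-10 09:40:00,529,,192.0.2.44
"""

def parse(export_text):
    """Yield (time, source_ip) for each failed logon that recorded an address."""
    for row in csv.reader(StringIO(export_text)):
        if len(row) == 4 and row[1] == FAILED_LOGON and row[3]:
            yield datetime.strptime(row[0], "%Y-%m-%d %H:%M:%S"), row[3]

def offenders(export_text, threshold=THRESHOLD, window=WINDOW):
    """Map each source IP to the time it first hit `threshold` failures inside `window`."""
    recent = defaultdict(deque)   # per-IP failure times still inside the window
    flagged = {}
    for when, ip in sorted(parse(export_text)):
        times = recent[ip]
        times.append(when)
        while when - times[0] > window:   # drop failures older than the window
            times.popleft()
        if len(times) >= threshold and ip not in flagged:
            flagged[ip] = when
    return flagged

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE).items():
        print(f"{ip} reached {THRESHOLD} failures at {when}: candidate for a firewall block")
```

In the sample, the owner's single mistyped password is ignored, and the source that spaces its attempts 10 minutes apart stays under the threshold, which is the rate the lockout setting leaves open.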