Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

SBS 2003 SP1 Security Alerts

Posted on 2006-07-24
10
Medium Priority
?
414 Views
Last Modified: 2010-04-19
Hi,

I notice that sometimes in my daily Server Performance Report I get different securtiy alerts such as:

---------------------------------------------------
 Security 529                        01/06/2006               05:08               32 *

Reason: Unknown user name or bad password
  User Name: btheroomyanasamo@9veloce512.fr
  Domain:  
  Logon Type: 3
  Logon Process: NtLmSsp
  Authentication Package: NTLM
  Workstation Name: AGNES
  Caller User Name: -
  Caller Domain: -
  Caller Logon ID: -
  Caller Process ID: -
  Transited Services: -
  Source Network Address: 84.97.65.131
  Source Port: 0
---------------------------------------------------
-----------------------------------------------------

These vary each time, also I get this alert occasionaly:

---------------------------------------------------
Alert on QUAY at 09/06/2006 21:42:28

An account was locked out due to multiple failed logon attempts that occurred in a short period of time. This may occur if an unauthorized user attempts to gain access to the network.

For more information about this event, see the event logs on the server computer.

You can disable this alert by using the Change Alert Notifications task in the Server Management Monitoring and Reporting taskpad.
---------------------------------------------------
-----------------------------------------------------

I have run a "Sheilds Up" test (http://www.grc.com/x/ne.dll?rh1dkyd2) and I have open the relevant ports for RDC, VPN, SMTP, POP, 80, 443, 21, 135, 139, 389, 445, 1026, 1027

What I need to work is, RDC, RWW, VPN, SMTP and POP - dont think I need 21 or 80 open, please correct if I do.
Which of the over ports can I close up?

I have asked IT pros about this in the past but they say they are just scripts scratching at the SBS door - not to worry, but I will and would prefer a further opinion.
The server is behind a very expensive hardware firewall - I am running my SBS with one NIC as a result - there is not a 2nd NIC physically installed.

Would appreciate any advise on looking down my server.

Strangely I have another SBS server in a different location with a very very similar setup but does not suffer any security alerts!

Many thanks
Jack




0
Comment
Question by:JackHodson
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
  • +1
10 Comments
 
LVL 74

Accepted Solution

by:
Jeffrey Kane - TechSoEasy earned 1400 total points
ID: 17169580
You should NOT have all those ports open.  The only ones needed for SBS are these:

25 - SMTP
443 - HTTPS (for RWW and OWA)
444 - SharePoint
1723 - PPTP VPN
3389 - RDP for remote administration
4125 - Remote Web Workplace

I am assuming that these are being opened on a ROUTER and not in your server's RRAS.  After making these changes, you can rerun the Configure Email and Internet Connection Wizard (CEICW -- which is linked as Connect to the Internet in the Server Management Console > Internet and Email) to ensure that everything is reset correctly.


Jeff
TechSpEasy
0
 
LVL 21

Assisted Solution

by:suppsaws
suppsaws earned 200 total points
ID: 17169608
Hi JackHodson,

here are the ports that 'need' to be open:
http://www.microsoft.com/technet/prodtechnol/sbs/2003/plan/gsg/appx_c.mspx

Cheers!
0
 
LVL 21

Expert Comment

by:suppsaws
ID: 17169616
JackHodson,

ow looks like Jeff was first :)
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
LVL 4

Author Comment

by:JackHodson
ID: 17170313
Thank you, i thought it may be wrong, I asked for it to be locked down except for what I needed SBS to do (provided a list of ports for them) Seems they havent followed thwe instructions, I will check with the company that provide the router, it does not belong to us, its a shared access router, we are given a public IP through it and a range of IPs that can access the internet i.e 10.37.37.1-10.

Jack
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17170626
I wouldn't have a network configured that way at all... if you are required to use this router, you should have them configure a DMZ for you to a second router that you can put in yourself and control.  So it would look like this using two NICs in your SBS:


Internet -----  Shared Access Router  ----- New Router  -----  SBS  -----  Switch ----- Lan Computers

Jeff
TechSoEasy
0
 
LVL 4

Author Comment

by:JackHodson
ID: 17170764
Not a bad idea that, I will enquire with this, Thanks
0
 
LVL 9

Assisted Solution

by:DanKoster
DanKoster earned 400 total points
ID: 17172667
135 and 139 are File and Print sharing ports, very bad to have open.  A lot of the attempts could have come from here, and you should be concerned that someone may have been successful.  If they were indeed open, in my opinion you really need to flatten and reinstall on that box.  Maybe the chances are low, but there is a chance you have a rootkit on that machine now that's doing who knows what for the viagra market among other potential problems.  

Port 21 is FTP, you don't want that (don't trust the IIS built in FTP if you did need an FTP server)

Port 80 is a typical web site.  You should leave your public websites on a third party server.  Port 443 is a secured web site, that's what you'll be wanting for RWW and OWA.
0
 
LVL 4

Author Comment

by:JackHodson
ID: 17174103
Iv got it all locked down now, god knows why it was so open - the shields up test is now just as it should be.

DanKoster - I know what you are saying about a re-install, right at this point I would like to avoide it because of downtime, I will keep a close eye on the situation.

Thanks
Jack
0
 
LVL 21

Expert Comment

by:suppsaws
ID: 17174111
Jack,

You can also do some scanning yourself to see if the worst holes are closed with MBSA:
http://www.microsoft.com/technet/security/tools/mbsahome.mspx
0
 
LVL 4

Author Comment

by:JackHodson
ID: 17174225
Thanks, i just ran that tool, impressive data readout - it will help!
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You may have discovered the 'Compatibility View Settings' workaround for making your SBS 2008 Remote Web Workplace 'connect to a computer' section stops 'working around' after a Windows 10 client upgrade.  That can be fixed so it 'works around' agai…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
In this video, Percona Director of Solution Engineering Jon Tobin discusses the function and features of Percona Server for MongoDB. How Percona can help Percona can help you determine if Percona Server for MongoDB is the right solution for …
How to fix incompatible JVM issue while installing Eclipse While installing Eclipse in windows, got one error like above and unable to proceed with the installation. This video describes how to successfully install Eclipse. How to solve incompa…
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question