Jack
asked on
SBS 2003 SP1 Security Alerts
Hi,
I notice that sometimes in my daily Server Performance Report I get different security alerts such as:
-------------------------- ---------- ---------- -----
Security 529 01/06/2006 05:08 32 *
Reason: Unknown user name or bad password
User Name: btheroomyanasamo@9veloce51 2.fr
Domain:
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: AGNES
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 84.97.65.131
Source Port: 0
-------------------------- ---------- ---------- -----
-------------------------- ---------- ---------- -------
These vary each time; also I get this alert occasionally:
-------------------------- ---------- ---------- -----
Alert on QUAY at 09/06/2006 21:42:28
An account was locked out due to multiple failed logon attempts that occurred in a short period of time. This may occur if an unauthorized user attempts to gain access to the network.
For more information about this event, see the event logs on the server computer.
You can disable this alert by using the Change Alert Notifications task in the Server Management Monitoring and Reporting taskpad.
-------------------------- ---------- ---------- -----
-------------------------- ---------- ---------- -------
I have run a "Shields Up" test (http://www.grc.com/x/ne.dll?rh1dkyd2) and I have opened the relevant ports for RDC, VPN, SMTP, POP, 80, 443, 21, 135, 139, 389, 445, 1026, 1027.
What I need to work is RDC, RWW, VPN, SMTP and POP - I don't think I need 21 or 80 open; please correct me if I do.
Which of the other ports can I close up?
I have asked IT pros about this in the past but they say they are just scripts scratching at the SBS door - not to worry, but I will and would prefer a further opinion.
The server is behind a very expensive hardware firewall - I am running my SBS with one NIC as a result - there is not a 2nd NIC physically installed.
Would appreciate any advice on locking down my server.
Strangely I have another SBS server in a different location with a very very similar setup but does not suffer any security alerts!
Many thanks
Jack
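As an added illustration (not part of the thread), a small Python script that parses event 529 blocks in the report layout quoted above and flags external sources of repeated NTLM network-logon failures. It assumes the number after the time in the header line is the occurrence count, and takes the LAN range from the 10.37.37.x addresses mentioned later in this thread; the sample report is constructed.

```python
import re
from ipaddress import ip_address, ip_network
# Constructed sample in the layout of the SBS Server Performance Report quoted above
# (trimmed to the fields used here). Record 1 copies the event in the post; record 2 is
# made up. The number after the time ("32") is read as the occurrence count (assumption).
SAMPLE_REPORT = """\
Security 529 01/06/2006 05:08 32 *
Reason: Unknown user name or bad password
User Name: btheroomyanasamo
Logon Type: 3
Authentication Package: NTLM
Source Network Address: 84.97.65.131
Security 529 01/06/2006 07:15 2 *
Reason: Unknown user name or bad password
User Name: jack
Logon Type: 3
Authentication Package: NTLM
Source Network Address: 10.37.37.5
"""

INTERNAL_NETS = [ip_network("10.37.37.0/24")]  # LAN range mentioned later in the thread
HEADER = re.compile(r"^Security (\d+) \S+ \S+ (\d+)")  # "Security <id> <date> <time> <count>"

def parse_report(text):
    """One dict per event block: header fields plus every 'Key: value' line under it."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"event_id": int(m.group(1)), "count": int(m.group(2))})
        elif records and ":" in line:
            key, _, value = line.partition(":")
            records[-1][key.strip().lower().replace(" ", "_")] = value.strip() or None
    return records

def is_external(addr):
    """True for an address that is not in any known LAN range."""
    if not addr or addr == "-":
        return False  # local logons carry "-" or no address at all; not a remote source
    ip = ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)

def flag_suspicious(records, threshold=10):
    """Failed network (type 3) NTLM logons from outside the LAN at or above threshold."""
    return [(r["source_network_address"], r.get("user_name"), r["count"])
            for r in records
            if r["event_id"] == 529 and r.get("logon_type") == "3"
            and r.get("authentication_package") == "NTLM"
            and is_external(r.get("source_network_address")) and r["count"] >= threshold]
```

A hit on a public source address with logon type 3 and NtLmSsp is what you would expect if SMB/RPC ports such as 135, 139 or 445 are reachable from the Internet, which is why the open-port list in the post matters more than the individual alert.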
ASKER
Thank you, I thought it may be wrong. I asked for it to be locked down except for what I needed SBS to do (provided a list of ports for them). Seems they haven't followed the instructions. I will check with the company that provides the router; it does not belong to us, it's a shared access router, we are given a public IP through it and a range of IPs that can access the internet, i.e. 10.37.37.1-10.
Jack
Jack
I wouldn't have a network configured that way at all... if you are required to use this router, you should have them configure a DMZ for you to a second router that you can put in yourself and control. So it would look like this using two NICs in your SBS:
Internet ----- Shared Access Router ----- New Router ----- SBS ----- Switch ----- Lan Computers
Jeff
TechSoEasy
ASKER
Not a bad idea that, I will enquire with this, Thanks
ASKER
I've got it all locked down now, god knows why it was so open - the Shields Up test is now just as it should be.
DanKoster - I know what you are saying about a re-install; right at this point I would like to avoid it because of downtime. I will keep a close eye on the situation.
Thanks
Jack
Jack,
You can also do some scanning yourself to see if the worst holes are closed with MBSA:
http://www.microsoft.com/technet/security/tools/mbsahome.mspx
ASKER
Thanks, I just ran that tool, impressive data readout - it will help!
Now it looks like Jeff was first :)