  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2737

SBS 2003 R2 - Event 529 - Failed Login attempts from external IP

Hi,

Running Windows SBS 2003 R2 with RWW and OWA enabled through relevant Port Forwards on our external Hardware Firewall.

Last night came across the following Event ID entries, with 35 entries logged under Event ID 529:-

"Logon Failure:
       Reason:      Unknown user name or bad password
       User Name:      administrator
       Domain:      OURDOMAIN
       Logon Type:      10
       Logon Process:      User32
       Authentication Package:      Negotiate
       Workstation Name:      OURSERVER
       Caller User Name:      OURSERVER$
       Caller Domain:      OURDOMAIN
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      7172
       Transited Services:      -
       Source Network Address:      62.103.68.179
       Source Port:      11791"

Whilst I'm familiar with Event 529 errors, this is the first I've come across from an external IP address.

The address seems to nslookup to a host in Germany, definitely not one of our workers then!

I'm unfamiliar with Source Port 11791 though.

Two questions:-

1. Is this an unauthorised user trying to login via Remote Web Workplace?
2. If so - is there anything I can do to harden up the security to prevent hack attempts like this in future?

Any suggestions appreciated.

Regards,

Richard Tubb.
MarkMichael commented:
Quote from http://www.windowsecurity.com/articles/Logon-Types.html

When you access a computer through Terminal Services, Remote Desktop or Remote Assistance, Windows logs the logon attempt with logon type 10, which makes it easy to distinguish true console logons from a remote desktop session. Note however that prior to XP, Windows 2000 doesn't use logon type 10 and terminal services logons are reported as logon type 2.

Hope this helps.
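The logon type quoted above is the field that separates the two entry points the rest of this thread turns on: type 10 means the guess came in over Terminal Services (the 3389 forward), while type 3 is a network logon such as the RWW/OWA form or SMTP authentication. The following Python script is an added example, not code from the thread or from the article quoted: it parses 529 event bodies in the layout shown in the question, discards failures whose Source Network Address is on the LAN, groups the rest by source address, user name and logon type, and returns the addresses that crossed a failure threshold, which is the list one would paste into the IIS "Denied" addresses or a firewall rule. The event bodies are constructed samples in the Event Viewer format; 203.0.113.7 and 198.51.100.9 are documentation addresses, and the threshold of five, the LAN ranges and the function names are assumptions.

```python
"""Triage of Windows Server 2003 Event ID 529 (logon failure) bodies.
Added example; event texts below are constructed, not real log data."""
import ipaddress
import re
from collections import Counter, defaultdict

# Logon types as Windows Server 2003 reports them (the ones this thread hits).
LOGON_TYPES = {
    2: "Interactive (local console)",
    3: "Network (IIS/RWW/OWA form login, SMB, SMTP auth)",
    10: "RemoteInteractive (Terminal Services / Remote Desktop, TCP 3389)",
}

# Assumed LAN ranges that can never be an Internet attacker: RFC1918, loopback, link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# "   Field Name:      value", one per line, as the 529 description is written.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")

def parse_529(body):
    """Turn the multi-line 529 description into a dict of field -> value."""
    fields = {}
    for line in body.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def is_external(addr):
    """True when the Source Network Address lies outside INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:       # '-' or blank: Windows recorded no address
        return False
    return not any(ip in net for net in INTERNAL_NETS)

def triage(events, threshold=5):
    """Group external 529 failures by source; keep sources with >= threshold failures."""
    per_source = defaultdict(lambda: {"count": 0, "users": Counter(), "types": Counter()})
    for body in events:
        f = parse_529(body)
        src = f.get("Source Network Address", "-")
        if not is_external(src):
            continue
        try:
            ltype = int(f.get("Logon Type", "0"))
        except ValueError:
            ltype = 0
        rec = per_source[src]
        rec["count"] += 1
        rec["users"][f.get("User Name", "?")] += 1
        rec["types"][LOGON_TYPES.get(ltype, "Other (type %d)" % ltype)] += 1
    return {src: rec for src, rec in per_source.items() if rec["count"] >= threshold}

def deny_list(events, threshold=5):
    """Flagged source addresses, numerically sorted, for the IIS deny list or firewall."""
    return sorted(triage(events, threshold), key=ipaddress.ip_address)

def entry_points(report):
    """Which exposed service each flagged source was hitting, from the logon type alone."""
    return sorted({t for rec in report.values() for t in rec["types"]})

def make_event(user, logon_type, src, port, domain="OURDOMAIN", server="OURSERVER"):
    """Render one constructed 529 body in the Event Viewer layout (subset of fields)."""
    process = "User32" if logon_type == 10 else "Advapi"
    return "\n".join([
        "Logon Failure:",
        "       Reason:      Unknown user name or bad password",
        "       User Name:      %s" % user,
        "       Domain:      %s" % domain,
        "       Logon Type:      %d" % logon_type,
        "       Logon Process:      %s" % process,
        "       Workstation Name:      %s" % server,
        "       Caller User Name:      %s$" % server,
        "       Caller Domain:      %s" % domain,
        "       Source Network Address:      %s" % src,
        "       Source Port:      %d" % port,
    ])

# Constructed sample; 203.0.113.7 and 198.51.100.9 are documentation addresses.
SAMPLE_EVENTS = (
    # five Terminal Services (type 10) guesses at 'administrator', as in the question
    [make_event("administrator", 10, "62.103.68.179", 11791 + i) for i in range(5)]
    # three network (type 3) guesses via the RWW form, using names from the thread
    + [make_event(u, 3, "203.0.113.7", 40000 + i)
       for i, u in enumerate(["user", "swpupd", "besadmin"])]
    # six type 3 guesses alternating 'admin' and 'Administrator'
    + [make_event(("admin", "Administrator")[i % 2], 3, "198.51.100.9", 50000 + i)
       for i in range(6)]
    # two console failures from the LAN: a worker mistyping a password, not an attack
    + [make_event("rtubb", 2, "192.168.16.5", 0) for _ in range(2)]
)

if __name__ == "__main__":
    report = triage(SAMPLE_EVENTS)
    for src, rec in report.items():
        print(src, rec["count"], dict(rec["users"]), dict(rec["types"]))
    print("deny:", deny_list(SAMPLE_EVENTS))
    print("hit via:", entry_points(report))
```

With the sample above, the 62.103.68.179 source is flagged with five type 10 failures (so the 3389 forward is the path in use) and 198.51.100.9 with six type 3 failures (the IIS or SMTP path), while the three guesses from 203.0.113.7 stay under the threshold and the LAN failures are never counted. Lowering `threshold` to 3 adds 203.0.113.7 to the deny list; the types reported for each address tell you which forward to close or put two-factor in front of.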
netlinkrtubb (Author) commented:
Thanks Mark.

Neglected to mention that I'd read that same article just before posting - but thanks for posting it anyway. :-)

Presumably this logon attempt is somebody either attempting to access the SBS 2003 server directly by TS (Port 3389 is forwarded on our Firewall) - or by logging in through RWW then?

Regards,

Richard Tubb.
netlinkrtubb (Author) commented:
Had another spate of login attempts overnight, this time from a different IP address using common logon names such as "user", "administrator", "swpupd", "besadmin", etc.

My question is - how can I harden off RWW to prevent against these attempts (or should I just accept them as a matter of fact) - and is there any way to block future attempts from the unauthorised IP addresses that are attempting to access RWW?

Regards,

Richard Tubb.
netlinkrtubb (Author) commented:
Once again, another spate of logon attempts from the same IP address.

I've taken the step of going into IIS Manager on SBS 2003, and adding the IP address in question to the list of "Denied" addresses for RWW.

Can anybody suggest whether this would be the best course of action?

Regards,

Richard Tubb.
netlinkrtubb (Author) commented:
Another spate of attacks today, from a new IP address, probing the usernames "admin" and "Administrator".

I've subsequently added that IP address to the Denied addresses for the RWW Virtual Web-Site in IIS Manager, but am curious to find out whether there is a more pro-active way of stopping these types of attacks.

Regards,

Richard Tubb.
SyscomDT commented:
I've been dealing with similar login attempts on some SBS 2003 Servers with Login Type 3, which can come from the RWW initial login screen, or from an SMTP attack. I've been referred to RWW-Guard from Scorpion Software, which adds two-factor authentication to RWW: http://www.scorpionsoft.com/products/rww-guard/index.html
Another option is Auth-Anvil from the same company: http://www.scorpionsoft.com/products/authanvil/index.html

I was hoping to find a solution to block login after multiple failed attempts, but have not discovered a solution as of yet.
-Scott
Syscom Digital Technologies, LLC.
netlinkrtubb (Author) commented:
Thanks for the posts all.

The unauthorised login attempts (Type 10) I was encountering were as a result of Port 3389 (Terminal Services) being unnecessarily open. Now I've closed off this port, the login attempts have dropped substantially.

Going forwards, Scott's suggestion of two factor authentication for RWW is a good one - Auth-Anvil has some high recommendations from what I've read.

After a couple of months of observation, I'm seeing very few Login Type 3 attempts now - so it would seem locking down Port 3389 and a strong password policy are the best first steps to take if you're experiencing this same issue.

Regards,

Richard Tubb.