netlinkrtubb
asked on
SBS 2003 R2 - Event 529 - Failed Login attempts from external IP
Hi,
Running Windows SBS 2003 R2 with RWW and OWA enabled through relevant Port Forwards on our external Hardware Firewall.
Last night came across the following Event ID entries, with 35 entries logged under Event ID 529:-
"Logon Failure:
Reason: Unknown user name or bad password
User Name: administrator
Domain: OURDOMAIN
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: OURSERVER
Caller User Name: OURSERVER$
Caller Domain: OURDOMAIN
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 7172
Transited Services: -
Source Network Address: 62.103.68.179
Source Port: 11791"
Whilst I'm familiar with Event 529 errors, this is the first I've come across from an external IP address.
The address seems to nslookup to a host in Germany, definitely not one of our workers then!
I'm unfamiliar with Source Port 11791 though.
Two questions:-
1. Is this an unauthorised user trying to login via Remote Web Workplace?
2. If so - is there anything I can do to harden up the security to prevent hack attempts like this in future?
Any suggestions appreciated.
Regards,
Richard Tubb.
ASKER
Had another spate of login attempts overnight, this time from a different IP address using common logon names such as "user", "administrator", "swpupd", "besadmin", etc.
My question is - how can I harden off RWW to prevent against these attempts (or should I just accept them as a matter of fact) - and is there any way to block future attempts from the unauthorised IP addresses that are attempting to access RWW?
Regards,
Richard Tubb.
ASKER
Once again, another spate of logon attempts from the same IP address.
I've taken the step of going into IIS Manager on SBS 2003, and adding the IP address in question to the list of "Denied" addresses for RWW.
Can anybody suggest whether this would be the best course of action?
Regards,
Richard Tubb.
ASKER
Another spate of attacks today, from a new IP address, probing the usernames "admin" and "Administrator".
I've subsequently added that IP address to the Denied addresses for the RWW Virtual Web-Site in IIS Manager, but am curious to find out whether there is a more pro-active way of stopping these types of attacks.
Regards,
Richard Tubb.
ASKER
Thanks for the posts all.
The unauthorised login attempts (Type 10) I was encountering were as a result of Port 3389 (Terminal Services) being unnecessarily open. Now I've closed off this port, the login attempts have dropped substantially.
Going forwards, Scott's suggestion of two-factor authentication for RWW is a good one - Auth-Anvil has some high recommendations from what I've read.
After a couple of months of observation, I'm seeing very few Login Type 3 attempts now - so it would seem locking down Port 3389 and a strong password policy are the best first steps to take if you're experiencing this same issue.
Regards,
Richard Tubb.
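The Event 529 body quoted in the question carries everything needed to tell an RWW/OWA web logon (Logon Type 3) apart from a Terminal Services logon on TCP 3389 (Logon Type 10) and to see which external addresses are guessing which usernames. The script below is an added example and is not code from this thread or from Experts Exchange: it parses 529 bodies in the layout shown in the question, keeps only sources outside RFC 1918 / loopback space, and reports any source that exceeds a failure threshold together with the logon types it used. The sample events, the 203.0.113.x address (an RFC 5737 documentation range standing in for a second external host), the internal 192.168.16.5 address and the threshold of 5 are all constructed for illustration; only 62.103.68.179 and the username list come from the thread.

```python
"""Aggregate Windows Event 529 (failed logon) records and flag external
password-guessing against an SBS 2003 host exposing RWW/OWA or TCP 3389.

Added example for this thread, not code from the original page. The body
layout follows the 529 event quoted in the question; sample data is constructed."""

import ipaddress
import re
from collections import Counter, defaultdict

# Logon Type values as recorded in the Windows 2003 Security log.
LOGON_TYPES = {
    2: "Interactive (console)",
    3: "Network (SMB, IIS web auth such as RWW/OWA)",
    10: "RemoteInteractive (Terminal Services / RDP, TCP 3389)",
}

# Addresses treated as internal; anything else is "external" for alerting.
# RFC 1918 ranges plus loopback and link-local (assumption: the LAN uses RFC 1918 space).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+):\s*(.*?)\s*$")


def parse_529(body):
    """Turn the 'Key: value' lines of one Event 529 body into a dict."""
    fields = {}
    for line in body.strip().splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    try:
        fields["Logon Type"] = int(fields.get("Logon Type", 0))
    except ValueError:
        fields["Logon Type"] = 0
    return fields


def is_external(addr):
    """True for a routable address outside the internal ranges; '-' or blank is not external."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def summarize(events, threshold=5):
    """Group external failures by source address; return sources at or over threshold."""
    by_source = defaultdict(lambda: {"count": 0, "users": Counter(), "types": Counter()})
    for ev in map(parse_529, events):
        src = ev.get("Source Network Address", "-")
        if not is_external(src):
            continue
        entry = by_source[src]
        entry["count"] += 1
        entry["users"][ev.get("User Name", "?").lower()] += 1
        entry["types"][ev["Logon Type"]] += 1
    alerts = []
    for src, entry in by_source.items():
        if entry["count"] >= threshold:
            exposure = ", ".join(LOGON_TYPES.get(t, f"type {t}") for t in sorted(entry["types"]))
            alerts.append({"source": src, "count": entry["count"],
                           "usernames": sorted(entry["users"]), "exposure": exposure})
    return sorted(alerts, key=lambda a: -a["count"])


def _sample_event(user, logon_type, src):
    """Constructed 529 body in the layout quoted in the question (abridged fields)."""
    return f"""Logon Failure:
Reason: Unknown user name or bad password
User Name: {user}
Domain: OURDOMAIN
Logon Type: {logon_type}
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: OURSERVER
Source Network Address: {src}
Source Port: 11791"""


# Constructed sample: 6 RDP-style failures from the address in the question,
# 3 web-style failures from a documentation-range address, 4 console failures from the LAN.
SAMPLE_EVENTS = (
    [_sample_event("administrator", 10, "62.103.68.179")] * 6
    + [_sample_event(u, 3, "203.0.113.45") for u in ("admin", "Administrator", "besadmin")]
    + [_sample_event("rtubb", 2, "192.168.16.5")] * 4
)

if __name__ == "__main__":
    for alert in summarize(SAMPLE_EVENTS, threshold=3):
        print(f"{alert['source']}: {alert['count']} failures, users={alert['usernames']}, "
              f"via {alert['exposure']}")
```

A source whose failures are all Logon Type 10 points at TCP 3389 being reachable from the Internet, which matches the asker's eventual finding; Type 3 failures against the same usernames point at the RWW/OWA web front end instead, where an IIS deny entry or two-factor authentication is the relevant control.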
ASKER
Neglected to mention that I'd read that same article just before posting - but thanks for posting it anyway. :-)
Presumably this logon attempt is somebody either attempting to access the SBS 2003 server directly by TS (Port 3389 is forwarded on our Firewall) - or by logging in through RWW then?
Regards,
Richard Tubb.