Securing MS Server 2003 against unauthorized login attempts/attack

Hi!
I would like to ask what I can do against people who try to log in to our server (MS Server 2003) and they do not have the permission - we have many times in our logs messages like this (with many different account names - in the below example it is 'php', but there are many others, such as 'info', 'student', 'admin', etc...):

**********************************
The server was unable to logon the Windows NT account 'php' due to the following error: Logon failure: unknown user name or bad password.  The data is the error code.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
**********************************

It happens quite often and every second there are several attempts (there are thousands of queries) and I am afraid it takes too much time of our server work...

can it be avoided? how?

thanks!

Peter
pplan Asked:
 
r-k Commented:
The most important thing you can do is to implement an account lockout policy, i.e. if the wrong password is guessed N times in a row, then the account is locked out for M minutes. Make N=10 and M=10, and you will foil just about any password guessing attack.
For how to implement this, see e.g.: http://www.visualwin.com/Log-in/lockout-durations.html
I typically set all three values to 10.
There is one exception, the Administrator account cannot be locked out, but if you set a relatively long (say 10 chars or more) password that is not a simple name, phrase or word, you will pretty much assure that no one can guess it for a very long time.
When you check the event logs, the logon type tells you what type of logon was attempted. A type of 8 indicates someone trying to connect to the FTP server.

The above is only one part of the solution. The others include: Firewall, Security patches, disabling unnecessary services, regular monitoring, etc.

I also recommend running a scan on your server with MBSA:
http://www.microsoft.com/technet/security/tools/mbsahome.mspx
and following as many suggestions as reasonable.
0
 
tlbrittain Commented:
A good start is to shut down any unnecessary services - this will close ports that are not needed for operation of the server.
0
 
arunexp Commented:
Is FTP enabled for this server? If it is not FTP access, then it could be some attack. If you are not using FTP, stop FTP on the server and stop all unused services.
0
 
pplan (Author) Commented:
Thanks for your advice - it is certainly an attack on our server

We can not stop FTP, as we need this service running on our server

my idea was for example how to limit number of unsuccessful attempts to login to our server from one IP address  - let's say after one IP address makes 3 unsuccessful attempts to login, then this IP address will have to wait for 30 minutes till next time it can try again to log in

is this possible in MS Server 2003 ? or any other idea?

thanks!

Peter
0
 
cshepfam Commented:
For what you're asking, I have to use third party software for that. You said you need FTP so I suggest getting software to meet the needs of your request.


Titan FTP Server is a great selection.  With that, if someone tries to hack in, you can set the number of times they can try.  Afterwards, it will ban that IP address automatically and email you to let you know.  It will log the IP, date, time, and what username/password they attempted to use.


I don't believe Windows has that option.  You will just have to check the Security Events for successful and failure logins.
0
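The two policies discussed in this thread, r-k's per-account lockout (all three values set to 10) and the asker's per-IP idea (3 failures, then a 30 minute wait), replayed over a constructed burst of failed logons. This is an added example, not code from any poster and not a Windows or Titan FTP feature; the class, function names, addresses and events are hypothetical.

```python
from datetime import datetime, timedelta

class FailureLockout:
    """Lock a key (account name or source IP) for `duration_min` minutes after
    `threshold` failed logons within `window_min` minutes."""

    def __init__(self, threshold, window_min, duration_min):
        self.threshold = threshold
        self.window = timedelta(minutes=window_min)
        self.duration = timedelta(minutes=duration_min)
        self.failures = {}      # key -> timestamps of recent failures
        self.locked_until = {}  # key -> time at which the lock expires

    def is_locked(self, key, now):
        return now < self.locked_until.get(key, datetime.min)

    def record_failure(self, key, now):
        """Count one failed logon; return False if a lock refused it outright."""
        if self.is_locked(key, now):
            return False
        recent = [t for t in self.failures.get(key, []) if now - t < self.window]
        recent.append(now)
        if len(recent) >= self.threshold:
            self.locked_until[key] = now + self.duration
            recent = []  # counter starts again once the lock expires
        self.failures[key] = recent
        return True

def replay(events, policy, field):
    """Return how many failed logons in `events` reached a password check."""
    return sum(policy.record_failure(e[field], e["time"]) for e in events)

# Constructed sample: one source guessing once per second for an hour,
# rotating through the account names quoted in the question.
START = datetime(2006, 1, 1, 12, 0, 0)
NAMES = ["php", "info", "student", "admin"]
ATTACK = [{"time": START + timedelta(seconds=s), "ip": "192.0.2.10",
           "account": NAMES[s % 4]} for s in range(3600)]

def compare():
    per_account = FailureLockout(threshold=10, window_min=10, duration_min=10)
    per_ip = FailureLockout(threshold=3, window_min=30, duration_min=30)
    checked = (replay(ATTACK, per_account, "account"), replay(ATTACK, per_ip, "ip"))
    # The real owner of 'info', connecting from another address after the burst:
    t = START + timedelta(minutes=61)
    blocked = (per_account.is_locked("info", t), per_ip.is_locked("198.51.100.7", t))
    return checked, blocked

if __name__ == "__main__":
    print(compare())
```

Of the 3600 constructed attempts, the per-account policy lets 240 reach a password check and leaves 'info' locked for its real owner, while the per-IP policy lets 6 through and does not affect other addresses.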
 
tlbrittain Commented:
That is not possible, have you thought about implementing a firewall? Also there is a program called Intruder Alert (I believe it is now known as site protector); it will let you know, based off the rules you set, of unsuccessful attempts and a plethora of other options including what action to take, but blocking an IP for a set amount of time is not one.
0
 
tlbrittain Commented:
just curious what's the cost of Titan FTP?
0
 
pplan (Author) Commented:
I will try the FTP program, but it is not an attack on FTP - it is an attack to log in to our server as admin, I am afraid to get some privileges etc...

we have TINY Firewall, but I do not know how to prevent such actions using Tiny firewall...
(how to prevent unauthorized attempts to login)

0
 
tlbrittain Commented:
Does the firewall allow you to specifically allow and deny by IP? If so you could set up an ACL to allow only the IPs needed for access to the server and deny all else.
0
 
pplan (Author) Commented:
unfortunately we do not use static IP addresses for our computers, which we use to log into our server, that's why it would be problematic to set static IP address on the firewall to grant the access privilege only to certain IPs...
0
 
tlbrittain Commented:
Does the firewall allow you to specifically allow and deny by IP? If so you could set up an ACL to allow only the IPs needed for access to the server and deny all else.
0
 
tlbrittain Commented:
sorry about the double post there...now your IPs are going to change but I'm pretty sure not the whole address, say just the last 2 octets change...

e.g. - 10.10.x.x
0
 
tlbrittain Commented:
It is possible to allow specific IP ranges but not sure how your firewall works.
0
 
pplan (Author) Commented:
It might be a good idea! I will try it and let you know, thanks! It might take me a few hours, maybe the weekend, as I have to find out how to do it in Tiny firewall...
0
 
arunexp Commented:
Or you can put a rule on your router to allow ftp access only from LAN
0
 
cshepfam Commented:
Here are the prices for Titan FTP Server

http://www.btsoftware.com/products/titan.htm
0
 
r-k Commented:
Thanks. The following web page has a description of the various logon type codes:
http://www.windowsecurity.com/articles/Logon-Types.html
0
Question has a verified solution.
