Dictionary Attack on Small Business Server 2003

I am running a server with Microsoft Small Business Server 2003 and I am seeing multiple failed authentication attempts in the security log. They all appear as:

Log: Security
Type: Failure Audit
Event: 529
Time: Dec  3 2007 12:02PM
Source: Security
Category: Logon/Logoff
Username: SYSTEM
Computer: ***Removed***
Description: Logon Failure:

        Reason:         Unknown user name or bad password
        User Name:      toyota
        Domain:        
        Logon Type:     3
        Logon Process:  Advapi
        Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
        Workstation Name:       ***Removed***
        Caller User Name:       ***Removed***
        Caller Domain:  ***Removed***
        Caller Logon ID:        (0x0,0x3E7)
        Caller Process ID:      2904
        Transited Services:     -
        Source Network Address: -
        Source Port:    -

There is no Port or IP identified, so I am not sure how to prevent future attacks or to identify the source of the current ones. We do not currently have a hardware firewall (ex. sonicwall) and are relying on the built-in SBS firewall. We do not have an option to purchase additional hardware, so what are our other options?
Asked: desktopadv
 
bhnmi Commented:
You wouldn't happen to have a user account toyota in AD, would you? Running as a service somewhere or used as credentials to access a share?
 
Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
The fact that you removed the workstation, user and domain names leads me to believe that this isn't a dictionary attack at all. It's an internal issue... which is most likely caused by having a service running under a user account on the named workstation.

Jeff
TechSoEasy
 
desktopadv (Author) Commented:
Everywhere it says removed it just has the name of our server/domain.  I removed it for security reasons.  Also "toyota" was just one of the crazy names that were tried.  Others included hello, love, happy, etc...
 
dan_blagut Commented:
Hi
If you can afford a hardware firewall, then buy a LinkSys broadband router for 50e or eq. That will do the job for you and you get as a bonus a VPN server. On the Windows side, configure your account to lock out after 5 attempts for 5 minutes at least.
Like that, it is very improbable that your guy will find the good account/password pair. But after the installation of the firewall I think this kind of attack will disappear.

Dan
 
Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
Well, it could be a virus then... see this newsgroup post for the troubleshooting steps:
http://groups.google.com/group/microsoft.public.windows.server.sbs/browse_thread/thread/825da8d08bd651bf/b0c6cbceb5406038?hl=en&lnk=gst#b0c6cbceb5406038

Jeff
TechSoEasy
 
desktopadv (Author) Commented:
Any other options that wouldn't include new hardware?

desktopadv (Author) Commented:
Or is there a way in SBS to block ports above 1000+?
 
Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
If you have two NICs you don't need additional hardware, but it couldn't hurt.  With two NICs you are already blocking all ports that aren't needed.  You can't just broadly block all ports above 1000, that wouldn't accomplish anything and would also cause communication problems.

Jeff
TechSoEasy
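
Added example, not part of the original thread: Python code that groups Event 529 records, in the text layout quoted in the question, by Caller Process ID and counts distinct user names, which separates the two explanations raised above (one account failing repeatedly versus a run of guessed names). The sample records are constructed; PID 1188, the name svc_backup and the min_names threshold are assumptions.

```python
import re
from collections import defaultdict

def record(user, pid, when="Dec  3 2007 12:02PM"):
    """Build one constructed record in the layout quoted in the question."""
    return (f"Event: 529\nTime: {when}\n"
            f"        User Name:      {user}\n"
            f"        Domain:        \n"
            f"        Logon Type:     3\n"
            f"        Logon Process:  Advapi\n"
            f"        Caller Process ID:      {pid}\n")

# Constructed sample: the names the asker lists under PID 2904, plus an
# invented service account (svc_backup, PID 1188) failing repeatedly.
SAMPLE = ("".join(record(u, 2904) for u in ["toyota", "hello", "love", "happy"])
          + record("svc_backup", 1188) * 3)

# [ \t]* rather than \s* so an empty field (Domain) cannot swallow the next line.
FIELD = re.compile(
    r"^[ \t]*(Event|User Name|Logon Type|Caller Process ID):[ \t]*(.*?)[ \t]*$", re.M)

def parse_529(text):
    """Split the export on 'Event:' lines and keep the 529 records as dicts."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event:)", text):
        fields = dict(FIELD.findall(chunk))
        if fields.get("Event") == "529":
            events.append(fields)
    return events

def summarize(events, min_names=3):
    """Group failures by caller PID; many distinct names suggests guessing."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e.get("Caller Process ID", "?")].append(e.get("User Name", ""))
    report = {}
    for pid, names in by_pid.items():
        distinct = sorted(set(names))
        pattern = "many-names" if len(distinct) >= min_names else "repeated-account"
        report[pid] = {"failures": len(names), "names": distinct, "pattern": pattern}
    return report

if __name__ == "__main__":
    for pid, info in summarize(parse_529(SAMPLE)).items():
        print(pid, info)
```

The Caller Process ID is the process on the server that submitted the logon, so matching a flagged PID against `tasklist /svc` output shows which service is receiving the attempts.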