Solved

Dictionary Attack on Small Business Server 2003

Posted on 2007-12-04
Last Modified: 2008-02-01
I am running a server with Microsoft Small Business Server 2003 and I am seeing multiple failed authentication attempts in the security log.  They all appear as:

Log: Security
Type: Failure Audit
Event: 529
Time: Dec  3 2007 12:02PM
Source: Security
Category: Logon/Logoff
Username: SYSTEM
Computer: ***Removed***
Description: Logon Failure:

        Reason:         Unknown user name or bad password
        User Name:      toyota
        Domain:        
        Logon Type:     3
        Logon Process:  Advapi
        Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
        Workstation Name:       ***Removed***
        Caller User Name:       ***Removed***
        Caller Domain:  ***Removed***
        Caller Logon ID:        (0x0,0x3E7)
        Caller Process ID:      2904
        Transited Services:     -
        Source Network Address: -
        Source Port:    -

There is no Port or IP identified so I am not sure how to prevent future attacks or to identify the source of the current ones.  We do not currently have a hardware firewall (ex. sonicwall) and are relying on the built-in SBS firewall.  We do not have an option to purchase additional hardware, so what are our other options?
Question by:desktopadv
8 Comments
 

Expert Comment

by:bhnmi
ID: 20406952
You wouldn't happen to have a user account toyota in AD, would you? Running as a service somewhere or used as credentials to access a share?

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 20409360
The fact that you removed the workstation, user and domain names leads me to believe that this isn't a dictionary attack at all.  It's an internal issue... which is most likely caused by having a service running under a user account on the named workstation.

Jeff
TechSoEasy

Author Comment

by:desktopadv
ID: 20410952
Everywhere it says removed it just has the name of our server/domain.  I removed it for security reasons.  Also "toyota" was just one of the crazy names that were tried.  Others included hello, love, happy, etc...
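
The two readings debated in this thread (one stale credential versus many guessed names) can be told apart by counting distinct user names per Caller Process ID in exported Event 529 records. This is an added example, not code from any poster; the `min_names` threshold, the names `admin`, `test` and `backupsvc`, and PID 1180 are constructed for illustration.

```python
import re
from collections import Counter

# One "Key: value" line of an Event 529 description, in the layout the question shows.
FIELD = re.compile(r"^[ \t]*([A-Za-z ]+?):[ \t]*(.*?)[ \t]*$", re.M)

def parse_529(text):
    """Return one dict of fields per 'Logon Failure:' record in exported log text."""
    return [dict(FIELD.findall(chunk)) for chunk in text.split("Logon Failure:")[1:]]

def triage(events, min_names=5):
    """Group failures by Caller Process ID and label each group's pattern.

    min_names is an assumed threshold, not a value from the thread.
    """
    report = {}
    for pid in sorted({e.get("Caller Process ID", "?") for e in events}):
        group = [e for e in events if e.get("Caller Process ID", "?") == pid]
        names = Counter(e.get("User Name", "").lower() for e in group)
        sources = {e.get("Source Network Address", "-") for e in group} - {"-", ""}
        if len(names) >= min_names:
            verdict = "guessing"           # many different names tried
        elif len(names) == 1 and len(group) > 1:
            verdict = "stale_credential"   # one name repeated: service or mapped share
        else:
            verdict = "inconclusive"
        report[pid] = {
            "failures": len(group),
            "distinct_users": len(names),
            "logon_types": sorted({e.get("Logon Type", "?") for e in group}),
            "source_logged": bool(sources),
            "verdict": verdict,
        }
    return report

# Constructed sample: six guessed names from one caller, one repeated name from another.
TEMPLATE = """Logon Failure:
        Reason:         Unknown user name or bad password
        User Name:      {user}
        Domain:
        Logon Type:     3
        Logon Process:  Advapi
        Caller Process ID:      {pid}
        Source Network Address: -
"""
GUESSED = ["toyota", "hello", "love", "happy", "admin", "test"]
SAMPLE = "".join(TEMPLATE.format(user=u, pid=2904) for u in GUESSED)
SAMPLE += "".join(TEMPLATE.format(user="backupsvc", pid=1180) for _ in range(4))

if __name__ == "__main__":
    for pid, row in triage(parse_529(SAMPLE)).items():
        print(pid, row)
```

Caller Process ID is the local process that submitted the logon, so when Source Network Address is blank, looking that PID up on the server shows which service is accepting the attempts.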

Accepted Solution

by:
dan_blagut earned 500 total points
ID: 20412519
Hi
If you can afford a hardware firewall, then buy a LinkSys broadband router for 50e or eq. That will do the job for you and you get as a bonus a VPN server. On the Windows side, configure your account to lock out after 5 attempts for 5 minutes at least.
Like that, it is very improbable that your guy will find the good account/password pair. But after the installation of the firewall I think this kind of attack will disappear.

Dan

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 20416276
Well, it could be a virus then... see this newsgroup post for the troubleshooting steps:
http://groups.google.com/group/microsoft.public.windows.server.sbs/browse_thread/thread/825da8d08bd651bf/b0c6cbceb5406038?hl=en&lnk=gst#b0c6cbceb5406038

Jeff
TechSoEasy

Author Comment

by:desktopadv
ID: 20459499
Any other options that wouldn't include new hardware???

Author Comment

by:desktopadv
ID: 20459515
Or is there a way in SBS to block ports above 1000+?

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 20462392
If you have two NICs you don't need additional hardware, but it couldn't hurt.  With two NICs you are already blocking all ports that aren't needed.  You can't just broadly block all ports above 1000, that wouldn't accomplish anything and would also cause communication problems.

Jeff
TechSoEasy