Solved

Dictionary Attack on Small Business Server 2003

Posted on 2007-12-04
8
744 Views
Last Modified: 2008-02-01
I am running a server with Microsoft Small Business Server 2003 and I am seeing multiple failed authentication attempts in the security log.  They all appear as:

Log: Security
Type: Failure Audit
Event: 529
Time: Dec  3 2007 12:02PM
Source: Security
Category: Logon/Logoff
Username: SYSTEM
Computer: ***Removed***
Description: Logon Failure:

        Reason:         Unknown user name or bad password
        User Name:      toyota
        Domain:        
        Logon Type:     3
        Logon Process:  Advapi
        Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
        Workstation Name:       ***Removed***
        Caller User Name:       ***Removed***
        Caller Domain:  ***Removed***
        Caller Logon ID:        (0x0,0x3E7)
        Caller Process ID:      2904
        Transited Services:     -
        Source Network Address: -
        Source Port:    -

There is no Port or IP identified so I am not sure how to prevent future attacks or to identify the source of the current ones.  We do not currently have a hardware firewall (ex. sonicwall) and are relying on the built-in SBS firewall.  We do not have an option to purchase additional hardware, so what are our other options?
0
Comment
Question by:desktopadv
8 Comments
 
LVL 12

Expert Comment

by:bhnmi
ID: 20406952
You wouldn't happen to have a user account toyota in AD, would you? Running as a service somewhere or used as credentials to access a share?
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 20409360
The fact that you removed the workstation, user and domain names leads me to believe that this isn't a dictionary attack at all.  It's an internal issue... which is most likely caused by having a service running under a user account on the named workstation.

Jeff
TechSoEasy
0
 

Author Comment

by:desktopadv
ID: 20410952
Everywhere it says removed it just has the name of our server/domain.  I removed it for security reasons.  Also "toyota" was just one of the crazy names that were tried.  Others included hello, love, happy, etc...
0
 
LVL 21

Accepted Solution

by:
dan_blagut earned 500 total points
ID: 20412519
Hi
If you can afford a hardware firewall, then buy a LinkSys broadband router for 50e or eq. That will do the job for you and you get as a bonus a VPN server. On the Windows side, configure your account to lock out after 5 attempts for 5 minutes at least.
Like that, it is very improbable that your guy will find the good account/password pair. But after the installation of the firewall I think this kind of attack will disappear.

Dan
0
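Added example, not part of the original thread: a small Python triage script for Event 529 records exported as text in the layout the question shows. It tallies failures per user name, groups them by `Caller Process ID` (the one usable lead when `Source Network Address` is `-`), and lists which names would reach the 5-attempt threshold suggested in the accepted answer. The sample records, the name `jsmith` and the 5-minute counting window are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the layout of the record in the question. The user
# names toyota/hello/love/happy come from the thread; "jsmith", the extra
# times and the repetition are made up for the example.
TEMPLATE = ("Log: Security\nType: Failure Audit\nEvent: 529\nTime: {t}\n"
            "        User Name:      {u}\n        Logon Type:     3\n"
            "        Logon Process:  Advapi\n"
            "        Caller Process ID:      2904\n\n")
TRIES = [("Dec  3 2007 12:02PM", "toyota"), ("Dec  3 2007 12:02PM", "hello"),
         ("Dec  3 2007 12:03PM", "love"), ("Dec  3 2007 12:03PM", "happy")]
TRIES += [("Dec  3 2007 12:0%dPM" % m, "jsmith") for m in (4, 4, 5, 5, 6)]
SAMPLE = "".join(TEMPLATE.format(t=t, u=u) for t, u in TRIES)

FIELD = re.compile(r"^[ \t]*([A-Za-z ]+?):[ \t]*(.*?)[ \t]*$", re.M)

def parse_events(text):
    """Split a text export into records and return the Event 529 ones as dicts."""
    events = []
    for chunk in re.split(r"(?m)^(?=Log:)", text):
        rec = dict(FIELD.findall(chunk))
        if rec.get("Event") == "529":
            stamp = " ".join(rec["Time"].split())   # collapse "Dec  3" padding
            rec["when"] = datetime.strptime(stamp, "%b %d %Y %I:%M%p")
            events.append(rec)
    return events

def summarize(events, threshold=5, window=timedelta(minutes=5)):
    """Tally failures and list names that reach `threshold` inside `window`."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["User Name"].lower()].append(e["when"])
    hit = sorted(u for u, times in by_user.items()
                 if any(sum(s <= t < s + window for t in times) >= threshold
                        for s in times))
    return {
        "failures": len(events),
        "distinct_users": len(by_user),
        "single_try_users": sorted(u for u, t in by_user.items() if len(t) == 1),
        # Caller Process ID is the process on the server that made the logon
        # call; it is the lead to follow when Source Network Address is "-".
        "caller_pids": Counter(e["Caller Process ID"] for e in events),
        "reach_threshold": hit,
    }

if __name__ == "__main__":
    print(summarize(parse_events(SAMPLE)))
```

In the sample, the four guessed names are each tried once and never reach the threshold; only the name that is retried five times does, which is why the per-name tally is worth reading alongside a lockout policy.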
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 20416276
Well, it could be a virus then... see this newsgroup post for the troubleshooting steps:
http://groups.google.com/group/microsoft.public.windows.server.sbs/browse_thread/thread/825da8d08bd651bf/b0c6cbceb5406038?hl=en&lnk=gst#b0c6cbceb5406038

Jeff
TechSoEasy
0
 

Author Comment

by:desktopadv
ID: 20459499
Any other options that wouldn't include new hardware?
0
 

Author Comment

by:desktopadv
ID: 20459515
Or is there a way in SBS to block ports above 1000+?
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 20462392
If you have two NICs you don't need additional hardware, but it couldn't hurt.  With two NICs you are already blocking all ports that aren't needed.  You can't just broadly block all ports above 1000, that wouldn't accomplish anything and would also cause communication problems.

Jeff
TechSoEasy
0
