
Dictionary Attack on Small Business Server 2003

Posted on 2007-12-04
Last Modified: 2008-02-01
I am running a server with Microsoft Small Business Server 2003 and I am seeing multiple failed authentication attempts in the security log.  They all appear as:

Log: Security
Type: Failure Audit
Event: 529
Time: Dec  3 2007 12:02PM
Source: Security
Category: Logon/Logoff
Username: SYSTEM
Computer: ***Removed***
Description: Logon Failure:

        Reason:         Unknown user name or bad password
        User Name:      toyota
        Domain:        
        Logon Type:     3
        Logon Process:  Advapi
        Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
        Workstation Name:       ***Removed***
        Caller User Name:       ***Removed***
        Caller Domain:  ***Removed***
        Caller Logon ID:        (0x0,0x3E7)
        Caller Process ID:      2904
        Transited Services:     -
        Source Network Address: -
        Source Port:    -

There is no port or IP identified, so I am not sure how to prevent future attacks or to identify the source of the current ones.  We do not currently have a hardware firewall (e.g. SonicWall) and are relying on the built-in SBS firewall.  We do not have an option to purchase additional hardware, so what are our other options?
0
Question by:desktopadv
8 Comments
 
LVL 12

Expert Comment

by:bhnmi
ID: 20406952
You wouldn't happen to have a user account toyota in AD, would you? Running as a service somewhere or used as credentials to access a share?
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 20409360
The fact that you removed the workstation, user and domain names leads me to believe that this isn't a dictionary attack at all.  It's an internal issue... which is most likely caused by having a service running under a user account on the named workstation.

Jeff
TechSoEasy
0
 

Author Comment

by:desktopadv
ID: 20410952
Everywhere it says removed it just has the name of our server/domain.  I removed it for security reasons.  Also "toyota" was just one of the crazy names that were tried.  Others included hello, love, happy, etc...
0
 
LVL 22

Accepted Solution

by:
dan_blagut earned 1500 total points
ID: 20412519
Hi
If you can afford a hardware firewall, then buy a LinkSys broadband router for 50e or eq. That will do the job for you, and you get a VPN server as a bonus. On the Windows side, configure your account to lock out after 5 attempts for 5 minutes at least.
That way it is very improbable that your guy will find the good account/password pair. But after the installation of the firewall I think this kind of attack will disappear.

Dan
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 20416276
Well, it could be a virus then... see this newsgroup post for the troubleshooting steps:
http://groups.google.com/group/microsoft.public.windows.server.sbs/browse_thread/thread/825da8d08bd651bf/b0c6cbceb5406038?hl=en&lnk=gst#b0c6cbceb5406038

Jeff
TechSoEasy
0
 

Author Comment

by:desktopadv
ID: 20459499
Any other options that wouldn't include new hardware???
0
 

Author Comment

by:desktopadv
ID: 20459515
Or is there a way in SBS to block ports above 1000+?
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 20462392
If you have two NICs you don't need additional hardware, but it couldn't hurt.  With two NICs you are already blocking all ports that aren't needed.  You can't just broadly block all ports above 1000, that wouldn't accomplish anything and would also cause communication problems.

Jeff
TechSoEasy
0
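A way to check which of the two readings in this thread the log supports (an added example, not part of any post above): the Python below parses Event 529 descriptions in the layout shown in the question, groups them by Caller Process ID, and reports whether one name fails repeatedly or many names fail a few times each. The sample events, the `backupsvc` account, PID 1512 and the classification heuristic are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the Event 529 layout from the question. The first five
# user names come from the thread; "backupsvc" and PID 1512 are hypothetical.
TEMPLATE = (
    "Logon Failure:\n"
    "        Reason:         Unknown user name or bad password\n"
    "        User Name:      {user}\n"
    "        Logon Type:     3\n"
    "        Logon Process:  Advapi\n"
    "        Caller Process ID:      {pid}\n"
    "        Source Network Address: -\n"
)
SAMPLE = "".join(TEMPLATE.format(user=u, pid=2904)
                 for u in ["toyota", "hello", "love", "happy", "hello"])
SAMPLE += TEMPLATE.format(user="backupsvc", pid=1512) * 6

# One "Field Name:   value" pair per line; the value may be empty.
FIELD = re.compile(r"^[ \t]*([A-Za-z ]+?):[ \t]*(.*?)[ \t]*$", re.M)

def parse_events(text):
    """Return one {field: value} dict per 'Logon Failure:' description."""
    return [dict(FIELD.findall(chunk))
            for chunk in text.split("Logon Failure:")[1:]]

def summarize(events, lockout_threshold=5):
    """Group failures by Caller Process ID and describe the pattern of names."""
    by_pid = defaultdict(Counter)
    for ev in events:
        by_pid[ev.get("Caller Process ID", "?")][ev.get("User Name", "")] += 1
    report = {}
    for pid, users in by_pid.items():
        total = sum(users.values())
        # Assumed heuristic: several names with few tries each looks like name
        # guessing; one name failing repeatedly looks like a stale credential.
        guessing = len(users) > 1 and len(users) >= total / 2
        report[pid] = {
            "failures": total,
            "distinct_users": len(users),
            "pattern": "name guessing" if guessing else "repeated account",
            # Names that reached the lockout threshold (5 in the accepted answer).
            "would_lock": sorted(u for u, n in users.items() if n >= lockout_threshold),
        }
    return report

if __name__ == "__main__":
    for pid, row in summarize(parse_events(SAMPLE)).items():
        print(pid, row)
```

When the event carries no source address, the Caller Process ID with the most failures is the process to look up on the server itself.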
