72chevy4x4
asked on
built in feature to secure remote logon attempts
I've had multiple logon failures on the daily reports almost daily for a couple of weeks and would like to lock down my SBS 2003 server without buying any new software (in a small non-business environment). With a new cable modem/router, I can't get remote access to the server from outside the network; probably a router problem. ISA is not installed, and IIS is running as well as Exchange 2003.
In trying to understand the attached code, is logon type 3 coming from the website? I don't really know where to begin in figuring out where the attempt is coming from (i.e. a perp visiting https://server.myservername.com/remote and entering user/pass combos). My guess is they're either trying to get in via OWA or the server's remote access (sorry, forgot the abbreviation).
Where are the attempts (attacks) coming from, and how do I secure the server? I do NOT have ISA installed, as every time I've tried it in the past I was unable to get it to operate properly.
Logon Failure:
Reason: Unknown user name or bad password
User Name: 5201314
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SERVER
Caller User Name: SERVER$
Caller Domain: MYSERVERNAME
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1648
Transited Services: -
Source Network Address: -
Source Port: -
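As an added example (not part of the original post or any answer), here is a small parser for failure entries in the format pasted above, with a best-effort reading of where each attempt came from and a count of guesses per user name and per source address. The sample entries are constructed: the first is the one from the post, the other two are made-up entries in the same format (the IP 203.0.113.7 is from a documentation range). The interpretation of "Logon Process: Advapi" with caller SERVER$ and logon ID (0x0,0x3E7) as a local SYSTEM process (typically IIS Basic authentication for OWA/RWW) validating the credentials through LogonUser, which is why no source address appears in the event, is my reading and not something the page states.

```python
import re
from collections import Counter

# Constructed sample input: Windows 2003 security-log "Logon Failure" bodies
# (event 529 style). Entry 1 is the one from the post; entries 2 and 3 are
# made up to show a guessed account and an entry that does carry an IP.
SAMPLE_EVENTS = """\
Logon Failure:
Reason: Unknown user name or bad password
User Name: 5201314
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SERVER
Caller User Name: SERVER$
Caller Domain: MYSERVERNAME
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1648
Transited Services: -
Source Network Address: -
Source Port: -

Logon Failure:
Reason: Unknown user name or bad password
User Name: administrator
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SERVER
Caller User Name: SERVER$
Caller Domain: MYSERVERNAME
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1648
Transited Services: -
Source Network Address: -
Source Port: -

Logon Failure:
Reason: Unknown user name or bad password
User Name: administrator
Domain: MYSERVERNAME
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: SERVER
Caller User Name: SERVER$
Caller Domain: MYSERVERNAME
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 412
Transited Services: -
Source Network Address: 203.0.113.7
Source Port: 1234
"""

# Logon type codes as documented for Windows 2000/2003.
LOGON_TYPES = {
    2: "Interactive (console)",
    3: "Network (SMB, IIS/OWA, RPC)",
    4: "Batch",
    5: "Service",
    7: "Unlock",
    8: "NetworkCleartext",
    9: "NewCredentials",
    10: "RemoteInteractive (Terminal Services / RDP)",
}

SYSTEM_LOGON_ID = "(0x0,0x3E7)"  # logon session 999 = LocalSystem


def parse_events(text):
    """Split pasted security-log text into one dict per 'Logon Failure:' block."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        if not lines or not lines[0].startswith("Logon Failure"):
            continue
        ev = {}
        for line in lines[1:]:
            key, _, value = line.partition(":")
            ev[key.strip()] = value.strip()
        ev["logon_type"] = int(ev.get("Logon Type") or 0)
        src = ev.get("Source Network Address", "-")
        ev["source"] = None if src in ("", "-") else src
        events.append(ev)
    return events


def likely_origin(ev):
    """Best-effort reading of where a failed logon came from (my interpretation)."""
    kind = LOGON_TYPES.get(ev["logon_type"], "unknown")
    if ev["source"]:
        return f"{ev['source']} via {kind}"
    if ev.get("Logon Process") == "Advapi" and ev.get("Caller Logon ID") == SYSTEM_LOGON_ID:
        # A LocalSystem process called LogonUser itself; on SBS that is usually
        # IIS Basic authentication (OWA/RWW). The client IP is not in this event:
        # correlate with the IIS W3SVC log (c-ip, cs-username) by timestamp.
        return f"local SYSTEM process via LogonUser ({kind}); likely IIS/OWA, see W3SVC logs"
    return f"{kind}; no source address recorded"


def summarize(events, threshold=5):
    """Count failures per user name and per source; flag names at/above threshold."""
    by_user = Counter(ev.get("User Name", "") for ev in events)
    by_source = Counter(ev["source"] for ev in events if ev["source"])
    guessed = sorted(u for u, n in by_user.items() if n >= threshold)
    return {"total": len(events), "by_user": dict(by_user),
            "by_source": dict(by_source), "guessed": guessed}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for ev in evs:
        print(f"{ev.get('User Name', '')!r:20} {likely_origin(ev)}")
    print(summarize(evs, threshold=2))
```

Paste the text of the daily report (or an export of the Security log) into SAMPLE_EVENTS or read it from a file; once a source address is present in the events, the per-source counts tell you which IP to block at the router, and the Advapi entries without one point you at the IIS logs for the same minute.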
ASKER
Thank you for the reply. I have the necessary ports open-it could be a problem with the cable service or modem.
I'm still not comfortable with the random password guessing. Is SBS set up to just continually allow guesses at the logon without timing out or locking out a hacker? I can't even look at the logs and figure out if someone has gained entry, because the security log has a gazillion entries, most of which I can't decode. The server is always patched, with the exception of not updating to SP1.
SBS itself doesn't have a random password guessing lockout for the administrator account (which most of the script kiddies go after) as it would lock you out from the server.
One solution I created was to add a front-end Linux server running the Apache Rewrite/Proxy modules and IPTables in front of my SBS server environment. I then created a series of firewall rules that dropped any connections from Asia/Pacific Rim (this is where most kiddies come in from) so they could neither ping nor access the site. All web-based requests were passed through the Apache mod_rewrite/mod_proxy environment to the SBS server (i.e. ports 80, 443, etc.).
There is an application called Untangle (www.untangle.com) that can do something of the same of what I designed and a lot more I didn't even consider, but I haven't had time to test it yet.
ASKER
It's been indicated that there are no built-in features in SBS; that's a shame. Building and installing a front-end server is a lot more work than I wanted to do for this small system; maybe for many users or an office situation it would be necessary.
In SBS, I shut down some of the features such as OWA and RWW, but still have received a stray login attempt. How can one determine the origin? Is it in the code of the original snippet?
Even though this Microsoft article is related to Windows 2000, I found that the registry setting does allow the source IP address to be revealed. I had the same issue on my SBS server and now can track down the culprits!
http://support.microsoft.com/default.aspx/kb/328478/
If your internal network seems to be working fine, then you're pretty much secure for the time being. I recommend not using easy passwords on your network (not just for administrator but for any users on the network as well, i.e. enable the password restrictions, etc.). Microsoft's IIS has always been a target of the script kiddies, as it has numerous exploits available if not patched. Script kiddies' 'exploit' scripts do more harm on the outside of the router, as they attack more along the lines of the Internet address (i.e. the external network), thus slowing it down a bit.
As for RWW (Remote Web Workplace) or Remote Access (RDC/RDP) not working, you pretty much need to have a number of ports forwarded from your router to your internal SBS server. I have enclosed a link that reveals these ports and what each does.
http://msmvps.com/blogs/bradley/archive/2005/01/21/33537.aspx