built in feature to secure remote logon attempts

I've had multiple logon failures on the daily reports almost daily for a couple of weeks and would like to lock down my SBS 2003 server without buying any new software (in a small non-business environment). With a new cable modem/router, I can't get remote access to the server from outside the network, probably a router problem. ISA is not installed, and IIS is running as well as Exchange 2003.

In trying to understand the attached code: is logon type 3 coming from the website? I don't really know where to begin in figuring out where the attempt is coming from (i.e. a perp visiting https://server.myservername.com/remote and entering user/pass combos). My guess is they're either trying to get in via OWA or the server's remote access (sorry, forgot the abbrev.).

Where are the attempts (attacks) coming from and how do I secure the server? I do NOT have ISA installed, as every time I've tried in the past, I was unable to get it to operate properly.
Logon Failure: 
  Reason: Unknown user name or bad password 
  User Name: 5201314 
  Logon Type: 3 
  Logon Process: Advapi 
  Workstation Name: SERVER 
  Caller User Name: SERVER$ 
  Caller Domain: MYSERVERNAME 
  Caller Logon ID: (0x0,0x3E7) 
  Caller Process ID: 1648 
  Transited Services: - 
  Source Network Address: - 
  Source Port: -

Michael Worsham, Staff Infrastructure Architect, Commented:
Most likely, you are getting what I am getting as well -- script kiddies. A lot of these 'kiddies' (aka so-called hackers) do port scanning on several different subnets. When they stumble upon a site that has certain ports open (or even filtered), they use other scripts to see if they can break through and find any exploits they can abuse on the system or network behind that found IP address.

If your internal network seems to be working fine, then you're pretty much secure for the time being. I recommend not using easy passwords on your network (not just for administrator but for any users on the network as well -- i.e. enable the password restrictions, etc). Microsoft's IIS has always been a target of the script kiddies as it has numerous exploits available if not patched. Script kiddies' 'exploit' scripts do more harm on the outside of the router, as they attack more along the lines of the Internet address (i.e. external network), thus slowing it down a bit.

As for RWW (Remote Web Workplace) or Remote Access (RDC/RDP) not working, you pretty much need to have a number of ports forwarded from your router to your internal SBS server. I have enclosed a link that reveals these ports and what each does.

72chevy4x4 (Author) Commented:
Thank you for the reply. I have the necessary ports open; it could be a problem with the cable service or modem.

I'm still not comfortable with the random password guessing. Is SBS set up to just continually allow guesses at the logon without timing out or locking out a hacker? I can't even look at the logs and figure out if someone has gained entry because the security log has a gazillion entries, most of which I can't decode. The server is always patched with the exception of not updating to SP1.

Michael Worsham, Staff Infrastructure Architect, Commented:
SBS itself doesn't have a random password guessing lockout for the administrator account (which most of the script kiddies go after) as it would lock you out from the server.

One solution I created was to add in a front-end Linux server running Apache ReWrite/Proxy modules and IPTables in front of my SBS server environment. I then created a series of firewall rules that dropped any connections from Asia/Pacific Rim (this is where most kiddies come in from) from even being able to ping or access the site. All web-based requests were passed through the Apache mod_rewrite/mod_proxy environment to the SBS server (i.e. port 80, 443, etc).

There is an application called Untangle (www.untangle.com) that can do something of the same of what I designed and a lot more I didn't even consider, but I haven't had time to test it yet.

72chevy4x4 (Author) Commented:
It's been indicated that there are no built-in features in SBS; that's a shame. Building and installing a front-end server is a lot more work than I wanted to do for this small system; maybe for many users or an office situation it would be necessary.

In SBS, I shut down some of the features such as OWA and RWW, but still have received a stray login attempt. How can one determine the origin? Is it in the code of the original snippet?

Michael Worsham, Staff Infrastructure Architect, Commented:
Even though this Microsoft article is related to Windows 2000, I found that the registry setting does allow the source IP address to be revealed. I had the same issue on my SBS server and now can track down the culprits!

72chevy4x4 (Author) Commented:
Thanks for the info on the registry hack, but I don't feel comfortable changing the reg based on info that applies to Win 2000. Has anyone else done this? The IP address shows on local events.
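
One way to triage a large security log like the one discussed in this thread, as an added example that is not part of any participant's post: it parses text-exported "Logon Failure" records in the layout shown in the question and tallies them by source address, or by Caller Process ID when the event carries no source address, as the posted event does. The function names and sample records 2 and 3 are assumptions made for illustration.

```python
import re
from collections import Counter

# Logon type codes that matter for remote guessing (other codes map to "Other").
LOGON_TYPES = {"2": "Interactive", "3": "Network", "8": "NetworkCleartext", "10": "RemoteInteractive"}
# Constructed sample: record 1 uses values from the post's event; 2 and 3 are invented.
SAMPLE = """\
Logon Failure:
  User Name: 5201314
  Logon Type: 3
  Caller User Name: SERVER$
  Caller Process ID: 1648
  Source Network Address: -
Logon Failure:
  User Name: administrator
  Logon Type: 10
  Caller User Name: SERVER$
  Caller Process ID: 2044
  Source Network Address: 203.0.113.7
Logon Failure:
  User Name: admin
  Logon Type: 3
  Caller User Name: SERVER$
  Caller Process ID: 1648
  Source Network Address: -
"""

def parse_failures(text):
    """Return one {field: value} dict per 'Logon Failure:' record in an exported log."""
    records = []
    for chunk in re.split(r"(?m)^Logon Failure:[ \t]*$", text)[1:]:
        pairs = (line.strip().partition(":") for line in chunk.splitlines())
        records.append({k.strip(): v.strip() for k, sep, v in pairs if sep})
    return records

def summarize(records):
    """Tally failures by remote source, or by local caller PID when no source is logged."""
    by_source, by_local_pid = Counter(), Counter()
    for r in records:
        kind = LOGON_TYPES.get(r.get("Logon Type"), "Other")
        src = r.get("Source Network Address", "-")
        if src == "-" and r.get("Caller User Name", "").endswith("$"):
            # Machine-account caller, no client address: a service on the server made the call.
            by_local_pid[(r.get("Caller Process ID", "?"), kind)] += 1
        else:
            by_source[(src, kind)] += 1
    return by_source, by_local_pid

if __name__ == "__main__":
    print(summarize(parse_failures(SAMPLE)))
```

A Caller Process ID that dominates the second tally can be matched against the PID column in Task Manager on the server to see which service is passing the guessed credentials along.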
