[Webinar] Streamline your web hosting managementRegister Today

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 593
  • Last Modified:

built in feature to secure remote logon attempts

I've had multiple logon failures on the daily reports almost daily for a couple of weeks and would like to lock down my sbs 2003 server without buying any new software (in a small non-business environment)?   With a new cable modem/router, I can't get remote access to the server from outside the network-probably a router problem.  ISA is not installed and IIS is running as well as Exchange2003.

In trying to understand the attached code-is logon type 3 coming from the website?  I don't really know where to begin in figuring out where the attempt is coming from (i.e. a perp visiting https://server.myservername.com/remote and entering user/pass combo's).  My guess is they're either trying to get in via OWA or the server's remote access (sorry, forgot the abrev.).

where are the attempts (attacks) coming from and how to secure the server?  I do NOT have ISA installed as everytime I've tried in the past it, I was unable to get it to operate properly.
Logon Failure: 
  Reason: Unknown user name or bad password 
  User Name: 5201314 
  Logon Type: 3 
  Logon Process: Advapi 
  Workstation Name: SERVER 
  Caller User Name: SERVER$ 
  Caller Domain: MYSERVERNAME 
  Caller Logon ID: (0x0,0x3E7) 
  Caller Process ID: 1648 
  Transited Services: - 
  Source Network Address: - 
  Source Port: -

Open in new window

  • 3
  • 3
1 Solution
Michael WorshamInfrastructure / Solutions ArchitectCommented:
Most likely, you are getting what I am getting as well -- script kiddies. A lot of these 'kiddies' (aka so-called hackers) do port scanning on several different subnets. When they stumble upon a site that has certain ports open (or even filtered), the use other scripts to see if they can break through and find any exploits they can abuse on the system or network behind that found IP address.

If your internal network seems to be working fine, then your pretty much secure for the time being. I recommend not using easy passwords on your network (not just for administrator but for any users on the network as well -- i.e. enable the password restrictions, etc). Microsoft's IIS has always been a target of the script kiddies as it has numerous exploits available if not patched. Script kiddies 'exploit' scripts do more harm on the outside of the router, as they attack more along the lines of the Internet address (i.e. external network), thus slowing it down a bit.

As for RWW (Remote Web Workplace) or Remote Access (RDC/RDP) not working, you pretty much need to have a number of ports forwarded from your router to your internal SBS server. I have enclosed a link that reveal these ports and what each do.

72chevy4x4Author Commented:
Thank you for the reply.  I have the necessary ports open-it could be a problem with the cable service or modem.  

I'm still not comfortable with the random password guessing.  Is SBS setup to just continually allow gueses at the logon without timing out or locking out a hacker?  I can't even look at the logs and figure out if someone has gained entry because the security log has a gazillion entries, most of which I can't decode.  the server is always patched with the exception of not updating to SP1.
Michael WorshamInfrastructure / Solutions ArchitectCommented:
SBS itself doesn't have a random password guessing lockout for the administrator account (which most of the script kiddies go after) as it would lock you out from the server.

Once solution I created was to add in a front-end Linux server running Apache ReWrite/Proxy modules and IPTables in front of my SBS server environment. I then created a series of firewall rules that dropped any connections from Asia/Pacific Rim (this is where most kiddies come in from) from even being able to ping nor access the site. All web-based requests were passed through the Apache mod_rewrite/mod_proxy environment to the SBS server (i.e. port 80, 443, etc).

There is an application called Untangle (www.untangle.com) that can do something of the same of what I designed and a lot more I didn't even consider, but I haven't had time to test it yet.
Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

72chevy4x4Author Commented:
It's been indicated that there are no built in features in SBS, that's a shame.  building and installing a front-end server is alot more work than I wanted to do for this small system-maybe for many users or an office situation it would be necessary.  

In SBS, I shut down some of the features such as OWA and RWW, but still have received a stray login attempt. How can one determine the origin?  Is it in the code of the original snipet?
Michael WorshamInfrastructure / Solutions ArchitectCommented:
Even though this Microsoft article is related to Windows 2000, I found that the registry setting does allow the source IP address to be revealed. I had the same issue on my SBS server and now can track down the culprits!

72chevy4x4Author Commented:
thanks for the info on the registry hack, but I don't feel comfortable changing the reg based on info that applies to Win 2000. Has anyone else done this?  The IP address shows on local events.

Featured Post

[Webinar] Improve your customer journey

A positive customer journey is important in attracting and retaining business. To improve this experience, you can use Google Maps APIs to increase checkout conversions, boost user engagement, and optimize order fulfillment. Learn how in this webinar presented by Dito.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now