I manage a number of SBS 2003 Servers that are constantly being attacked by hackers who are either trying to brute force the OWA or RWW login screens or possibly do a denial of service.
I was looking at my reports this morning and I can see that there were 9007 attempts to gain access to our server illegally. When I check the Security log I can see that there were repeated attempts, about one every 7 seconds, which generated event log entries like this:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
User: NT AUTHORITY\SYSTEM
Reason: Unknown user name or bad password
User Name: guest
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_P
Workstation Name: SERVERNAME
Caller User Name: SERVERNAME$
Caller Domain: DOMAINNAME
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 8980
Transited Services: -
Source Network Address: -
Source Port: -
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp
Process 8980 is IIS so I am assuming they are seeing the https port open and are hitting the OWA or RWW login screens over and over again.
The logs show that they are using the same user name about 200 times, so I suspect the program is using a dictionary of passwords that is 200 items long and then using it with another dictionary of user names. From the logs the attack seems to have started at about 1PM UK Time yesterday and continued until about 08:30AM this morning.
Is there anything I can do to stop this that allows my remote users to gain access to the server using OWA or RWW without exposing it to attacks like this? My thought would be to set all remote users up with a VPN so they can access the OWA and RWW using internal IP Addresses/Names.
I would be grateful for any advice.
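
The pattern described in the post (Event ID 529 with Logon Type 3, one user name retried many times at a steady interval) can be summarised from a text export of the Security log with a short script. This is an added example, not part of the original post; the `Logged` timestamp field and its format, the sample user names and the `min_attempts` threshold are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

FIELD = re.compile(r"^([A-Za-z ]+):\s*(.*)$")   # "Name: value" lines of a text export
STAMP = "%Y-%m-%d %H:%M:%S"                      # assumed format of the "Logged" field

def parse_events(text):
    """Return one dict per event; a new record starts at each 'Event Type:' line."""
    events, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Event Type":
            current = {}
            events.append(current)
        if current is not None:
            current[key] = value
    return events

def summarize_failures(events, min_attempts=5):
    """Group Event ID 529 / Logon Type 3 failures by user name and measure their pacing."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("Event ID") == "529" and e.get("Logon Type") == "3" and "Logged" in e:
            by_user[e.get("User Name", "").lower()].append(datetime.strptime(e["Logged"], STAMP))
    report = {}
    for user, times in by_user.items():
        if len(times) >= min_attempts:          # a single typo by a real user stays out
            times.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            report[user] = {"attempts": len(times), "first": times[0], "last": times[-1],
                            "mean_gap_s": sum(gaps) / len(gaps) if gaps else None}
    return report

def build_sample():
    """Constructed data: three guessed names tried 6 times each, 7 s apart, plus one typo."""
    rec = ("Event Type: Failure Audit\nEvent ID: 529\nLogged: {0}\n"
           "User Name: {1}\nLogon Type: 3\nCaller Process ID: 8980\n")
    start, out = datetime(2010, 1, 1, 13, 0, 0), []
    for n in range(18):
        user = ("guest", "admin", "test")[n // 6]
        out.append(rec.format((start + timedelta(seconds=7 * n)).strftime(STAMP), user))
    out.append(rec.format((start + timedelta(hours=2)).strftime(STAMP), "jsmith"))
    return "\n".join(out)

if __name__ == "__main__":
    for user, row in summarize_failures(parse_events(build_sample())).items():
        print(user, row["attempts"], "failures, mean gap", row["mean_gap_s"], "s")
```

A regular gap of a few seconds across many user names points to an automated tool rather than users mistyping passwords.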