SBS 2003, How to stop hackers trying to log in programmatically via OWA or RWW

Siv (United Kingdom) asked on
Tags: Microsoft IIS Web Server, Windows Server 2003, SBS
9 Comments, 1 Solution, 1916 Views
Hi,
I manage a number of SBS 2003 Servers that are constantly being attacked by hackers who are either trying to brute force the OWA or RWW login screens or possibly do a denial of service.

I was looking at my reports this morning and I can see that there were 9007 attempts to gain access to our server illegally. When I check the Security log I can see that there were repeated attempts, about one every 7 seconds, which generated event log entries like this:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            07/02/2012
Time:            12:57:33
User:            NT AUTHORITY\SYSTEM
Computer:      SERVERNAME
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      guest
       Domain:            
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      SERVERNAME
       Caller User Name:      SERVERNAME$
       Caller Domain:      DOMAINNAME
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      8980
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Process 8980 is IIS so I am assuming they are seeing the https port open and are hitting the OWA or RWW login screens over and over again.

The logs show that they are using the same user name about 200 times, so I suspect the program is using a dictionary of passwords that is 200 items long and then using it with another dictionary of user names. From the logs the attack seems to have started at about 1PM UK time yesterday and continued until about 08:30AM this morning.

Is there anything I can do to stop this that still allows my remote users to gain access to the server using OWA or RWW, without exposing it to attacks like this? My thought would be to set all remote users up with a VPN so they can access OWA and RWW using internal IP addresses/names.

I would be grateful for any advice.

Siv
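The post's evidence is a run of Event ID 529 entries, one every few seconds, reusing the same user name. The following is an added example (not from the post or from Microsoft) that parses records laid out like the excerpt above and flags accounts with repeated failures inside a short window, which is the kind of check you would run over an exported Security log before deciding on lockout or VPN-only access. It assumes the UK dd/mm/yyyy date format seen in the post, and the sample records are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

def _record(time, user, event_id="529"):
    """Constructed record in the layout of the SBS 2003 Security log excerpt (assumed)."""
    return (f"Event Type:      Failure Audit\nEvent ID:      {event_id}\n"
            f"Date:            07/02/2012\nTime:            {time}\n"
            f"       User Name:      {user}\n       Logon Type:      3\n")

# Constructed sample: four failures for "guest" seven seconds apart, one for "administrator".
SAMPLE_LOG = "".join(_record(t, u) for t, u in [
    ("12:57:33", "guest"), ("12:57:40", "guest"), ("12:57:47", "guest"),
    ("12:57:54", "guest"), ("13:10:02", "administrator")])
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")

def parse_events(text):
    """Split an exported log into records; each record becomes a field->value dict."""
    events = []
    for chunk in re.split(r"(?m)^Event Type:", text)[1:]:
        lines = chunk.splitlines()
        rec = {"Event Type": lines[0].strip()}
        for line in lines[1:]:
            m = FIELD.match(line)
            if m:
                rec[m.group(1)] = m.group(2)
        events.append(rec)
    return events

def failed_logons(events):
    """(timestamp, user) for every Event ID 529; date assumed dd/mm/yyyy (UK locale)."""
    for e in events:
        if e.get("Event ID") == "529":
            ts = datetime.strptime(f"{e['Date']} {e['Time']}", "%d/%m/%Y %H:%M:%S")
            yield ts, e.get("User Name", "").lower()

def brute_force_suspects(events, threshold=3, window=timedelta(minutes=5)):
    """Users with at least `threshold` 529 failures inside any `window`-long span."""
    per_user = defaultdict(list)
    for ts, user in failed_logons(events):
        per_user[user].append(ts)
    suspects = {}
    for user, stamps in per_user.items():
        stamps.sort()
        j = 0
        for i, start in enumerate(stamps):  # sliding window over sorted timestamps
            while j < len(stamps) and stamps[j] - start <= window:
                j += 1
            if j - i >= threshold:
                suspects[user] = len(stamps)  # total failures for that account
                break
    return suspects
```

Because the 529 records in the post carry no Source Network Address, the grouping is by account rather than by client IP; raise `threshold` or widen `window` to match the roughly 200 attempts per user name described above.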