We help IT Professionals succeed at work.

Windows Server 2003 Port 3389 Attack

wesmanbigmig13
wesmanbigmig13 used Ask the Experts™
on
Hi Experts

We are running a Windows 2003 server fully patched and running Windows Firewall.

When we check the Windows Event Viewer on the System tab it shows repeated items as follows - these occur approximately every 8 seconds. Occasionally there will be a break for 10 to 15 minutes and then the attacks start again. The message in Windows Event Viewer is as follows:

Remote session from client name a exceeded the maximum allowed failed logon attempts. The session was forcibly terminated.

The Event ID is: 1012
And the Source for each is listed as: TermService

Using a Network monitoring tool, we can see that the packets are coming in on Port 3389 (the standard Remote Desktop / Terminal Services port) So, we have changed RDP to run on Port 3390. We have added an Exception to the Windows Firewall to allow traffic on Port 3390. We have then unticked the Exception in the Windows Firewall for the standard RDP Port 3389. We thought that this would then stop the attacks from being written to the Windows Event Viewer log.

However, doing this has had no effect - the Windows Event Viewer still shows every 6 to 10 seconds the message "Remote session from client name a exceeded the maximum allowed failed logon attempts. The session was forcibly terminated."

How can we stop these attacks from happening?

500 points for a working solution.


Many thanks


Wes
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
James HIT Director

Commented:
TolomirAdministrator
Top Expert 2005

Commented:
you can run the tool tcpview to identify the ip address of the possible intruder.

http://technet.microsoft.com/de-de/sysinternals/bb897437

This live monitoring tool shows you all running services and ingoing connection (attempts).

After you got the address you can identify who might cause this issue.

Author

Commented:
Thanks, but using our Network monitoring tool, we can already see the IP Address of the attacker. We want to stop all of their attempts from being written to the Windows Event Viewer. We thought that by turning off the exception to Port 3389 in the Windows Firewall that this would happen, but it has had no effect.

Author

Commented:
@Spartan_1337 - thanks but we have read that link already earlier today. It is not a solution.
TolomirAdministrator
Top Expert 2005

Commented:
you could block access to the server in the firewall. this way it would not be possible to even access the service.

Author

Commented:
@Tolomir: Please read our initial post. We have already blocked/removed access to port 3389 in the Windows Firewall.
I recently had an IP from Russia trying to hack RDP over 443, which completely filled up my security logs. I added an inbound rule just on my server and am no longer receiving failed audit attempts.

Rule Type: Custom
Program: All Programs
Protocol Type: Any
Which local IP addresses does this rule apply to? 192.168.1.13
White remote IP addresses does this rule apply to? <hacker/24>
Action: Block
Profile: Domain | Private | Public

Author

Commented:
motnahp00: How / where did you add this rule? And which operating system are you using?


Thanks
I went ahead an created a GPO for my entire environment versus the one server which I have enabled port forwarding. I am running W2K8R2 but you should be able to create similar rules with W2K3.

Author

Commented:
Thanks, but I'm not sure what a GPO is and it sounds a bit complicated considering that I am running Windows Server 2003. Thanks anyway.
One sec...

Let me fire up a W2K3 server and jot some notes for you.
I really forgot how limited LGPOs were in W2K3.

Here's how I would configure the settings on the local server:

Control Panel -> Windows Firewall -> Exceptions tab -> Edit Remote Desktop -> Change Scope -> Custom list (add your exceptions here)

Author

Commented:
No, that doesn't help.
That stinks. Sorry that didn't help.
Leon FesterSenior Solutions Architect

Commented:
Is the "attack" coming from an internal or external IP address?
If External, then you secure that server by making sure it is not directly attached to the WWW.

If this is already the case, then you need to block access to your server on the FW.
That way, not traffic will be passed to your Server.

Your idealy configuration would at would start with:
WWW(Internet) --- FW(Hardware/software firewall) --- Server(running Windows Firewall)

Basically consider that port is now closed by putting a door in the way...so the attacks you are seeing is somebody knocking on the door. Will they get in? NO, the door is closed/port is blocked. Will you hear somebody knocking/attempt to access the port? Yes, you hear noise/see logged events in event viewer.

In order to stop people knocking on the door...you need to stop them from coming in by the gate(FW)
Using my analogy from above:
WWW -- Gate(HW/SW Firewall) -- Door(Windows firewall) -- Port(3389) -- Windows Server OS

What you need to understand is: if the port is blocked then nothing can come through that port. However, blocking the port does not stop somebody from trying to access the port. Which is what is happening here. Somebody is trying to access on Port 3389 but is being denied and then disconnected.

Author

Commented:
dvt_localboy: Do you know if the Windows still logs (to the Event Viewer) attempts by someone to access a port that has been closed?

Thanks
Leon FesterSenior Solutions Architect

Commented:
No, the event log does not log failed attempts to access a port.
What it does log is based on the auditing profile, either configured on the local server or via a group policy.

Check out the Local Security Policy:
Click Start, Adminsitrative Tools, Local Security Policy
Expand Local Policies
Click Audit Policy

The error that you are receiving is being logged because it is seen as a failed logon attempt to a know service.

You can test if your ports are open by using telnet:
telnet ServerName/IPAddress 3389

Any failed connection would indicate the port is blocked.
If it opens a dos prompt with just a flashing cursor the the port is open.

If you have many internet facing servers then consider external penetration testing.
You can start with online scans like Shields UP: https://www.grc.com/x/ne.dll?bh0bkyd2

Some reading re: Pentration testing
http://www.sans.org/reading_room/whitepapers/testing/penetration-101-introduction-penetration-tester_266
http://www.brighthub.com/computing/smb-security/articles/2530.aspx
https://beausanders.org/whitepapers/Do-It-Yourself_Security_Audit.pdf

Consider the Ethical Hacking course for formal training.
Who knows, you may be building a new career for yourself.

Author

Commented:
Thanks dvt_localboy - however, I have used telnet to check port 3389 and it does not show it as being open.

Could this whole thing perhaps be because after changing the RDP port using the appropriate key in the registry (from 3389 to 3390) that we haven't yet rebooted the server? ie do you think a reboot would fix this?

Thanks
Senior Solutions Architect
Commented:
I highly doubt that, but it's worth a try.

You don't need to perform any actions against this warning.

Open that event log entry and verify the status of the message.
I'm sure it's an informaiton only message with a warning status.

If anything, it's telling you that your protection of the RDP port is working.

Author

Commented:
Ok many thanks dvt_localboy. The information you have supplied has been very useful. Thank you. I will accept yours as the solution.<br /><br />Cheers<br /><br />Wes