Windows Server 2003 Port 3389 Attack
Hi Experts
We are running a Windows 2003 server fully patched and running Windows Firewall.
When we check the Windows Event Viewer on the System tab it shows repeated items as follows - these occur approximately every 8 seconds. Occasionally there will be a break for 10 to 15 minutes and then the attacks start again. The message in Windows Event Viewer is as follows:
Remote session from client name a exceeded the maximum allowed failed logon attempts. The session was forcibly terminated.
The Event ID is: 1012
And the Source for each is listed as: TermService
Using a Network monitoring tool, we can see that the packets are coming in on Port 3389 (the standard Remote Desktop / Terminal Services port) So, we have changed RDP to run on Port 3390. We have added an Exception to the Windows Firewall to allow traffic on Port 3390. We have then unticked the Exception in the Windows Firewall for the standard RDP Port 3389. We thought that this would then stop the attacks from being written to the Windows Event Viewer log.
However, doing this has had no effect - the Windows Event Viewer still shows every 6 to 10 seconds the message "Remote session from client name a exceeded the maximum allowed failed logon attempts. The session was forcibly terminated."
How can we stop these attacks from happening?
500 points for a working solution.
Many thanks
Wes
We are running a Windows 2003 server fully patched and running Windows Firewall.
When we check the Windows Event Viewer on the System tab it shows repeated items as follows - these occur approximately every 8 seconds. Occasionally there will be a break for 10 to 15 minutes and then the attacks start again. The message in Windows Event Viewer is as follows:
Remote session from client name a exceeded the maximum allowed failed logon attempts. The session was forcibly terminated.
The Event ID is: 1012
And the Source for each is listed as: TermService
Using a Network monitoring tool, we can see that the packets are coming in on Port 3389 (the standard Remote Desktop / Terminal Services port) So, we have changed RDP to run on Port 3390. We have added an Exception to the Windows Firewall to allow traffic on Port 3390. We have then unticked the Exception in the Windows Firewall for the standard RDP Port 3389. We thought that this would then stop the attacks from being written to the Windows Event Viewer log.
However, doing this has had no effect - the Windows Event Viewer still shows every 6 to 10 seconds the message "Remote session from client name a exceeded the maximum allowed failed logon attempts. The session was forcibly terminated."
How can we stop these attacks from happening?
500 points for a working solution.
Many thanks
Wes
you can run the tool tcpview to identify the ip address of the possible intruder.
http://technet.microsoft.com/de-de/sysinternals/bb897437
This live monitoring tool shows you all running services and ingoing connection (attempts).
After you got the address you can identify who might cause this issue.
http://technet.microsoft.com/de-de/sysinternals/bb897437
This live monitoring tool shows you all running services and ingoing connection (attempts).
After you got the address you can identify who might cause this issue.
ASKER
Thanks, but using our Network monitoring tool, we can already see the IP Address of the attacker. We want to stop all of their attempts from being written to the Windows Event Viewer. We thought that by turning off the exception to Port 3389 in the Windows Firewall that this would happen, but it has had no effect.
ASKER
@Spartan_1337 - thanks but we have read that link already earlier today. It is not a solution.
you could block access to the server in the firewall. this way it would not be possible to even access the service.
ASKER
@Tolomir: Please read our initial post. We have already blocked/removed access to port 3389 in the Windows Firewall.
I recently had an IP from Russia trying to hack RDP over 443, which completely filled up my security logs. I added an inbound rule just on my server and am no longer receiving failed audit attempts.
Rule Type: Custom
Program: All Programs
Protocol Type: Any
Which local IP addresses does this rule apply to? 192.168.1.13
White remote IP addresses does this rule apply to? <hacker/24>
Action: Block
Profile: Domain | Private | Public
Rule Type: Custom
Program: All Programs
Protocol Type: Any
Which local IP addresses does this rule apply to? 192.168.1.13
White remote IP addresses does this rule apply to? <hacker/24>
Action: Block
Profile: Domain | Private | Public
ASKER
motnahp00: How / where did you add this rule? And which operating system are you using?
Thanks
Thanks
I went ahead an created a GPO for my entire environment versus the one server which I have enabled port forwarding. I am running W2K8R2 but you should be able to create similar rules with W2K3.
ASKER
Thanks, but I'm not sure what a GPO is and it sounds a bit complicated considering that I am running Windows Server 2003. Thanks anyway.
One sec...
Let me fire up a W2K3 server and jot some notes for you.
Let me fire up a W2K3 server and jot some notes for you.
I really forgot how limited LGPOs were in W2K3.
Here's how I would configure the settings on the local server:
Control Panel -> Windows Firewall -> Exceptions tab -> Edit Remote Desktop -> Change Scope -> Custom list (add your exceptions here)
Here's how I would configure the settings on the local server:
Control Panel -> Windows Firewall -> Exceptions tab -> Edit Remote Desktop -> Change Scope -> Custom list (add your exceptions here)
ASKER
No, that doesn't help.
That stinks. Sorry that didn't help.
Is the "attack" coming from an internal or external IP address?
If External, then you secure that server by making sure it is not directly attached to the WWW.
If this is already the case, then you need to block access to your server on the FW.
That way, not traffic will be passed to your Server.
Your idealy configuration would at would start with:
WWW(Internet) --- FW(Hardware/software firewall) --- Server(running Windows Firewall)
Basically consider that port is now closed by putting a door in the way...so the attacks you are seeing is somebody knocking on the door. Will they get in? NO, the door is closed/port is blocked. Will you hear somebody knocking/attempt to access the port? Yes, you hear noise/see logged events in event viewer.
In order to stop people knocking on the door...you need to stop them from coming in by the gate(FW)
Using my analogy from above:
WWW -- Gate(HW/SW Firewall) -- Door(Windows firewall) -- Port(3389) -- Windows Server OS
What you need to understand is: if the port is blocked then nothing can come through that port. However, blocking the port does not stop somebody from trying to access the port. Which is what is happening here. Somebody is trying to access on Port 3389 but is being denied and then disconnected.
If External, then you secure that server by making sure it is not directly attached to the WWW.
If this is already the case, then you need to block access to your server on the FW.
That way, not traffic will be passed to your Server.
Your idealy configuration would at would start with:
WWW(Internet) --- FW(Hardware/software firewall) --- Server(running Windows Firewall)
Basically consider that port is now closed by putting a door in the way...so the attacks you are seeing is somebody knocking on the door. Will they get in? NO, the door is closed/port is blocked. Will you hear somebody knocking/attempt to access the port? Yes, you hear noise/see logged events in event viewer.
In order to stop people knocking on the door...you need to stop them from coming in by the gate(FW)
Using my analogy from above:
WWW -- Gate(HW/SW Firewall) -- Door(Windows firewall) -- Port(3389) -- Windows Server OS
What you need to understand is: if the port is blocked then nothing can come through that port. However, blocking the port does not stop somebody from trying to access the port. Which is what is happening here. Somebody is trying to access on Port 3389 but is being denied and then disconnected.
ASKER
dvt_localboy: Do you know if the Windows still logs (to the Event Viewer) attempts by someone to access a port that has been closed?
Thanks
Thanks
No, the event log does not log failed attempts to access a port.
What it does log is based on the auditing profile, either configured on the local server or via a group policy.
Check out the Local Security Policy:
Click Start, Adminsitrative Tools, Local Security Policy
Expand Local Policies
Click Audit Policy
The error that you are receiving is being logged because it is seen as a failed logon attempt to a know service.
You can test if your ports are open by using telnet:
telnet ServerName/IPAddress 3389
Any failed connection would indicate the port is blocked.
If it opens a dos prompt with just a flashing cursor the the port is open.
If you have many internet facing servers then consider external penetration testing.
You can start with online scans like Shields UP: https://www.grc.com/x/ne.dll?bh0bkyd2
Some reading re: Pentration testing
http://www.sans.org/reading_room/whitepapers/testing/penetration-101-introduction-penetration-tester_266
http://www.brighthub.com/computing/smb-security/articles/2530.aspx
https://beausanders.org/whitepapers/Do-It-Yourself_Security_Audit.pdf
Consider the Ethical Hacking course for formal training.
Who knows, you may be building a new career for yourself.
What it does log is based on the auditing profile, either configured on the local server or via a group policy.
Check out the Local Security Policy:
Click Start, Adminsitrative Tools, Local Security Policy
Expand Local Policies
Click Audit Policy
The error that you are receiving is being logged because it is seen as a failed logon attempt to a know service.
You can test if your ports are open by using telnet:
telnet ServerName/IPAddress 3389
Any failed connection would indicate the port is blocked.
If it opens a dos prompt with just a flashing cursor the the port is open.
If you have many internet facing servers then consider external penetration testing.
You can start with online scans like Shields UP: https://www.grc.com/x/ne.dll?bh0bkyd2
Some reading re: Pentration testing
http://www.sans.org/reading_room/whitepapers/testing/penetration-101-introduction-penetration-tester_266
http://www.brighthub.com/computing/smb-security/articles/2530.aspx
https://beausanders.org/whitepapers/Do-It-Yourself_Security_Audit.pdf
Consider the Ethical Hacking course for formal training.
Who knows, you may be building a new career for yourself.
ASKER
Thanks dvt_localboy - however, I have used telnet to check port 3389 and it does not show it as being open.
Could this whole thing perhaps be because after changing the RDP port using the appropriate key in the registry (from 3389 to 3390) that we haven't yet rebooted the server? ie do you think a reboot would fix this?
Thanks
Could this whole thing perhaps be because after changing the RDP port using the appropriate key in the registry (from 3389 to 3390) that we haven't yet rebooted the server? ie do you think a reboot would fix this?
Thanks
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Ok many thanks dvt_localboy. The information you have supplied has been very useful. Thank you. I will accept yours as the solution.<br /><br />Cheers<br /><br />Wes
http://technet.microsoft.com/en-us/library/cc775156%28WS.10%29.aspx