Solved

How to prevent unwanted logins on server?

Posted on 2013-10-25
591 Views
Last Modified: 2013-11-22
We have a cloud server on Rackspace. The event log revealed thousands of login attempts via winlogon.exe. We restricted Remote Desktop access to our IP. But now the attack appears to be coming from within our domain. 3 of our 25 domain computers are attempting to log in about 5 times per second.

We use Symantec antivirus and the definitions are up to date. We have started full scans of the machines. In the meantime, has anyone seen this before? Our in-house server is fine.
Question by:gerrystrat
5 Comments
LVL 62

Accepted Solution

by:
btan earned 333 total points
ID: 39602588
I assumed the logon type you saw is 10, which indicates that the logon attempt was a remote interactive attempt via Terminal Services or Remote Desktop. As best practice, I would not expose Remote Desktop without a smart card or VPN solution.

Quite some time ago there was this MS RDP vulnerability:
https://technet.microsoft.com/en-us/security/bulletin/ms12-020
https://secunia.com/advisories/48395

You can't stop someone from attempting the attack, but you can reduce their chance of success by keeping the system up to date with patches, by using some type of IDS/IPS, and by auditing your logs regularly to stay aware of the frequency and volume of the attempts. E.g. consider calling up your hosting provider and having them whitelist your source IPs for 3389 and drop all other traffic not originating from your sources.

http://social.technet.microsoft.com/Forums/windowsserver/en-US/76577df7-02dc-45fc-87d3-71edf9b51ab1/2003-terminal-server-winlogonexe-csrssexe-attack?forum=winserverTS
 
LVL 3

Assisted Solution

by:w_richard
w_richard earned 167 total points
ID: 39605274
There is no easy or really airtight solution for this.

But first of all, communication to the backend should at least use SSL encryption to minimize the risk of a man-in-the-middle attack.

Have a look at this video link:

http://www.youtube.com/watch?v=AcQVGRy00

And it may turn out to be caused by an attempt to get into the server through Remote Desktop/Terminal Services - either a brute-force or a massive dictionary attack (every RDP logon attempt causes LogonUI to spawn). Check your System and Security event logs; they'll contain more information (such as the originating IP of any failed remote logon attempts).
 
LVL 62

Assisted Solution

by:btan
btan earned 333 total points
ID: 39605430
Go for a baseline image for all workstations and a baseline network traffic norm, especially on the critical services. Capturing the load metrics using SNMP and piping syslog to SIEMs can piece together the big ops picture to drill into anomalies. Those playful workstations are likely breached unintentionally via USB drive, with malware doing internal callback and recon. It is just an assumption, but starting off from a clean slate and hardened state will help to isolate and respond faster.

Key is continuous monitoring.
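
Pulling the advice in this thread together (btan: check that the logon type is 10 and audit the logs for frequency and volume; w_richard: the Security log carries the originating address of each failed remote logon; btan again: compare hosts against a baseline to find anomalies), here is an added example that is not code from any of the posters. It aggregates failed-logon events per source workstation/IP, keeps only RemoteInteractive (type 10) failures, works out the sustained attempt rate and flags sources above a baseline threshold, and marks whether the source is inside the domain's private ranges. It assumes the server logs Windows Security event 4625 for failed logons, using the standard 4625 EventData field names (LogonType, IpAddress, WorkstationName, TargetUserName); the event records, the RFC 1918 "internal" subnets and the 1 attempt/second threshold are constructed for the example.

```python
"""Group failed-logon events by source to spot RDP brute-force, including
attempts that come from inside the domain.

Added example for this thread, not code from any of the posters. Assumes
Windows Security event 4625 (failed logon) exported as event XML; the sample
records below are constructed.
"""
import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Logon type 10 = RemoteInteractive (Terminal Services / Remote Desktop).
REMOTE_INTERACTIVE = "10"

# Constructed stand-in for the questioner's domain network (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

BASE = datetime(2013, 10, 25, 8, 0, 0, tzinfo=timezone.utc)


def make_event(ts, logon_type, ip, workstation, user):
    """Build one constructed 4625 record in the exported-event XML layout."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="{ts}"/></System>
  <EventData>
    <Data Name="TargetUserName">{user}</Data>
    <Data Name="LogonType">{logon_type}</Data>
    <Data Name="WorkstationName">{workstation}</Data>
    <Data Name="IpAddress">{ip}</Data>
  </EventData>
</Event>"""


def _stamp(offset_seconds):
    """Windows-style UTC timestamp (trailing Z) at BASE + offset."""
    return (BASE + timedelta(seconds=offset_seconds)).strftime("%Y-%m-%dT%H:%M:%S.%f") + "Z"


def build_sample_events():
    """Constructed data: two internal workstations hammering RDP, one slow
    external source, one console (type 2) failure and one isolated RDP typo."""
    events = []
    for i in range(11):  # 11 attempts in 2 s, one account, from WS-ACCOUNTS
        events.append(make_event(_stamp(0.2 * i), "10", "10.0.0.21", "WS-ACCOUNTS", "Administrator"))
    for i, user in enumerate(["admin", "administrator", "backup", "sql", "guest", "root"]):
        events.append(make_event(_stamp(0.2 * i), "10", "10.0.0.37", "WS-RECEPTION", user))
    for i in range(3):  # external source, one try every 30 s
        events.append(make_event(_stamp(30 * i), "10", "203.0.113.45", "-", "Administrator"))
    events.append(make_event(_stamp(5), "2", "10.0.0.5", "WS-HR", "jsmith"))  # not RDP, ignored
    events.append(make_event(_stamp(7), "10", "10.0.0.50", "WS-HR", "jsmith"))  # single failure
    return events


def parse_event(xml_text):
    """Extract the 4625 fields this report needs from one event record."""
    root = ET.fromstring(xml_text)
    ts = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "event_id": root.findtext("e:System/e:EventID", namespaces=NS),
        "time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "logon_type": data.get("LogonType", ""),
        "ip": data.get("IpAddress", "-"),
        "workstation": data.get("WorkstationName", "-"),
        "user": data.get("TargetUserName", ""),
    }


def is_internal(ip):
    """True if the address falls inside the constructed internal ranges.
    4625 records '-' when no network address is known; that counts as external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def summarize_failures(xml_events, rate_threshold=1.0):
    """Per (IpAddress, WorkstationName): count type-10 failures, compute the
    sustained rate between first and last attempt, and flag sources whose
    rate exceeds rate_threshold. Sorted by attempt count, descending."""
    by_source = defaultdict(list)
    for ev in map(parse_event, xml_events):
        if ev["event_id"] == "4625" and ev["logon_type"] == REMOTE_INTERACTIVE:
            by_source[(ev["ip"], ev["workstation"])].append(ev)
    report = []
    for (ip, ws), evs in by_source.items():
        times = sorted(e["time"] for e in evs)
        span = (times[-1] - times[0]).total_seconds()
        rate = len(evs) / span if span > 0 else 0.0  # a lone failure has no rate
        report.append({"ip": ip, "workstation": ws, "attempts": len(evs),
                       "rate_per_sec": round(rate, 2),
                       "users": sorted({e["user"] for e in evs}),
                       "internal": is_internal(ip), "flagged": rate > rate_threshold})
    report.sort(key=lambda r: r["attempts"], reverse=True)
    return report


if __name__ == "__main__":
    for r in summarize_failures(build_sample_events()):
        print(f'{"FLAG" if r["flagged"] else "ok  "} {r["ip"]:>15} {r["workstation"]:<13} '
              f'{"internal" if r["internal"] else "external":<8} attempts={r["attempts"]:<3} '
              f'rate/s={r["rate_per_sec"]:<5} users={",".join(r["users"])}')
```

Run against real data, the input would be the output of an event export (for example the XML produced by wevtutil or forwarded to a SIEM) rather than the constructed records. Keying on both IpAddress and WorkstationName matters for the internal case described in the question: the workstation name identifies which domain machines to pull for scanning even when the address field is missing, and a source that cycles through many account names at several attempts per second stands out from a user who mistyped a password once.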
 

Author Closing Comment

by:gerrystrat
ID: 39606477
w_richard, the video no longer exists
 
LVL 3

Expert Comment

by:w_richard
ID: 39608025
Maybe it was removed after I watched it and gave you the link.

Sorry about this.