Solved

How to prevent unwanted logins on server?

Posted on 2013-10-25
5
583 Views
Last Modified: 2013-11-22
We have a cloud server on Rackspace. The event log revealed thousands of login attempts via winlogon.exe. We restricted Remote Desktop access to our IP. But now the attack appears to be coming from within our domain. 3 of our 25 domain computers are attempting to log in about 5 times per second.

We use Symantec antivirus and the definitions are up to date. We have started full scans of the machines. In the meantime, has anyone seen this before? Our in-house server is fine.
Question by:gerrystrat
5 Comments
 
LVL 61

Accepted Solution

by:
btan earned 333 total points
ID: 39602588
I assume the logon type you saw is 10, which indicates that the logon attempt was a remote interactive attempt via Terminal Services or Remote Desktop. As best practice, I would not expose Remote Desktop without a smart card or VPN solution.

Quite some time ago, there was this MS RDP vulnerability:
https://technet.microsoft.com/en-us/security/bulletin/ms12-020
https://secunia.com/advisories/48395

You can't stop someone from attempting the attack, but you can reduce their chance of success by keeping the system up to date with patches, by using some type of IDS/IPS, and by auditing your logs regularly to stay aware of the frequency and volume of the attempts. E.g. consider calling up your hosting provider and having them whitelist your source IPs for 3389 and drop all other traffic not originating from your sources.

http://social.technet.microsoft.com/Forums/windowsserver/en-US/76577df7-02dc-45fc-87d3-71edf9b51ab1/2003-terminal-server-winlogonexe-csrssexe-attack?forum=winserverTS
 
LVL 3

Assisted Solution

by:w_richard
w_richard earned 167 total points
ID: 39605274
There is no easy or really airtight solution for this.

But first of all communication to the backend should at least use SSL encryption to minimize the risk for a man in the middle attack.

Have a look at this video link:

http://www.youtube.com/watch?v=AcQVGRy00

It can be that it turned out to be caused by an attempt to get into the server through Remote Desktop/Terminal Services, either a brute-force or massive dictionary attack (every RDP logon attempt causes LogonUI to spawn). Check your System and Security event logs; they'll contain more information (such as the originating IP of any failed remote logon attempts).
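An added example (mine, not code from either answer) of the log audit both answers suggest: it parses a constructed one-event-per-line export of Security log logon events, keeps only failed logons (4625) of logon type 10 (RDP), and flags sources whose failures peak at several per second, the pattern the question describes. The export format, host names and IP addresses are assumed for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample export (one event per line); field names mirror the real 4625/4624 events, values are made up.
SAMPLE_LOG = """\
2013-10-25 09:00:00.100 EventID=4625 LogonType=10 Workstation=WS-07 SourceIP=10.0.0.17 Account=administrator
2013-10-25 09:00:00.300 EventID=4625 LogonType=10 Workstation=WS-07 SourceIP=10.0.0.17 Account=admin
2013-10-25 09:00:00.500 EventID=4625 LogonType=10 Workstation=WS-07 SourceIP=10.0.0.17 Account=backup
2013-10-25 09:00:00.700 EventID=4625 LogonType=10 Workstation=WS-07 SourceIP=10.0.0.17 Account=guest
2013-10-25 09:00:00.900 EventID=4625 LogonType=10 Workstation=WS-07 SourceIP=10.0.0.17 Account=sqlsvc
2013-10-25 09:00:01.100 EventID=4625 LogonType=10 Workstation=WS-07 SourceIP=10.0.0.17 Account=test
2013-10-25 09:00:03.000 EventID=4625 LogonType=10 Workstation=WS-12 SourceIP=10.0.0.22 Account=jsmith
2013-10-25 09:00:14.000 EventID=4625 LogonType=10 Workstation=WS-12 SourceIP=10.0.0.22 Account=jsmith
2013-10-25 09:00:20.000 EventID=4625 LogonType=2 Workstation=FILESRV SourceIP=- Account=svc_backup
"""
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) EventID=(?P<eid>\d+) LogonType=(?P<ltype>\d+) "
    r"Workstation=(?P<ws>\S+) SourceIP=(?P<ip>\S+) Account=(?P<acct>\S+)$")

def parse_events(text):
    """Parse the export; lines that do not match the expected format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                           "event_id": int(m["eid"]), "logon_type": int(m["ltype"]),
                           "workstation": m["ws"], "source_ip": m["ip"], "account": m["acct"]})
    return events

def max_per_window(times, window_s):
    """Largest number of timestamps inside any window_s-second span (sliding window)."""
    times, best, start = sorted(times), 0, 0
    for end, t in enumerate(times):
        while t - times[start] >= timedelta(seconds=window_s):
            start += 1  # oldest event fell out of the window
        best = max(best, end - start + 1)
    return best

def rdp_failure_peaks(events, window_s=1.0):
    """Peak failed RDP logons (4625 with logon type 10) per (workstation, source IP)."""
    by_source = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["logon_type"] == 10:
            by_source[(e["workstation"], e["source_ip"])].append(e["ts"])
    return {src: max_per_window(ts, window_s) for src, ts in by_source.items()}

def flag_brute_force(events, window_s=1.0, threshold=3):
    """Sources whose peak failure rate reaches the threshold; a person mistyping a password is far slower."""
    return sorted(src for src, n in rdp_failure_peaks(events, window_s).items() if n >= threshold)
```

On the sample, WS-07 peaks at 5 failures in one second and is flagged, while WS-12's two failures eleven seconds apart and the non-RDP logon on FILESRV are not.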
 
LVL 61

Assisted Solution

by:btan
btan earned 333 total points
ID: 39605430
Go for a baseline image for all workstations and a baseline network traffic norm, especially on the critical services. Capturing the load metrics using SNMP and piping syslog to SIEMs can piece together the big ops picture to drill into anomalies. Those playful workstations are likely breached unintentionally via USB drive, with malware doing internal callback and recon. It is just an assumption, but starting off from a clean slate and hardened state will help to isolate and respond faster.

The key is continuous monitoring.
 

Author Closing Comment

by:gerrystrat
ID: 39606477
w_richard, the video no longer exists
 
LVL 3

Expert Comment

by:w_richard
ID: 39608025
Maybe it was removed after I watched it and gave you the link to it.

Sorry about this.
