Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Microsof SBS 2003 Security Events

Posted on 2013-12-12
7
Medium Priority
?
231 Views
Last Modified: 2014-04-15
We use GFI Server monitoring, and we are experiencing 5 security events that repeatedly alert us from the Security Event Log. The total amount of alerts can reach into their thousands within the week. The alert descriptions indicate that the security event is triggered from internal users, computers and IP addresses.

There are 2 sites linked via a VPN. The primary site uses 10.0.0.0, whilst the remote site uses 192.168.1.0.

The alerts in question relate to the following Event ID's:
529
673
673
675
680

For further clarity, please see attached document providing event logs as extracted from the SBS Server, with accompanying notes at the bottom of each event.

I would like to identify the cause and resolution of each event.

Thank you in advance.
Event-ID-s.docx
0
Comment
Question by:swan_solutions
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39713793
What ports do you have open and forwarded to the server because a lot of them may be external hackers trying to break into your server using port 3389 for example.

Another problem with SBS is hackers trying port 25 to work out a username / password combo that works and my article can help sort that problem out for you:

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/

Alan
0
 

Author Comment

by:swan_solutions
ID: 39713913
The following ports are open:

Destination - SBS Server
3389
(access from specific destinations only - not open to general public)
1723
443
143


Destination - Analysis Computer using IP 10.0.0.76
12340 to 12360
(now closed as there is no further requirement for these ports to be open)

On the point of SMTP we have redirected port 77 (public) to port 25 (private). SMTP is routed via an external party and has been restricted to specific IP ranges
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39713933
No problems - if you don't use port 25 directly, then that will not be a problem.

Do you use IMAP?  Any reason to have that working as you shouldn't need it normally.

It seems to be that HPC009 is generating / appearing in a lot of the errors you are seeing.  Is there anything on that PC that shouldn't be there?

Have you run an AV / Malware scan on it?

Is the user having problems authenticating?

Others may be OWA problems as they are coming from the server itself (127.0.0.1).

What is your server internal IP address?

Alan
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 

Author Comment

by:swan_solutions
ID: 39717031
I have disabled the IMAP port as this is not longer in use.

I will investigate HPC009 and any user/AV/Malware related issus and report back on this.

When you say OWA problems, does anything specific spring to mind?

The server IP is 10.0.0.2

Thanks
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39725494
When I refer to OWA - it may be people failing to login to OWA which could be a genuine user or a hacker / script kiddie trying to break in that way.

Alan
0
 

Accepted Solution

by:
swan_solutions earned 0 total points
ID: 39991953
No resolution found on this issue
0
 

Author Closing Comment

by:swan_solutions
ID: 40001098
Other suggestions did not resolve this issue
0

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Because virtualization becomes more and more common, and, with Microsoft Hyper-V included in Windows Server at no additional costs, and, most server hardware nowadays is more than capable of running a physical Small Business Server (SBS) 2008 or 201…
Ever notice how you can't use a new drive in Windows without having Windows assigning a Disk Signature?  Ever have a signature collision problem (especially with Virtual Machines?)  This article is intended to help you understand what's going on and…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question