Solved

How to turn off Remote Web Workplace

Posted on 2014-10-15
Last Modified: 2016-10-27
How do I turn off Remote Web Workplace? I can't find information on this for SBS2008. I believe my system is under attack right now and I need to first turn off remote access.
Question by:jmarkfoley
LVL 15

Accepted Solution

by: It breaks therefore I am (earned 500 total points)
Also applies to 2008 - http://technet.microsoft.com/en-gb/library/cc527621.aspx

What makes you think you are under attack?
 
LVL 1

Author Comment

by:jmarkfoley
Thanks - I was at the link before, but missed the 'Website' tab.

> What makes you think you are under attack ?

Between 8:00 and 10:00 this morning I have 300+ event 4771 messages as follows:
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/15/2014 9:45:06 AM
Event ID:      4771
Task Category: Kerberos Authentication Service
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      MAIL.hprs.local
Description:
Kerberos pre-authentication failed.

Account Information:
	Security ID:		HPRS\BETH$
	Account Name:		BETH$

Service Information:
	Service Name:		krbtgt/HPRS.LOCAL

Network Information:
	Client Address:		::ffff:192.168.0.46
	Client Port:		50109

Additional Information:
	Ticket Options:		0x40810010
	Failure Code:		0x18
	Pre-Authentication Type:	2

Certificate Information:
	Certificate Issuer Name:		
	Certificate Serial Number: 	
	Certificate Thumbprint:		

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4771</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14339</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2014-10-15T13:45:06.490Z" />
    <EventRecordID>287137781</EventRecordID>
    <Correlation />
    <Execution ProcessID="708" ThreadID="3044" />
    <Channel>Security</Channel>
    <Computer>MAIL.hprs.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">BETH$</Data>
    <Data Name="TargetSid">S-1-5-21-960357547-1729513136-1779326955-1224</Data>
    <Data Name="ServiceName">krbtgt/HPRS.LOCAL</Data>
    <Data Name="TicketOptions">0x40810010</Data>
    <Data Name="Status">0x18</Data>
    <Data Name="PreAuthType">2</Data>
    <Data Name="IpAddress">::ffff:192.168.0.46</Data>
    <Data Name="IpPort">50109</Data>
    <Data Name="CertIssuerName">
    </Data>
    <Data Name="CertSerialNumber">
    </Data>
    <Data Name="CertThumbprint">
    </Data>
  </EventData>
</Event>



I also have a number of suspicious events:
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/15/2014 9:55:19 AM
Event ID:      4672
Task Category: Special Logon
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      MAIL.hprs.local
Description:
Special privileges assigned to new logon.

Subject:
	Security ID:		SYSTEM
	Account Name:		MAIL$
	Account Domain:		HPRS
	Logon ID:		0xc87a27ef

Privileges:		SeSecurityPrivilege
			SeBackupPrivilege
			SeRestorePrivilege
			SeTakeOwnershipPrivilege
			SeDebugPrivilege
			SeSystemEnvironmentPrivilege
			SeLoadDriverPrivilege
			SeImpersonatePrivilege
			SeEnableDelegationPrivilege
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4672</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12548</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2014-10-15T13:55:19.902Z" />
    <EventRecordID>287139132</EventRecordID>
    <Correlation />
    <Execution ProcessID="708" ThreadID="14332" />
    <Channel>Security</Channel>
    <Computer>MAIL.hprs.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">MAIL$</Data>
    <Data Name="SubjectDomainName">HPRS</Data>
    <Data Name="SubjectLogonId">0xc87a27ef</Data>
    <Data Name="PrivilegeList">SeSecurityPrivilege
			SeBackupPrivilege
			SeRestorePrivilege
			SeTakeOwnershipPrivilege
			SeDebugPrivilege
			SeSystemEnvironmentPrivilege
			SeLoadDriverPrivilege
			SeImpersonatePrivilege
			SeEnableDelegationPrivilege</Data>
  </EventData>
</Event>

And hundreds of these:
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/15/2014 10:13:00 AM
Event ID:      4634
Task Category: Logoff
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      MAIL.hprs.local
Description:
An account was logged off.

Subject:
	Security ID:		S-1-5-7
	Account Name:		ANONYMOUS LOGON
	Account Domain:		NT AUTHORITY
	Logon ID:		0xc8884c39

Logon Type:			3

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4634</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12545</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2014-10-15T14:13:00.568Z" />
    <EventRecordID>287140976</EventRecordID>
    <Correlation />
    <Execution ProcessID="708" ThreadID="5612" />
    <Channel>Security</Channel>
    <Computer>MAIL.hprs.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserSid">S-1-5-7</Data>
    <Data Name="TargetUserName">ANONYMOUS LOGON</Data>
    <Data Name="TargetDomainName">NT AUTHORITY</Data>
    <Data Name="TargetLogonId">0xc8884c39</Data>
    <Data Name="LogonType">3</Data>
  </EventData>
</Event>

 
LVL 15

Expert Comment

by:It breaks therefore I am
Hi, always from the same?

Account Information:
      Security ID:            HPRS\BETH$
      Account Name:            BETH$

Network Information:
      Client Address:            ::ffff:192.168.0.46
 
LVL 35

Expert Comment

by:Cris Hanna
That's an internal IP isn't it?  I'd identify that machine and scan with 3 or 4 malware tools as it may have a bit.  

Also is port 80 open on your router and IIS is then redirecting to 443?
 
LVL 1

Author Comment

by:jmarkfoley
Yes, it is an internal IP, and it turns out that the problem was NOT an attempted break-in after all. The legitimate workstation BETH was trying over and over to connect to the domain controller for hours until user Beth finally cycled power.

What was the problem? It turns out to be Microsoft update KB2949927!!!! This recent update is all over the web as causing computers to get corrupted and not boot. I couldn't even restore to a previous restore point. I've spent all day yesterday doing Acronis image restores and re-applying updates one-by-one to find the problem.

I still need to figure out a fix, but as this question had to do with turning off remote web workplace, I'll post this problem as a separate question.
 
LVL 1

Author Closing Comment

by:jmarkfoley
This post answered my actual question, though that doesn't end up being the actual problem!
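
A triage sketch for the 4771 flood discussed in this thread, added here as an example and not posted by any participant: it groups exported Event XML by account and client address, unwraps the `::ffff:` IPv4-mapped form, and labels RFC 1918 sources with computer accounts (names ending in `$`) separately from external ones. The function names and the sample records are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def make_event(user, ip, status="0x18"):
    """Build a constructed, trimmed 4771 record in the layout shown in the thread."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4771</EventID></System>'
            f'<EventData><Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="Status">{status}</Data>'
            f'<Data Name="IpAddress">{ip}</Data></EventData></Event>')

def parse_4771(xml_text):
    """Return (account, client address or None, status) for a 4771 event, else None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4771":
        return None
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    account, status = data.get("TargetUserName", ""), data.get("Status", "").lower()
    try:
        addr = ipaddress.ip_address(data.get("IpAddress", ""))
    except ValueError:              # field missing or not an address
        return account, None, status
    # IPv4 clients are logged as IPv4-mapped IPv6 (::ffff:a.b.c.d); unwrap them.
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return account, addr, status

def classify(account, addr):
    """Label the source so internal computer-account failures stand apart."""
    if addr is None:
        return "unknown-source"
    internal = addr.version == 4 and any(addr in net for net in RFC1918)
    kind = "computer-account" if account.endswith("$") else "user-account"
    return f"{'internal' if internal else 'external'}-{kind}"

def summarize(events_xml):
    """Return [(account, client, status, label, count)], most frequent first."""
    counts = Counter(p for p in map(parse_4771, events_xml) if p)
    return [(acct, str(addr) if addr is not None else "-", status,
             classify(acct, addr), n)
            for (acct, addr, status), n in counts.most_common()]

# Constructed sample: repeated failures like the thread's, plus two other sources.
SAMPLE = ([make_event("BETH$", "::ffff:192.168.0.46")] * 5
          + [make_event("administrator", "::ffff:203.0.113.9")] * 2
          + [make_event("jsmith", "::ffff:192.168.0.20")])
```

A top row labelled `internal-computer-account` matches what the thread found: a domain workstation repeatedly failing pre-authentication, which points at that machine rather than at the Internet-facing Remote Web Workplace site.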