Solved

How to turn off Remote Web Workplace

Posted on 2014-10-15
Last Modified: 2016-10-27
How do I turn off Remote Web Workplace? I can't find information on this for SBS2008. I believe my system is under attack right now and I need to first turn off remote access.
Question by:jmarkfoley
LVL 15

Accepted Solution

by:
. earned 2000 total points
ID: 40382216
Also applies to 2008 - http://technet.microsoft.com/en-gb/library/cc527621.aspx

What makes you think you are under attack?
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40382254
Thanks - I was at the link before, but missed the 'Website' tab.

> What makes you think you are under attack?

Between 8:00 and 10:00 this morning I have 300+ event 4771 messages as follows:
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/15/2014 9:45:06 AM
Event ID:      4771
Task Category: Kerberos Authentication Service
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      MAIL.hprs.local
Description:
Kerberos pre-authentication failed.

Account Information:
	Security ID:		HPRS\BETH$
	Account Name:		BETH$

Service Information:
	Service Name:		krbtgt/HPRS.LOCAL

Network Information:
	Client Address:		::ffff:192.168.0.46
	Client Port:		50109

Additional Information:
	Ticket Options:		0x40810010
	Failure Code:		0x18
	Pre-Authentication Type:	2

Certificate Information:
	Certificate Issuer Name:		
	Certificate Serial Number: 	
	Certificate Thumbprint:		

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4771</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14339</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2014-10-15T13:45:06.490Z" />
    <EventRecordID>287137781</EventRecordID>
    <Correlation />
    <Execution ProcessID="708" ThreadID="3044" />
    <Channel>Security</Channel>
    <Computer>MAIL.hprs.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">BETH$</Data>
    <Data Name="TargetSid">S-1-5-21-960357547-1729513136-1779326955-1224</Data>
    <Data Name="ServiceName">krbtgt/HPRS.LOCAL</Data>
    <Data Name="TicketOptions">0x40810010</Data>
    <Data Name="Status">0x18</Data>
    <Data Name="PreAuthType">2</Data>
    <Data Name="IpAddress">::ffff:192.168.0.46</Data>
    <Data Name="IpPort">50109</Data>
    <Data Name="CertIssuerName">
    </Data>
    <Data Name="CertSerialNumber">
    </Data>
    <Data Name="CertThumbprint">
    </Data>
  </EventData>
</Event>

I also have a number of suspicious events:
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/15/2014 9:55:19 AM
Event ID:      4672
Task Category: Special Logon
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      MAIL.hprs.local
Description:
Special privileges assigned to new logon.

Subject:
	Security ID:		SYSTEM
	Account Name:		MAIL$
	Account Domain:		HPRS
	Logon ID:		0xc87a27ef

Privileges:		SeSecurityPrivilege
			SeBackupPrivilege
			SeRestorePrivilege
			SeTakeOwnershipPrivilege
			SeDebugPrivilege
			SeSystemEnvironmentPrivilege
			SeLoadDriverPrivilege
			SeImpersonatePrivilege
			SeEnableDelegationPrivilege
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4672</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12548</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2014-10-15T13:55:19.902Z" />
    <EventRecordID>287139132</EventRecordID>
    <Correlation />
    <Execution ProcessID="708" ThreadID="14332" />
    <Channel>Security</Channel>
    <Computer>MAIL.hprs.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">MAIL$</Data>
    <Data Name="SubjectDomainName">HPRS</Data>
    <Data Name="SubjectLogonId">0xc87a27ef</Data>
    <Data Name="PrivilegeList">SeSecurityPrivilege
			SeBackupPrivilege
			SeRestorePrivilege
			SeTakeOwnershipPrivilege
			SeDebugPrivilege
			SeSystemEnvironmentPrivilege
			SeLoadDriverPrivilege
			SeImpersonatePrivilege
			SeEnableDelegationPrivilege</Data>
  </EventData>
</Event>

And hundreds of these:
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/15/2014 10:13:00 AM
Event ID:      4634
Task Category: Logoff
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      MAIL.hprs.local
Description:
An account was logged off.

Subject:
	Security ID:		S-1-5-7
	Account Name:		ANONYMOUS LOGON
	Account Domain:		NT AUTHORITY
	Logon ID:		0xc8884c39

Logon Type:			3

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4634</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12545</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2014-10-15T14:13:00.568Z" />
    <EventRecordID>287140976</EventRecordID>
    <Correlation />
    <Execution ProcessID="708" ThreadID="5612" />
    <Channel>Security</Channel>
    <Computer>MAIL.hprs.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserSid">S-1-5-7</Data>
    <Data Name="TargetUserName">ANONYMOUS LOGON</Data>
    <Data Name="TargetDomainName">NT AUTHORITY</Data>
    <Data Name="TargetLogonId">0xc8884c39</Data>
    <Data Name="LogonType">3</Data>
  </EventData>
</Event>

0
 
LVL 15

Expert Comment

by:.
ID: 40382318
Hi, Always from the same ?

Account Information:
      Security ID:            HPRS\BETH$
      Account Name:            BETH$

Network Information:
      Client Address:            ::ffff:192.168.0.46
0
LVL 35

Expert Comment

by:Cris Hanna
ID: 40383972
That's an internal IP isn't it?  I'd identify that machine and scan with 3 or 4 malware tools as it may have a bit.  

Also is port 80 open on your router and IIS is then redirecting to 443?
0
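
The triage the two replies above ask for (is it always the same account and source, and is that source internal?), as an added example that is not part of the original thread: it groups exported 4771 events by account and client address and decodes the RFC 4120 status code. The sample events are constructed and reduced to the fields in the posted event; `jdoe` and `203.0.113.9` are made-up values.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Kerberos error codes from RFC 4120, as carried in the 4771 Status field.
KRB_STATUS = {
    0x12: "KDC_ERR_CLIENT_REVOKED: client credentials have been revoked",
    0x18: "KDC_ERR_PREAUTH_FAILED: pre-authentication information was invalid",
    0x25: "KRB_AP_ERR_SKEW: clock skew too great",
}

def parse_4771(xml_text):
    """Return (account, source_ip, status) for a 4771 event, else None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4771":
        return None
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    ip = ipaddress.ip_address(data["IpAddress"])
    # IPv4 clients are logged as IPv4-mapped IPv6 (::ffff:a.b.c.d); unwrap.
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return data["TargetUserName"], ip, int(data["Status"], 16)

def summarize(events_xml):
    """Group 4771 failures by (account, source, status), most frequent first."""
    counts = Counter(filter(None, map(parse_4771, events_xml)))
    return [{
        "account": account,
        "machine_account": account.endswith("$"),  # computer accounts end in $
        "source": str(ip),
        "internal": any(ip in net for net in RFC1918),
        "status": KRB_STATUS.get(status, hex(status)),
        "count": n,
    } for (account, ip, status), n in counts.most_common()]

def _sample(account, ip, status="0x18", event_id=4771):
    # Constructed event reduced to the fields used above (not real log data).
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="TargetUserName">{account}</Data><Data Name="Status">'
            f'{status}</Data><Data Name="IpAddress">{ip}</Data></EventData></Event>')

SAMPLE = ([_sample("BETH$", "::ffff:192.168.0.46")] * 3
          + [_sample("jdoe", "::ffff:203.0.113.9"),
             _sample("BETH$", "::ffff:192.168.0.46", event_id=4634)])
if __name__ == "__main__":
    print(*summarize(SAMPLE), sep="\n")
```

A single machine account failing repeatedly from one internal address, as in the posted event, points at that workstation rather than at the externally published site.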
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40384237
Yes, it is an internal IP, and it turns out that the problem was NOT an attempted break-in after all. The legitimate workstation BETH was trying over and over to connect to the domain controller for hours until user Beth finally cycled power.

What was the problem? It turns out to be Microsoft update KB2949927!!!! This recent update is all over the web as causing computers to get corrupted and not boot. I couldn't even restore to a previous restore point. I've spent all day yesterday doing Acronis image restores and re-applying updates one-by-one to find the problem.

I still need to figure out a fix, but as this question had to do with turning off remote web workplace, I'll post this problem as a separate question.
0
 
LVL 1

Author Closing Comment

by:jmarkfoley
ID: 40384242
This post answered my actual question, though that doesn't end up being the actual problem!
0
