Solved

How to turn off Remote Web Workplace

Posted on 2014-10-15
Last Modified: 2016-10-27
How do I turn off Remote Web Workplace? I can't find information on this for SBS2008. I believe my system is under attack right now and I need to first turn off remote access.
Question by:jmarkfoley
 
LVL 15

Accepted Solution

by:
. earned 500 total points
ID: 40382216
Also applies to 2008 - http://technet.microsoft.com/en-gb/library/cc527621.aspx

What makes you think you are under attack?
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40382254
Thanks - I was at the link before, but missed the 'Website' tab.

> What makes you think you are under attack?

Between 8:00 and 10:00 this morning I have 300+ event 4771 messages as follows:
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/15/2014 9:45:06 AM
Event ID:      4771
Task Category: Kerberos Authentication Service
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      MAIL.hprs.local
Description:
Kerberos pre-authentication failed.

Account Information:
	Security ID:		HPRS\BETH$
	Account Name:		BETH$

Service Information:
	Service Name:		krbtgt/HPRS.LOCAL

Network Information:
	Client Address:		::ffff:192.168.0.46
	Client Port:		50109

Additional Information:
	Ticket Options:		0x40810010
	Failure Code:		0x18
	Pre-Authentication Type:	2

Certificate Information:
	Certificate Issuer Name:		
	Certificate Serial Number: 	
	Certificate Thumbprint:		

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4771</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14339</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2014-10-15T13:45:06.490Z" />
    <EventRecordID>287137781</EventRecordID>
    <Correlation />
    <Execution ProcessID="708" ThreadID="3044" />
    <Channel>Security</Channel>
    <Computer>MAIL.hprs.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">BETH$</Data>
    <Data Name="TargetSid">S-1-5-21-960357547-1729513136-1779326955-1224</Data>
    <Data Name="ServiceName">krbtgt/HPRS.LOCAL</Data>
    <Data Name="TicketOptions">0x40810010</Data>
    <Data Name="Status">0x18</Data>
    <Data Name="PreAuthType">2</Data>
    <Data Name="IpAddress">::ffff:192.168.0.46</Data>
    <Data Name="IpPort">50109</Data>
    <Data Name="CertIssuerName">
    </Data>
    <Data Name="CertSerialNumber">
    </Data>
    <Data Name="CertThumbprint">
    </Data>
  </EventData>
</Event>


I also have a number of suspicious events:
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/15/2014 9:55:19 AM
Event ID:      4672
Task Category: Special Logon
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      MAIL.hprs.local
Description:
Special privileges assigned to new logon.

Subject:
	Security ID:		SYSTEM
	Account Name:		MAIL$
	Account Domain:		HPRS
	Logon ID:		0xc87a27ef

Privileges:		SeSecurityPrivilege
			SeBackupPrivilege
			SeRestorePrivilege
			SeTakeOwnershipPrivilege
			SeDebugPrivilege
			SeSystemEnvironmentPrivilege
			SeLoadDriverPrivilege
			SeImpersonatePrivilege
			SeEnableDelegationPrivilege
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4672</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12548</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2014-10-15T13:55:19.902Z" />
    <EventRecordID>287139132</EventRecordID>
    <Correlation />
    <Execution ProcessID="708" ThreadID="14332" />
    <Channel>Security</Channel>
    <Computer>MAIL.hprs.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">MAIL$</Data>
    <Data Name="SubjectDomainName">HPRS</Data>
    <Data Name="SubjectLogonId">0xc87a27ef</Data>
    <Data Name="PrivilegeList">SeSecurityPrivilege
			SeBackupPrivilege
			SeRestorePrivilege
			SeTakeOwnershipPrivilege
			SeDebugPrivilege
			SeSystemEnvironmentPrivilege
			SeLoadDriverPrivilege
			SeImpersonatePrivilege
			SeEnableDelegationPrivilege</Data>
  </EventData>
</Event>

And hundreds of these:
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/15/2014 10:13:00 AM
Event ID:      4634
Task Category: Logoff
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      MAIL.hprs.local
Description:
An account was logged off.

Subject:
	Security ID:		S-1-5-7
	Account Name:		ANONYMOUS LOGON
	Account Domain:		NT AUTHORITY
	Logon ID:		0xc8884c39

Logon Type:			3

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4634</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12545</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2014-10-15T14:13:00.568Z" />
    <EventRecordID>287140976</EventRecordID>
    <Correlation />
    <Execution ProcessID="708" ThreadID="5612" />
    <Channel>Security</Channel>
    <Computer>MAIL.hprs.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserSid">S-1-5-7</Data>
    <Data Name="TargetUserName">ANONYMOUS LOGON</Data>
    <Data Name="TargetDomainName">NT AUTHORITY</Data>
    <Data Name="TargetLogonId">0xc8884c39</Data>
    <Data Name="LogonType">3</Data>
  </EventData>
</Event>


0
 
LVL 15

Expert Comment

by:.
ID: 40382318
Hi, always from the same?

Account Information:
      Security ID:            HPRS\BETH$
      Account Name:            BETH$

Network Information:
      Client Address:            ::ffff:192.168.0.46
0

 
LVL 35

Expert Comment

by:Cris Hanna
ID: 40383972
That's an internal IP, isn't it? I'd identify that machine and scan with 3 or 4 malware tools as it may have a bit.

Also is port 80 open on your router and IIS is then redirecting to 443?
0
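
Added example, not part of the original thread: a triage script for the two questions asked above (is it always the same account and client address, and is that address internal?), run over Event XML exported from the Security log. The `192.168.0.0/24` LAN range, the wrapping `<Events>` root element, the helper names and the sample events are assumptions constructed for this example.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LAN = [ipaddress.ip_network("192.168.0.0/24")]  # assumed LAN range for this site
KRB_ERRORS = {  # error codes from RFC 4120, section 7.5.9
    0x12: "KDC_ERR_CLIENT_REVOKED",
    0x17: "KDC_ERR_KEY_EXPIRED",
    0x18: "KDC_ERR_PREAUTH_FAILED",
    0x25: "KRB_AP_ERR_SKEW",
}

def parse_4771(xml_text):
    """Yield (account, client address, status) for each 4771 event."""
    for ev in ET.fromstring(xml_text).iter("{%s}Event" % NS["e"]):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4771":
            continue  # ignore 4672, 4634 and everything else
        data = {d.get("Name"): (d.text or "").strip()
                for d in ev.iterfind("e:EventData/e:Data", NS)}
        ip = ipaddress.ip_address(data["IpAddress"])
        # The DC records IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d)
        ip = getattr(ip, "ipv4_mapped", None) or ip
        yield data["TargetUserName"], ip, int(data["Status"], 16)

def triage(xml_text, lan=LAN):
    """Count failures per (account, source, error), most frequent first."""
    rows = []
    for (account, ip, status), n in Counter(parse_4771(xml_text)).most_common():
        rows.append({"account": account, "client": str(ip), "count": n,
                     "error": KRB_ERRORS.get(status, hex(status)),
                     "machine_account": account.endswith("$"),
                     "internal": any(ip in net for net in lan)})
    return rows

def _event(event_id, user, ip, status="0x18"):
    """Build a minimal constructed event with only the fields used above."""
    return ('<Event xmlns="%s"><System><EventID>%s</EventID></System><EventData>'
            '<Data Name="TargetUserName">%s</Data><Data Name="Status">%s</Data>'
            '<Data Name="IpAddress">%s</Data></EventData></Event>'
            % (NS["e"], event_id, user, status, ip))

# Constructed sample: three failures like the one posted, one contrasting
# source outside the LAN (documentation address), and one unrelated 4634
SAMPLE = "<Events>%s</Events>" % "".join(
    [_event(4771, "BETH$", "::ffff:192.168.0.46")] * 3
    + [_event(4771, "jdoe", "::ffff:203.0.113.7"), _event(4634, "x", "-")])

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

A single row with `machine_account` and `internal` both true and a high count matches the pattern in the posted log: one domain-joined computer retrying from the LAN, which is worth checking on that workstation before treating it as an external break-in attempt.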
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40384237
Yes, it is an internal IP, and it turns out that the problem was NOT an attempted break-in after all. The legitimate workstation BETH was trying over and over to connect to the domain controller for hours until user Beth finally cycled power.

What was the problem? It turns out to be Microsoft update KB2949927!!!! This recent update is all over the web as causing computers to get corrupted and not boot. I couldn't even restore to a previous restore point. I've spent all day yesterday doing Acronis image restores and re-applying updates one-by-one to find the problem.

I still need to figure out a fix, but as this question had to do with turning off remote web workplace, I'll post this problem as a separate question.
0
 
LVL 1

Author Closing Comment

by:jmarkfoley
ID: 40384242
This post answered my actual question, though that doesn't end up being the actual problem!
0
