Solved

How to turn off Remote Web Workplace

Posted on 2014-10-15
Last Modified: 2016-10-27
How do I turn off Remote Web Workplace? I can't find information on this for SBS2008. I believe my system is under attack right now and I need to first turn off remote access.
Question by:jmarkfoley
LVL 15

Accepted Solution

by:It breaks therefore I am (earned 500 total points)
ID: 40382216
Also applies to 2008 - http://technet.microsoft.com/en-gb/library/cc527621.aspx

What makes you think you are under attack ?
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40382254
Thanks - I was at the link before, but missed the 'Website' tab.

> What makes you think you are under attack ?

Between 8:00 and 10:00 this morning I have 300+ event 4771 messages, as follows:
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/15/2014 9:45:06 AM
Event ID:      4771
Task Category: Kerberos Authentication Service
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      MAIL.hprs.local
Description:
Kerberos pre-authentication failed.

Account Information:
	Security ID:		HPRS\BETH$
	Account Name:		BETH$

Service Information:
	Service Name:		krbtgt/HPRS.LOCAL

Network Information:
	Client Address:		::ffff:192.168.0.46
	Client Port:		50109

Additional Information:
	Ticket Options:		0x40810010
	Failure Code:		0x18
	Pre-Authentication Type:	2

Certificate Information:
	Certificate Issuer Name:		
	Certificate Serial Number: 	
	Certificate Thumbprint:		

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4771</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14339</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2014-10-15T13:45:06.490Z" />
    <EventRecordID>287137781</EventRecordID>
    <Correlation />
    <Execution ProcessID="708" ThreadID="3044" />
    <Channel>Security</Channel>
    <Computer>MAIL.hprs.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">BETH$</Data>
    <Data Name="TargetSid">S-1-5-21-960357547-1729513136-1779326955-1224</Data>
    <Data Name="ServiceName">krbtgt/HPRS.LOCAL</Data>
    <Data Name="TicketOptions">0x40810010</Data>
    <Data Name="Status">0x18</Data>
    <Data Name="PreAuthType">2</Data>
    <Data Name="IpAddress">::ffff:192.168.0.46</Data>
    <Data Name="IpPort">50109</Data>
    <Data Name="CertIssuerName">
    </Data>
    <Data Name="CertSerialNumber">
    </Data>
    <Data Name="CertThumbprint">
    </Data>
  </EventData>
</Event>



I also have a number of suspicious events:
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/15/2014 9:55:19 AM
Event ID:      4672
Task Category: Special Logon
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      MAIL.hprs.local
Description:
Special privileges assigned to new logon.

Subject:
	Security ID:		SYSTEM
	Account Name:		MAIL$
	Account Domain:		HPRS
	Logon ID:		0xc87a27ef

Privileges:		SeSecurityPrivilege
			SeBackupPrivilege
			SeRestorePrivilege
			SeTakeOwnershipPrivilege
			SeDebugPrivilege
			SeSystemEnvironmentPrivilege
			SeLoadDriverPrivilege
			SeImpersonatePrivilege
			SeEnableDelegationPrivilege
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4672</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12548</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2014-10-15T13:55:19.902Z" />
    <EventRecordID>287139132</EventRecordID>
    <Correlation />
    <Execution ProcessID="708" ThreadID="14332" />
    <Channel>Security</Channel>
    <Computer>MAIL.hprs.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">MAIL$</Data>
    <Data Name="SubjectDomainName">HPRS</Data>
    <Data Name="SubjectLogonId">0xc87a27ef</Data>
    <Data Name="PrivilegeList">SeSecurityPrivilege
			SeBackupPrivilege
			SeRestorePrivilege
			SeTakeOwnershipPrivilege
			SeDebugPrivilege
			SeSystemEnvironmentPrivilege
			SeLoadDriverPrivilege
			SeImpersonatePrivilege
			SeEnableDelegationPrivilege</Data>
  </EventData>
</Event>

And hundreds of these:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/15/2014 10:13:00 AM
Event ID:      4634
Task Category: Logoff
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      MAIL.hprs.local
Description:
An account was logged off.

Subject:
	Security ID:		S-1-5-7
	Account Name:		ANONYMOUS LOGON
	Account Domain:		NT AUTHORITY
	Logon ID:		0xc8884c39

Logon Type:			3

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4634</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12545</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2014-10-15T14:13:00.568Z" />
    <EventRecordID>287140976</EventRecordID>
    <Correlation />
    <Execution ProcessID="708" ThreadID="5612" />
    <Channel>Security</Channel>
    <Computer>MAIL.hprs.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserSid">S-1-5-7</Data>
    <Data Name="TargetUserName">ANONYMOUS LOGON</Data>
    <Data Name="TargetDomainName">NT AUTHORITY</Data>
    <Data Name="TargetLogonId">0xc8884c39</Data>
    <Data Name="LogonType">3</Data>
  </EventData>
</Event>


0
 
LVL 15

Expert Comment

by:It breaks therefore I am
ID: 40382318
Hi, Always from the same ?

Account Information:
      Security ID:            HPRS\BETH$
      Account Name:            BETH$

Network Information:
      Client Address:            ::ffff:192.168.0.46
0

 
LVL 35

Expert Comment

by:Cris Hanna
ID: 40383972
That's an internal IP isn't it?  I'd identify that machine and scan with 3 or 4 malware tools as it may have a bit.  

Also is port 80 open on your router and IIS is then redirecting to 443?
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40384237
Yes, it is an internal IP, and it turns out that the problem was NOT an attempted break-in after all. The legitimate workstation BETH was trying over and over to connect to the domain controller for hours until user Beth finally cycled power.

What was the problem? It turns out to be Microsoft update KB2949927!!!! This recent update is all over the web as causing computers to get corrupted and not boot. I couldn't even restore to a previous restore point. I've spent all day yesterday doing Acronis image restores and re-applying updates one-by-one to find the problem.

I still need to figure out a fix, but as this question had to do with turning off remote web workplace, I'll post this problem as a separate question.
0
 
LVL 1

Author Closing Comment

by:jmarkfoley
ID: 40384242
This post answered my actual question, though that doesn't end up being the actual problem!
0
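
The triage the replies in this thread walk through (is it always the same account and client address, and is that address internal?) can be run over exported Security-log XML. This is an added example, not part of the original thread; treating RFC 1918 ranges as "internal" is an assumption, and the sample records, including the `alice` account and its address, are constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# A few Kerberos error codes from RFC 4120, as logged in the Status field
STATUS = {"0x12": "KDC_ERR_CLIENT_REVOKED", "0x17": "KDC_ERR_KEY_EXPIRED",
          "0x18": "KDC_ERR_PREAUTH_FAILED", "0x25": "KRB_AP_ERR_SKEW"}
# Assumption: "internal" means an RFC 1918 address
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_4771(xml_text):
    """Return the triage fields of one event 4771 record, None for other events."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4771":
        return None
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    client, internal = data.get("IpAddress", ""), None
    try:
        ip = ipaddress.ip_address(client)
        # The DC logs IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d)
        if ip.version == 6 and ip.ipv4_mapped:
            ip = ip.ipv4_mapped
        client, internal = str(ip), any(ip in net for net in INTERNAL)
    except ValueError:
        pass  # field missing or not an address (damaged ticket): keep raw text
    account, status = data.get("TargetUserName", ""), data.get("Status", "").lower()
    return {"account": account, "machine_account": account.endswith("$"), "client": client,
            "internal": internal, "failure": STATUS.get(status, status)}

def summarize(events_xml):
    """Count failures per (account, client, internal, failure), busiest first."""
    counts = Counter()
    for xml_text in events_xml:
        ev = parse_4771(xml_text)
        if ev:
            counts[(ev["account"], ev["client"], ev["internal"], ev["failure"])] += 1
    return counts.most_common()

# Constructed sample records, reduced to the fields used above
TEMPLATE = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            '<System><EventID>{eid}</EventID></System><EventData>'
            '<Data Name="TargetUserName">{user}</Data><Data Name="Status">{status}</Data>'
            '<Data Name="IpAddress">{ip}</Data></EventData></Event>')
SAMPLE = [TEMPLATE.format(eid=4771, user="BETH$", status="0x18", ip="::ffff:192.168.0.46")] * 3
SAMPLE.append(TEMPLATE.format(eid=4771, user="alice", status="0x18", ip="::ffff:203.0.113.7"))

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A single machine account (name ending in `$`) failing repeatedly from one internal address is the pattern this thread turned out to be.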
