Solved

How to turn off Remote Web Workplace

Posted on 2014-10-15
6
242 Views
Last Modified: 2016-10-27
How to I turn off Remote Web Workplace? I can't find information on this for SBS2008. I believe my system is under attack right now and I need to first turn off remote access.
0
Comment
Question by:jmarkfoley
  • 3
  • 2
6 Comments
 
LVL 15

Accepted Solution

by:
It breaks therefore I am earned 500 total points
ID: 40382216
Also applies to 2008 - http://technet.microsoft.com/en-gb/library/cc527621.aspx

What makes you think you are under attack ?
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40382254
Thanks - I was at the link before, but missed the 'Website' tab.

> What makes you think you are under attack ?

Between 8:00 and 10:00 this morning I have 300+ event 4771 message as follows:
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/15/2014 9:45:06 AM
Event ID:      4771
Task Category: Kerberos Authentication Service
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      MAIL.hprs.local
Description:
Kerberos pre-authentication failed.

Account Information:
	Security ID:		HPRS\BETH$
	Account Name:		BETH$

Service Information:
	Service Name:		krbtgt/HPRS.LOCAL

Network Information:
	Client Address:		::ffff:192.168.0.46
	Client Port:		50109

Additional Information:
	Ticket Options:		0x40810010
	Failure Code:		0x18
	Pre-Authentication Type:	2

Certificate Information:
	Certificate Issuer Name:		
	Certificate Serial Number: 	
	Certificate Thumbprint:		

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4771</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14339</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2014-10-15T13:45:06.490Z" />
    <EventRecordID>287137781</EventRecordID>
    <Correlation />
    <Execution ProcessID="708" ThreadID="3044" />
    <Channel>Security</Channel>
    <Computer>MAIL.hprs.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">BETH$</Data>
    <Data Name="TargetSid">S-1-5-21-960357547-1729513136-1779326955-1224</Data>
    <Data Name="ServiceName">krbtgt/HPRS.LOCAL</Data>
    <Data Name="TicketOptions">0x40810010</Data>
    <Data Name="Status">0x18</Data>
    <Data Name="PreAuthType">2</Data>
    <Data Name="IpAddress">::ffff:192.168.0.46</Data>
    <Data Name="IpPort">50109</Data>
    <Data Name="CertIssuerName">
    </Data>
    <Data Name="CertSerialNumber">
    </Data>
    <Data Name="CertThumbprint">
    </Data>
  </EventData>
</Event>

Open in new window


I also have a number of suspicious events:
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/15/2014 9:55:19 AM
Event ID:      4672
Task Category: Special Logon
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      MAIL.hprs.local
Description:
Special privileges assigned to new logon.

Subject:
	Security ID:		SYSTEM
	Account Name:		MAIL$
	Account Domain:		HPRS
	Logon ID:		0xc87a27ef

Privileges:		SeSecurityPrivilege
			SeBackupPrivilege
			SeRestorePrivilege
			SeTakeOwnershipPrivilege
			SeDebugPrivilege
			SeSystemEnvironmentPrivilege
			SeLoadDriverPrivilege
			SeImpersonatePrivilege
			SeEnableDelegationPrivilege
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4672</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12548</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2014-10-15T13:55:19.902Z" />
    <EventRecordID>287139132</EventRecordID>
    <Correlation />
    <Execution ProcessID="708" ThreadID="14332" />
    <Channel>Security</Channel>
    <Computer>MAIL.hprs.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">MAIL$</Data>
    <Data Name="SubjectDomainName">HPRS</Data>
    <Data Name="SubjectLogonId">0xc87a27ef</Data>
    <Data Name="PrivilegeList">SeSecurityPrivilege
			SeBackupPrivilege
			SeRestorePrivilege
			SeTakeOwnershipPrivilege
			SeDebugPrivilege
			SeSystemEnvironmentPrivilege
			SeLoadDriverPrivilege
			SeImpersonatePrivilege
			SeEnableDelegationPrivilege</Data>
  </EventData>
</Event>
[code]

And hundreds of these:
[code]
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/15/2014 10:13:00 AM
Event ID:      4634
Task Category: Logoff
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      MAIL.hprs.local
Description:
An account was logged off.

Subject:
	Security ID:		S-1-5-7
	Account Name:		ANONYMOUS LOGON
	Account Domain:		NT AUTHORITY
	Logon ID:		0xc8884c39

Logon Type:			3

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4634</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12545</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2014-10-15T14:13:00.568Z" />
    <EventRecordID>287140976</EventRecordID>
    <Correlation />
    <Execution ProcessID="708" ThreadID="5612" />
    <Channel>Security</Channel>
    <Computer>MAIL.hprs.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserSid">S-1-5-7</Data>
    <Data Name="TargetUserName">ANONYMOUS LOGON</Data>
    <Data Name="TargetDomainName">NT AUTHORITY</Data>
    <Data Name="TargetLogonId">0xc8884c39</Data>
    <Data Name="LogonType">3</Data>
  </EventData>
</Event>

Open in new window

0
 
LVL 15

Expert Comment

by:It breaks therefore I am
ID: 40382318
Hi, Always from the same ?

Account Information:
      Security ID:            HPRS\BETH$
      Account Name:            BETH$

Network Information:
      Client Address:            ::ffff:192.168.0.46
0
Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

 
LVL 35

Expert Comment

by:Cris Hanna
ID: 40383972
That's an internal IP isn't it?  I'd identify that machine and scan with 3 or 4 malware tools as it may have a bit.  

Also is port 80 open on your router and IIS is then redirecting to 443?
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40384237
Yes, it is an internal IP, and it turns out that the problem was NOT an attempted break-in after all. The legitimate workstation BETH was trying over and over to connect to the domain controller for hours until user Beth finally cycled power.

What was the problem? It turns out to be Microsoft update KB2949927!!!! This recent update is all over the web as causing computers to get corrupted and not boot. I couldn't even restore to a previous restore point. I've spent all day yesterday doing Acronis image restores and re-applying updates one-by-one to find the problem.

I still need to figure out a fix, but as this question had to do with turning off remote web workplace, I'll post this problem as a separte question.
0
 
LVL 1

Author Closing Comment

by:jmarkfoley
ID: 40384242
This post answered my actual question, though that doesn't end up being the actual problem!
0

Featured Post

Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
SBS 2011 Backup Drive 8 77
WSUS 3.0 SP2 Replicate to WSUS 2016 3 49
Changing a SBS 2011 Server to TLS 6 33
SBS 2011 Server CPU Utilization 33 37
I work for a company that primarily works with small businesses as their outsourced IT vendor. As such the majority of these customers utilize some version of Small Business Server. Due to the economics of running a small business, many of these cus…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
In an interesting question (https://www.experts-exchange.com/questions/29008360/) here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question