Advice on hack attempts on Windows Server 2008 R2

Somebody in Germany (determined by the IP address) has been trying to hack into my Windows 2008R2 server over the last few days continuously using what appears to be a dictionary attack - see below for example security event.
The local administrator account is disabled and I am not convinced they will be successful with the usernames they are trying to use.
What perplexes me is that this machine is behind a Sonicwall firewall and is a virtual machine, I can see no way they can be accessing it.
I have anti-virus running and ran Malwarebytes and it is completely clean.
The IP address is always different but an online IP locator points to the same village in Germany so this could be a bot attack or something similar.
Is there a sure-fire way of stopping this, or is it an occupational hazard?
5 Solutions
fuzzyfreak (Author) commented:
Sorry, forgot this -

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          14/01/2015 11:32:50
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      removed for security
An account failed to log on.

      Security ID:            SYSTEM
      Account Name:            removed for security$
      Account Domain:            removed for security
      Logon ID:            0x3e7

Logon Type:                  10

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            experience
      Account Domain:            removed for security

Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xc000006d
      Sub Status:            0xc0000064

Process Information:
      Caller Process ID:      0xf34
      Caller Process Name:      C:\Windows\System32\winlogon.exe

Network Information:
      Workstation Name:      removed for security
      Source Network Address:
      Source Port:            57626

Detailed Authentication Information:
      Logon Process:            User32
      Authentication Package:      Negotiate
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
      - Transited services indicate which intermediate services have participated in this logon request.
      - Package name indicates which sub-protocol was used among the NTLM protocols.
      - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event Xml:
<Event xmlns="">
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <TimeCreated SystemTime="2015-01-14T11:32:50.994847800Z" />
    <Correlation />
    <Execution ProcessID="528" ThreadID="1456" />
    <Computer>removed for security</Computer>
    <Security />
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">removed for security$</Data>
    <Data Name="SubjectDomainName">removed for security</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">experience</Data>
    <Data Name="TargetDomainName">removed for security</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc0000064</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="LogonProcessName">User32 </Data>
    <Data Name="AuthenticationPackageName">Negotiate</Data>
    <Data Name="WorkstationName">removed for security</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0xf34</Data>
    <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
    <Data Name="IpAddress"></Data>
    <Data Name="IpPort">57626</Data>

Should that server be usable for logons via internet (RDP/VPN) at all? If not, then your firewall is misconfigured.
Don Thomson commented:
If you do use RDP to access your servers - change the port in your firewall to something besides 3389. The firewall should allow you to remap the port back to 3389 automatically while still allowing your users to access the server through RDP. So if you changed the port that users will use to something like 2378, they would then access RDP by entering 1xx.2xx.3xx.4xx:2378 or

Partially occupational hazard (like web access, it's a bit weird to change the port number to that), partially your own fault (RDP has no hammer protection), so as described above, use another port number (on the modem/router/firewall), but I prefer a MUCH higher number (in case of finding it through port scanning).
In a Windows 2003 environment I wrote a VBScript, though, to check the event log and block (or rather, route back to a non-working IP) the IP upon failing to log in a few times per xx minutes. Not sure I can adjust it to 2008, but with changing the port numbers, you shouldn't see this event at all (except by valid users who made a typo during login).
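The event-log approach described in the comment above (count failed logons per source inside a time window, then act on the source), as an added example in Python that is not code from the thread: it parses 4625 records in the Event XML shape quoted earlier and reports sources that reach a threshold, keeping the blank-IpAddress case of the quoted User32 / logon type 10 event visible instead of silently dropping it. The threshold, window, the make_record helper and every address and user name in the sample are constructed assumptions, not data from the server in question.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                   # failures per source before it is reported (assumed)
WINDOW = timedelta(minutes=10)  # the "xx minutes" of the sliding window (assumed)

def parse_4625(xml_text):
    """(time, target user, source IP, logon type) from one 4625 Event XML record.
    Tags are matched by local name, so a record carrying the real Windows event
    namespace parses the same as the namespace-stripped XML quoted in the thread."""
    ts, fields = None, {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit('}', 1)[-1]
        if tag == 'TimeCreated':  # SystemTime has 100 ns fractions; keep whole seconds
            ts = datetime.strptime(el.get('SystemTime')[:19], '%Y-%m-%dT%H:%M:%S')
        elif tag == 'Data':
            fields[el.get('Name')] = (el.text or '').strip()
    return (ts, fields.get('TargetUserName', ''), fields.get('IpAddress', ''),
            fields.get('LogonType', ''))

def find_offenders(xml_records, threshold=THRESHOLD, window=WINDOW):
    """Return {source: time the threshold was first reached}. An empty IpAddress
    (as in the quoted User32 / logon type 10 event) is bucketed as 'UNKNOWN':
    it is still counted, but there is no address a firewall rule could block."""
    recent, offenders = defaultdict(deque), {}
    for ts, _user, ip, _logon_type in sorted(parse_4625(r) for r in xml_records):
        key = ip or 'UNKNOWN'
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:           # forget failures older than the window
            q.popleft()
        if len(q) >= threshold and key not in offenders:
            offenders[key] = ts
    return offenders

def make_record(system_time, user, ip, logon_type='10'):
    """Constructed 4625 record in the shape of the Event XML above (sample data only)."""
    return (f'<Event><System><TimeCreated SystemTime="{system_time}"/></System>'
            f'<EventData><Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="LogonType">{logon_type}</Data>'
            f'<Data Name="IpAddress">{ip}</Data></EventData></Event>')

# Constructed sample: six dictionary-style failures in five minutes from one address,
# two isolated failures from another, and one failure with no source address at all.
SAMPLE = [make_record(f'2015-01-14T11:3{i}:0{i}.994847800Z', u, '198.51.100.23')
          for i, u in enumerate(['experience', 'admin', 'test', 'user', 'guest', 'backup'])]
SAMPLE += [make_record('2015-01-14T11:00:00.000000000Z', 'experience', '192.0.2.9'),
           make_record('2015-01-14T11:40:00.000000000Z', 'admin', '192.0.2.9'),
           make_record('2015-01-14T11:32:50.994847800Z', 'experience', '')]
```

On a live host the records would come from the Security log (for example an export of event ID 4625 as XML) rather than from SAMPLE; a source that turns up as UNKNOWN has to be traced through the firewall's own logs, since the event gives nothing to block.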
Sean Jackson (Information Security Analyst) commented:
Block access from this IP at the firewall. Clearly the actions are unwanted.

I would create rules that auto-add IPs to blacklists when such behavior is noticed.
Lee W, MVP (Technology and Business Process Advisor) commented:
Unless you're expecting users from Germany, block the ISP/country at the firewall level. If you can't, then get a better firewall.
fuzzyfreak (Author) commented:
Thanks for your responses guys, let me take each one in turn -
Yes, this server is used for RDP but only internally - I am not sure how it is being accessed externally unless I have opened the same port on the firewall.
I will have to try and figure out how to change the RDP port on the server.
Blocking the IP is not an option as each time it changes.
Blocking Germany to my firewall is not an option as we travel Internationally.
Lee W, MVP (Technology and Business Process Advisor) commented:
Use VPN.
Sean Jackson (Information Security Analyst) commented:
Create a script that auto-adds the IP to the firewall. Don't block all of Germany, save that behavior for China.
fuzzyfreak (Author) commented:

I presume this article will work to change my port but how can you tell from my security event that port 3389 was being used?
Does the client need to know about this new port to be able to access the server via RDP?
fuzzyfreak (Author) commented:
Please explain why I need to make changes to the firewall when this is an internal issue i.e. inside my firewall?
Not sure how VPN would help?
There is some forwarding configured at your firewall, or it is altogether opening that server to the internet - either way, it's misconfigured and needs to be reviewed. Your log shows it's logon type 10: Remote Interactive logon, which means someone is trying to abuse Remote Desktop.
fuzzyfreak (Author) commented:
Thanks very much for that clarification. Yes, I have discovered port 3389 is open on the firewall, but this does not necessarily mean it is misconfigured; I do need to discover why that port has been opened and reconfigure. I'll get back once I have found out where this has been opened in the minefield that is my Sonicwall device.
Don Thomson commented:
You don't have to change the port in the server. This means that your internal RDP users won't need to change the method they currently use.

In the firewall - change the external port to something other than 3389 but keep the internal port at 3389.

Any decent firewall or router will allow you to do this. This is often done where someone has multiple IP printers locally that they need to access when connected via RDP to an external system. Most printers use 515 or 9100 - if you assign each printer to a different external port, then anyone printing to the different port will get to the right printer, as the firewall is programmed to change the "different" port number back to the default for that printer but sends it to the correct IP for that printer.

If you're not sure why the port was opened - change the external port to 53389 -> ServerIP:3389

As soon as you do that - no one trying to access the server using port 3389 on the far side of your router/firewall will get any access. They will soon stop trying and go on to the next system. If a legitimate user tries to get in - you can tell them to add :53389 to the destination IP.
Lee W, MVP (Technology and Business Process Advisor) commented:
A VPN requires only one port open on the firewall and requires authentication with the server. Opening ports opens doors to hackers. Changing the port to a non-standard one and forwarding does little to help. Many of the attack tools used would simply scan all ports and then attempt to connect via RDS or other protocols.

If you need to provide remote access, then you need to ensure your company is using all the best practices it can to secure the network. A VPN would be safer than simply port forwarding your RDP protocol. I don't know what your company does, but if you don't have people CURRENTLY in Germany, block them for the moment - you can always unblock later.

You should also consider getting the appropriate licenses to use Direct Access and other more advanced mechanisms to secure the network.
fuzzyfreak (Author) commented:
Great advice, thanks, but now I have discovered which internal servers Terminal Services (and therefore port 3389) is open for. We use VPN for remote access, so I am not sure if I need this port open on any of these servers... however, I did just get one of our external consultants asking why their RDP access to one of our servers has just stopped working (oops). I may need to give them VPN access so I can close off this port.
fuzzyfreak (Author) commented:
Port plugged, issue gone, thank you all very much for your help and education on this matter!