adroman


Exchange OWA - failed logins and brute force monitor

Good day, Colleagues!
Is there a reliable and convenient way to monitor Exchange OWA failed logins and brute force attempts?
I need a user-friendly utility ;)
Tony Giangreco

I had a problem a few years ago with hackers trying to break into a terminal server by brute force. I resolved the problem by taking these steps, which may help you:

1. Make sure all users have strong passwords and possibly change the passwords so you know they are strong using upper case, lower case, a number and a special character in each.

2. Install Syspeace on the Windows 2008 server from www.syspeace.com.

After three invalid login attempts, it locks out the account in Active Directory so the hackers can't log in. After a pre-determined amount of time, it removes the lock.

It also has its own global blacklist of hackers' IP addresses that are blocked right away. Syspeace updates that list based on hacking activity it sees from other servers that have Syspeace installed. The program works very well.

Hope this resolves your issue.
Will Szymkowski
The best method would be to use your firewall.

Will.
Just installing a firewall won't resolve your problem. You need to configure it to either only allow your users access to OWA or check the attempted connections to see where they are coming in from. If they are from foreign countries and you don't have users in foreign countries, you can see if your firewall can block the OWA port for those countries.

If you do have a firewall installed, I'd find an expert to install and configure it properly for your network.
When a user attempts to authenticate against OWA, their credentials are checked by Exchange on a Domain Controller. This will generate an entry in the server's security log. Unfortunately, these logs are "busy", and difficult to read manually.

Thus, you need a tool to parse, analyse and make sense out of a security log. Fortunately, such things exist.

Here are a few links to get you started:

https://www.manageengine.com/products/eventlog/
http://www.microsoft.com/en-au/download/details.aspx?id=24659
http://go.solarwinds.com/LEM/NA/event-log-analyzer?&CMP=KNC-TAD-GGL-LEM_APAC_AU_P-LEM-DL-X&gclid=CLO5xInR1McCFYUHvAod4EUNzg
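
The security-log parsing described in the post above, sketched in PowerShell (3.0 or later) as an added example that is not part of the original thread. It assumes failed OWA logons show up as event ID 4625 in the Security log of the server handling the logon; the function names, threshold and window are hypothetical choices, and the sample records are constructed.

```powershell
# Added example; threshold and window defaults are assumptions to tune.
function Get-FailedLogonRecord {
    # Extracts time, account and source address from an event's XML EventData.
    param([Parameter(ValueFromPipeline = $true)] $InputEvent)
    process {
        $data = @{}
        foreach ($d in ([xml]$InputEvent.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{ Time = $InputEvent.TimeCreated; User = $data['TargetUserName']; Ip = $data['IpAddress'] }
    }
}

function Find-BruteForceSource {
    param([Parameter(Mandatory = $true)] [object[]] $Record, [int] $Threshold = 5, [int] $WindowMinutes = 10)
    # Ignore records without a usable source address ('-' means none was recorded).
    $remote = $Record | Where-Object { $_.Ip -and $_.Ip -ne '-' }
    foreach ($g in ($remote | Group-Object Ip)) {
        $times = @($g.Group | Sort-Object Time | ForEach-Object { $_.Time })
        # Sliding window: largest number of failures within $WindowMinutes.
        $start = 0; $peak = 0
        for ($end = 0; $end -lt $times.Count; $end++) {
            while (($times[$end] - $times[$start]).TotalMinutes -gt $WindowMinutes) { $start++ }
            $peak = [Math]::Max($peak, $end - $start + 1)
        }
        if ($peak -ge $Threshold) {
            [pscustomobject]@{
                Ip           = $g.Name
                PeakFailures = $peak
                Users        = @($g.Group | ForEach-Object { $_.User } | Sort-Object -Unique)
            }
        }
    }
}

# Constructed sample records (documentation IP ranges) standing in for real events.
$t0 = Get-Date '2015-09-01T10:00:00'
$sample = @(
    0..5 | ForEach-Object { [pscustomobject]@{ Time = $t0.AddSeconds(30 * $_); User = "user$($_ % 3)"; Ip = '203.0.113.7' } }
    [pscustomobject]@{ Time = $t0.AddMinutes(1); User = 'alice'; Ip = '198.51.100.20' }
    [pscustomobject]@{ Time = $t0.AddHours(3);   User = 'alice'; Ip = '198.51.100.20' }
)
Find-BruteForceSource -Record $sample   # reports only 203.0.113.7 (6 failures, 3 accounts)

# On a live server, from an elevated prompt, feed real events instead:
# $rec = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } | Get-FailedLogonRecord
# Find-BruteForceSource -Record $rec
```

If OWA is published through a reverse proxy or load balancer, the IpAddress field will typically show that device rather than the real client, so the grouping is only as good as the address the server sees.
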
If the invalid logins are from your employees, then identify them by searching the Windows logs and review the situation with them.

If the invalid logins are from hackers, then you need a firewall or more vigorous security software to manage the situation for you so you don't have to be there 24x7 manually managing the problem.

Evaluate the situation and take the appropriate action.
adroman

ASKER

OWA uses Windows Server, so I have the integrated Windows firewall, and I don't know how it can help me identify basic attack attempts against OWA.

The risks are from external hackers.

Where could I find more vigorous security software for OWA to maintain composure about the problem? :)

I also want to monitor failed login attempts and approved logins from any users, including myself :)
ASKER CERTIFIED SOLUTION
Tony Giangreco