Paranoid newbie reviewing security logs

Discussion in 'Server Security' started by Rich Palarea, Nov 4, 2004.

  1. Rich Palarea

    Rich Palarea Guest

    All:

    I'm running Windows Server 2003 Standard as a web and e-mail server (POP3,
    SMTP). IIS 6.0 is running. I administer the server via Remote Desktop.

    1. I notice many entries in the Event Viewer Security log for failed logins
    where reason reads "unknown user name or bad password". The entries occurr
    daily and seem to be automated because they are within microseconds of each
    other. They seem to use usernames that are a guess...like "oracle" or
    "admin" or "administrator". They come from the same IP and domain within a
    block of time, then change.

    2. I've also noticed successful logons from some of the same workstations.
    The failed logon precedes the successful logon. The successful logon will
    use logon process: NtLmSsp with authentication package NTLM.

    3. Next, I will see attempts to access the SAM object by the local server
    name appended with $. Sometimes these attempts fail. The accesses are
    EnumerateDomains and LookupDomain

    Is this an intrusion? I have changed the admin account login username and
    password from the Windows default and disabled unnecessary accounts. How to
    I protect myself from these attacks, if that is what they are?

    Thanks!
    Rich
     
    Rich Palarea, Nov 4, 2004
    #1
    1. Advertisements

  2. Firewall !. If you administer from inside your network, you only need ports
    for web,pop3.
     
    Fernando Peralta, Nov 5, 2004
    #2
    1. Advertisements

  3. Rich Palarea

    Rich Palarea Guest

    Which is what I have enabled using Routing and Remote Access server (and the
    port for terminal services). My question is about the suspicious activity
    noted in the serurity logs. Could this be unauthorized access? If so, how do
    I prevent this without a hardware firweall (service provider where the
    server is hosted charges $500/mo for Netscreen).
     
    Rich Palarea, Nov 5, 2004
    #3
  4. If you have Remote/ Terminal Server access from the Internet than you are
    going to see these even with a firewall. Just make sure all your
    usernames/password and very strong and you should be fine. Also be sure to
    disable File and Print Sharing and turn off Netbios.
     
    Scott Harding - MS MVP, Nov 5, 2004
    #4
  5. Rich Palarea

    Rich Palarea Guest

    Thanks, Scott.

    I do have the server currently setup the way you suggest (no netbios, no
    file/print sharing).

    Is there a utility or way to view the SAM database? I see that changes to
    the SAM are being made in the logfiles. I'm not certain if they are all
    changes that I've made or not. I'm wondering if someone has gained access
    from outside and created backdoor accounts that don't show in the user
    manager.

    Thanks, again.
    Rich
     
    Rich Palarea, Nov 8, 2004
    #5
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.