Windows Server 2003 security. How to protect against 100's of invalid logons to the server??

Discussion in 'Server Security' started by gonzal kamikadze, Aug 12, 2005.

  1. I have a server hosting my and a few other websites 24/7. I'm logging on
    remotely to the server. In the last couple of days I had 100's of entries in
    my Event Viewer/Security where someone was trying to log on and guess the
    administrator password. Is there any way of protecting myself against that
    kind of attack?

    Q1) How to block other country IP addresses from logging on to a server (a
    logon to the server will be allowed, for example, only from Germany)? But
    enable all the other services like http, mail, sql to be accessed
    worldwide.

    Q2) Is there software (or is Windows Server 2003 capable of this) that will
    temporarily block an IP address for x amount of hours or days if it finds
    that someone is trying to guess a password (for example, after 3 attempts
    to log on it will block the IP address for 3 days instead of blocking the
    user account)?

    Q3) How to disable anonymous logon??

    In my Event Viewer / Security sometimes I have the following entry:

    Success Audit [date] [time] Security Logon/Logout 540
    ANONYMOUS LOGON [server name]

    Followed by a logout entry at the same time.

    Does the above event in my Event Viewer represent a successful logon as an
    anonymous logon?

    My guest account on that server is disabled.

    Thanks,

    Regards,

    gonzal kamikadze, Aug 12, 2005
    #1

  2. Your best bet would be to configure your firewall to block the IP
    addresses/IP range that you want to block. Since you are getting a lot of
    attacks on your administrator account, make sure that your server is not
    offering services to the internet that it should not be, such as file and
    print sharing. At least the external adapter should have file and print
    sharing and NetBIOS over TCP/IP disabled, and all network adapters should
    if they are not needed. For a quick vulnerability scan go to a self scan
    site such as http://scan.sygatetech.com/ . Run the Microsoft Baseline
    Security Analyzer on your server, and if it is Windows 2000 be sure to run
    the IIS Lockdown/URLscan tool after backing up your server including the
    IIS configuration. The anonymous logon events are for null sessions that
    the operating system commonly uses for file and print sharing/browse list.
    Disabling file and print sharing/NetBIOS over TCP/IP should make them go
    away if they are not needed. There are options in security policy to
    restrict anonymous access. The links below may help. --- Steve

    http://www.microsoft.com/technet/security/tools/mbsahome.mspx --- MBSA
    http://www.microsoft.com/technet/security/tools/locktool.mspx --- IIS
    Lockdown/URLScan
    http://www.microsoft.com/technet/security/prodtech/WebServices.mspx ---
    TechNet Security for web services
    http://support.microsoft.com/?kbid=246261 --- restrict anonymous in Windows
    2000 with description of ramifications of.

     
    Steven L Umbach, Aug 15, 2005
    #2
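
The per-IP lockout asked about in Q2 (3 failed logons from one address, then a 3-day block of that address rather than of the account), as an added example that is not part of the original thread and not Microsoft's code. It assumes the Security log has been exported to a hypothetical CSV layout of `time,event_id,account,source_ip` in time order, counts event 529 (the Windows Server 2003 bad-user-name-or-password failure), and uses an assumed 10-minute counting window; the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON_ID = 529             # Server 2003: unknown user name or bad password
MAX_ATTEMPTS = 3                  # threshold from Q2
BLOCK_FOR = timedelta(days=3)     # block duration from Q2
WINDOW = timedelta(minutes=10)    # assumption: failures must fall within this span

# Constructed sample, hypothetical export format: time,event_id,account,source_ip
SAMPLE = """\
2005-08-12 03:14:01,529,Administrator,203.0.113.7
2005-08-12 03:14:03,529,Administrator,203.0.113.7
2005-08-12 03:14:05,540,ANONYMOUS LOGON,192.0.2.10
2005-08-12 03:14:06,529,admin,203.0.113.7
2005-08-12 03:15:00,529,Administrator,203.0.113.7
2005-08-12 09:00:00,529,webadmin,198.51.100.4
2005-08-12 21:30:00,529,webadmin,198.51.100.4
"""

def parse(text):
    """Yield (timestamp, event_id, account, source_ip) from the CSV export."""
    for line in text.strip().splitlines():
        ts, event_id, account, ip = line.split(",")
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(event_id), account, ip

def build_blocklist(events):
    """Return {source_ip: block_expiry} for addresses that hit the threshold."""
    recent = defaultdict(deque)   # source IP -> timestamps of recent failures
    blocked = {}                  # source IP -> time the block expires
    for ts, event_id, _account, ip in events:
        if event_id != FAILED_LOGON_ID:
            continue              # 540 and other events are not failures
        if ip in blocked and ts < blocked[ip]:
            continue              # already blocked; do not extend the block
        failures = recent[ip]
        failures.append(ts)
        while ts - failures[0] > WINDOW:
            failures.popleft()    # forget failures older than the window
        if len(failures) >= MAX_ATTEMPTS:
            blocked[ip] = ts + BLOCK_FOR
            failures.clear()
    return blocked

def active_blocks(blocked, now):
    """Addresses whose block has not yet expired at time `now`."""
    return sorted(ip for ip, expiry in blocked.items() if now < expiry)

if __name__ == "__main__":
    for ip, expiry in build_blocklist(parse(SAMPLE)).items():
        print(f"block {ip} until {expiry}")
```

The resulting address list is what would be fed to the firewall recommended in the reply above; the two widely spaced failures from the second address stay below the threshold and are not blocked.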